Microsoft Active Directory Federation Services
Microsoft AD FS (Active Directory Federation Services) is the identity and access management software installed on Microsoft Windows Server. It uses the SAML 2.0 and WS-Federation protocols to enable a secure exchange of identity information, attributes, and authentication tokens. As a result, Microsoft AD FS provides single sign-on (SSO) and identity management, allowing authorized users to access multiple applications located on-premises or in the cloud.
By integrating Akamai MFA with Microsoft AD FS, you provide users with strong, two-step authentication to protected resources.
The following diagram presents a conceptual model of the authentication process. For clarity, some traffic flows are not shown.
This authentication process applies to users who are enrolled in Akamai MFA.
- The user attempts to access a protected enterprise application.
- The application server sends the authentication request to the Windows server.
- The Windows server validates the user's credentials against AD FS.
- AD FS, using the Akamai plug-in, confirms that the primary authentication succeeded.
- A connection is established over TCP port 443, and the user is redirected to Akamai MFA.
- Akamai MFA challenges the user with secondary authentication.
- The user confirms their identity using the selected secondary authentication method.
- Akamai MFA redirects the user back to the Windows server.
- The Windows server redirects the user to the application server.
- The user gains access to the application.
Prerequisites
- This integration has been tested with Microsoft AD FS on Windows Server 2016. You should have an installed, configured, and working instance of AD FS on Windows Server 2016.
- This integration communicates with Akamai MFA on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration. You can achieve this by setting up a firewall policy that allows connections to the appropriate CIDR (Classless Inter-Domain Routing) blocks. The following CSV file provides the relevant CIDR blocks for the mfa.akamai.com host: Akamai MFA CIDR blocks list.
Your <API Host> is available on the Akamai MFA Integrations configuration page.
Add an ADFS integration
Follow this procedure to generate the integration credentials in Akamai MFA that you must provide in the next step to enable communication between AD FS and Akamai MFA.
- In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
- Click Add integration (+).
- In Integration Type, select ADFS.
- In Name, enter a unique name for your ADFS integration.
- Click Save and Deploy.
You've just generated your API Host, Integration ID, Verifying Key, and Signing Key. This data is available to you on the integration page. Your integration credentials can be copied at any time and used in the following steps to configure the integration with ADFS.
Your Signing Key must be kept completely secret, like any other password or secret key credential.
Install the AD FS plug-in for āAkamai MFAā
Follow these steps to install the AD FS plug-in for Akamai MFA and enable communication between Microsoft AD FS and Akamai MFA.
- Download the AkamaiMfaAdfsAdapter.msi installation package.
- Open Command Prompt as administrator.
- Launch the installation of the package using the following command: msiexec.exe /i <path to AkamaiMfaAdfsAdapter.msi>. The installation prompt displays. Follow the on-screen instructions to install the AkamaiMfaAdfsAdapter.msi package.
- In the installer welcome dialog, click Next.
- In the installer configuration dialog, enter the API Host and the authentication credentials you copied in the previous step from the Akamai MFA integration page. Click Next.
- Click Install to start the installation.
- When the installation is complete, click Finish.
- Verify that there are no errors or red text in the PowerShell output to confirm that the installation was successful.
You've just installed the ADFS plug-in for Akamai MFA.
Configure āAkamai MFAā as a multi-factor authentication method
Follow these instructions to configure Microsoft AD FS to redirect to Akamai MFA for secondary authentication. With these settings, you also enable Akamai MFA to receive authentication requests from ADFS and return the results.
- Log in to the ADFS management console.
- In the ADFS management console, select ADFS > Service > Authentication Methods.
- In Multi-factor Authentication, click Edit.
- In the Edit Authentication Methods dialog, select Akamai MFA. This enables Akamai MFA as the secondary authenticator.
- Click Apply, and then OK.
You've just configured Akamai MFA as a multi-factor authenticator.
Now, update the existing access control policy to apply Akamai MFA.
- In the ADFS management console, select ADFS > Access Control Policies.
- Check the settings of the access control policy that you want to apply, for example, the Permit everyone and require MFA policy. Make sure that this policy is assigned to all configured user and group accounts.
- In the ADFS management console, select ADFS > Relying Party Trusts.
- Right-click the relying party for which you want to enable Akamai MFA, and select Edit Access Control Policy.
- In Edit Access Control Policy, select an access control policy that requires multi-factor authentication, for example, the Permit everyone and require MFA policy.
- Click Apply, and then OK.
You've just applied Akamai MFA as the second factor for the selected relying party.
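A PowerShell check for the prerequisites and configuration steps above, added here as an example and not part of the Akamai documentation; run it in an elevated PowerShell session on the AD FS server. The API Host placeholder and the assumption that the plug-in registers a provider whose name contains "Akamai" are mine, not taken from the page.

```powershell
# Added example (not from the Akamai documentation): verifies the AD FS side of the
# Akamai MFA setup. Requires the ADFS module, present on a Windows Server 2016 AD FS host.
param(
    # Placeholder: replace with the API Host shown on your Akamai MFA integration page.
    [string]$ApiHost = 'REPLACE-WITH-API-HOST',
    # Assumption: the plug-in registers a provider whose name contains "Akamai".
    [string]$ProviderPattern = '*Akamai*',
    # The MFA-requiring access control policy named in the procedure above.
    [string]$ExpectedPolicy = 'Permit everyone and require MFA'
)
Import-Module ADFS -ErrorAction Stop
$failures = @()

# Prerequisite: outbound TCP 443 to the Akamai MFA API host must be reachable.
$conn = Test-NetConnection -ComputerName $ApiHost -Port 443 -WarningAction SilentlyContinue
if (-not $conn.TcpTestSucceeded) { $failures += "No outbound TCP/443 path to $ApiHost" }

# The plug-in must be registered as an AD FS authentication provider.
$provider = Get-AdfsAuthenticationProvider |
    Where-Object { $_.Name -like $ProviderPattern } | Select-Object -First 1
if (-not $provider) { $failures += "No authentication provider matches '$ProviderPattern'" }

# It must be enabled as an additional (second-factor) authentication method.
$authPolicy = Get-AdfsGlobalAuthenticationPolicy
if ($provider -and ($authPolicy.AdditionalAuthenticationProvider -notcontains $provider.Name)) {
    $failures += "Provider '$($provider.Name)' is not enabled for multi-factor authentication"
}

# Every relying party should use the MFA-requiring policy; list any that do not.
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    if ($rp.AccessControlPolicyName -ne $ExpectedPolicy) {
        $failures += "Relying party '$($rp.Name)' uses '$($rp.AccessControlPolicyName)' instead of '$ExpectedPolicy'"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'All Akamai MFA integration checks passed'
```

A relying party reported here still completes primary authentication without the second factor, so treat each warning as a policy gap to close before users rely on the integration.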
Test your ADFS configuration
Follow these instructions to verify your ADFS configuration. These steps also let you test the login experience end users have when they attempt to access a protected application.
Use the username and password of a user who has already been enrolled in Akamai MFA and whose device has been activated.
- Log in to any application with a relying party set up. You are redirected to the ADFS login page.
- Complete the AD FS primary authentication.
- Upon successful authentication, you are redirected to Akamai MFA for secondary authentication. Select an authentication method on the authentication prompt, for example, click Send me a Push.
- On your enrolled mobile device, open the authentication request and approve it.
You are redirected to the application you originally requested.