HOWTO: Install VASCO’s DIGIPASS Authentication for AD FS


Today, I had the pleasure of installing and configuring OneSpan’s (formerly Vasco’s) DIGIPASS Authentication for Microsoft Active Directory Federation Services (AD FS).

Microsoft Docs offers links to documentation for 3rd-party providers with MFA offerings currently available for AD FS, but just like CensorNet’s SMS PASSCODE AD FS Agent, OneSpan’s installation and configuration manual is not linked, so here’s how to perform this task yourself.


About the Extensible Authentication Framework

Active Directory Federation Services (AD FS) offers the Extensible Authentication Framework (EAF). Leveraging this functionality, multi-factor authentication providers can hook their products into the authentication funnel.

Through an AD FS agent, authentication is routed to the multi-factor authentication software whenever an MFA claim is required. Only after the multi-factor authentication software signals back that the additional authentication succeeded does AD FS issue the federation claim to the user.


About VASCO, OneSpan and DIGIPASS

OneSpan (formerly VASCO Data Security International) is a publicly traded cybersecurity technology company based in Chicago, Illinois with offices in Montreal, Brussels and Zurich. The company is historically known for its multi-factor authentication and electronic signature software.

VASCO started developing its DIGIPASS technology in the early 2000s. In 2009, VASCO made DIGIPASS two-factor authentication available in the App Store for iPhone and iPod Touch.

On May 30, 2018, VASCO changed its name to OneSpan.


Prerequisites

Before following the below steps, make sure you meet the following prerequisites:

  • Implement the OneSpan IDENTIKEY Authentication Server.
  • Copy the installation file for the AD FS component to a file location that is accessible to the AD FS Server(s). Make sure user accounts are configured with the appropriate authentication information.
  • Log on to the AD FS Server(s) with an account that has privileges to manage Active Directory Federation Services. When the AD FS farm uses the Windows Internal Database (WID) as its configuration database, run the last steps of this HowTo on the primary AD FS server.
  • Make sure the AD FS servers can reach the centralized IDENTIKEY Authentication Server over TCP port 20003 (non-TLS) and/or TCP port 20004 (TLS). Web Application Proxies don’t need a connection to the server, though.
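An added example, not part of the original post, that checks the last prerequisite from an admin workstation: it asks each AD FS server to probe the IDENTIKEY server on TCP 20003 and 20004 and flags any farm member that can reach neither port. The host names are placeholders and PowerShell remoting to the AD FS servers is assumed.

```powershell
# Added example, not from the original post: verify that each AD FS server can reach the
# IDENTIKEY Authentication Server on the ports the DIGIPASS module uses
# (TCP 20003 non-TLS, TCP 20004 TLS). Host names below are placeholders.
$identikey   = 'identikey.example.local'                          # placeholder
$adfsServers = @('adfs01.example.local', 'adfs02.example.local')  # placeholder farm members
$ports       = @{ 20003 = 'non-TLS'; 20004 = 'TLS' }

$results = foreach ($server in $adfsServers) {
    foreach ($port in $ports.Keys) {
        # Probe from the AD FS server itself, so the result reflects its own firewall path
        # rather than the workstation's. Requires PowerShell remoting to the AD FS servers.
        $reachable = Invoke-Command -ComputerName $server -ArgumentList $identikey, $port -ScriptBlock {
            param($target, $p)
            (Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            AdfsServer = $server
            Port       = $port
            Mode       = $ports[$port]
            Reachable  = [bool]$reachable
        }
    }
}

$results | Sort-Object AdfsServer, Port | Format-Table -AutoSize

# The module needs at least one of the two ports per AD FS server; flag servers with neither.
$results | Group-Object AdfsServer | ForEach-Object {
    if (-not ($_.Group.Reachable -contains $true)) {
        Write-Warning "$($_.Name) cannot reach $identikey on TCP 20003 or 20004; fix the firewall path before installing."
    }
}
```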


How to install DIGIPASS Authentication for Microsoft ADFS

Follow these steps to install DIGIPASS Authentication for Microsoft AD FS:

  • Log on to the AD FS server.
  • Locate the DIGIPASS Authentication for Microsoft AD FS installation file. Execute the following command line in an elevated Command Prompt (cmd.exe) window to start installing DIGIPASS Authentication for Microsoft AD FS:

msiexec /i dp-auth-for-adfs_<version>_x64.msi


The DIGIPASS Authentication for Microsoft AD FS <version> window appears.

DIGIPASS Authentication for ADFS - Welcome

  • On the Welcome to the DIGIPASS Authentication for Microsoft ADFS Setup screen, click Next >.

DIGIPASS Authentication for ADFS - License Agreement

  • On the License Agreement screen, select the I accept the terms in the license agreement option and click Next >.

DIGIPASS Authentication for ADFS - Destination Folder

  • Click Next > on the Destination Folder screen to accept the default installation location. Alternatively, you can change the destination folder.

DIGIPASS Authentication for ADFS - Ready to Install the Program

  • On the Ready to Install the Program screen, click Install.
  • After successful installation, click Finish to exit the setup program.


How to configure DIGIPASS Authentication for Microsoft ADFS

After the initial installation, follow these steps to configure DIGIPASS Authentication for Microsoft AD FS:

  • After you click Finish in the DIGIPASS Authentication for Microsoft AD FS <version> window, it closes and the DIGIPASS Authentication for Microsoft ADFS Configuration Wizard starts:

DIGIPASS Authentication for Microsoft ADFS Configuration Wizard - Configure DIGIPASS Authentication for Microsoft ADFS

  • On the Configure DIGIPASS Authentication for Microsoft ADFS screen, click Next >.

DIGIPASS Authentication for Microsoft ADFS Configuration Wizard - Specify the connection details

  • On the Specify the connection details screen, provide the IP address or DNS name of the OneSpan IDENTIKEY Authentication Server. The default TCP port is 20003 for non-TLS connections and 20004 for TLS connections. Click Next > afterward.

DIGIPASS Authentication for Microsoft ADFS Configuration Wizard - Specify the IP address

  • On the Specify the IP address screen, select an IP address from the drop-down list of IP addresses assigned to the current machine. The DIGIPASS Authentication Module will use the selected IP address exclusively.

Note:
Because VASCO component licensing is based on IP address, binding the module to a single address ensures that the DIGIPASS Authentication Module uses up only one component license slot.

DIGIPASS Authentication for Microsoft ADFS Configuration Wizard - Specify whether to create an IDENTIKEY client record

  • On the Specify whether to create an IDENTIKEY client record screen, select the Create client record automatically option. Specify the credentials for the administrator login at the IDENTIKEY Authentication Server to register the DIGIPASS Authentication Module in the authentication server database.
  • Click Next >.

DIGIPASS Authentication for Microsoft ADFS Configuration Wizard - Specify license key

  • On the Specify license key screen, select a license.dat file that contains a license key for DIGIPASS Authentication for Microsoft ADFS.

Note:
You can skip this step and activate later, but multi-factor authentication using DIGIPASS Authentication for Microsoft ADFS will only succeed after a valid license key has been entered.

DIGIPASS Authentication for Microsoft ADFS Configuration Wizard - Ready to complete DIGIPASS Authentication Module configuration

  • On the Ready to complete DIGIPASS Authentication Module configuration screen, review the data in the Detail column, and click Finish when done.


How to Update DIGIPASS Authentication for Microsoft ADFS

When you’ve installed DIGIPASS Authentication for ADFS with the installer for a previous version, you can update the installation with the accompanying Microsoft update package (*.msp) by running the following command line in an elevated Command Prompt (cmd.exe) window:

msiexec /update dp-auth-for-adfs_<version>_x64.msp


How to enable Multi-factor Authentication through DIGIPASS Authentication for Microsoft ADFS

Follow these steps to enable Multi-factor Authentication through DIGIPASS Authentication for Microsoft ADFS:

  • Log on to the (primary) AD FS server.
  • Open the AD FS Management tool.
  • In the left navigation pane, select Authentication Policies.
  • In the right task pane, click the Edit Global Multi-factor Authentication… link.
  • Select DP4AuthADFS as an additional authentication method if it isn’t selected already.
  • To require multi-factor authentication for all external access, also select Extranet. Alternatively, specify multi-factor authentication per Relying Party Trust (RPT).
  • Click OK.
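The same configuration from PowerShell on the primary AD FS server, as an added example that is not from the original post or from OneSpan. It assumes the provider registers under the name DP4AuthADFS shown in the steps above; the relying party name is a placeholder.

```powershell
# Added example, not from the original post: PowerShell equivalent of the AD FS Management steps.
# Assumes the DIGIPASS provider is registered as 'DP4AuthADFS' (the name shown in the GUI).
Import-Module ADFS

$providerName = 'DP4AuthADFS'

# 1. Confirm the DIGIPASS provider registered itself with the AD FS farm.
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if (-not $provider) {
    throw "Authentication provider '$providerName' is not registered; re-run the installer on the primary AD FS server."
}

# 2. Add it to the global additional (multi-factor) providers, keeping any that are already enabled.
$policy    = Get-AdfsGlobalAuthenticationPolicy
$providers = @($policy.AdditionalAuthenticationProvider)
if ($providers -notcontains $providerName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($providers + $providerName)
}

# 3. Require MFA for every request that does not originate inside the corporate network ("Extranet").
$extranetRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetRule

# 3b. Alternatively, scope the requirement to one Relying Party Trust instead of setting it globally.
#     'Contoso Portal' is a placeholder RPT display name.
# Set-AdfsRelyingPartyTrust -TargetName 'Contoso Portal' -AdditionalAuthenticationRules $extranetRule

# 4. Verify the result.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```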


Concluding

Using the Extensible Authentication Framework (EAF) in Active Directory Federation Services (AD FS) makes enabling multi-factor authentication a breeze.

Further reading

Configure Additional Authentication Methods for AD FS
DIGIPASS Authentication Servers Features

One Response to HOWTO: Install VASCO’s DIGIPASS Authentication for AD FS


    This is the first reference I’ve seen anywhere to OneSpan’s ADFS plugin!
    I thought I was the only one who has ever installed it. 🙂

    Warning: if you have existing themes that you want to keep (logos etc) you will want to make sure you save those and make appropriate modifications to convert the OneSpan with your theme.

    Also we’ve observed that the UserPrincipalName is what comes through the Plugin and in our OneSpan environment we’ve sync’d all users with their sAMAccountName attribute as the OneSpan UserID. Is this an ADFS issue – where it only sends UPN or is it a OneSpan issue? OneSpan says it just forwards what ADFS sends – is there a way to change what ADFS sends – instead of UPN, send UserID aka sAMAccountName?
