Today, I had the pleasure of installing and configuring OneSpan’s (formerly Vasco’s) DIGIPASS Authentication for Microsoft Active Directory Federation Services (AD FS).
Microsoft Docs offers links to documentation for third-party providers with MFA offerings currently available for AD FS, but just like CensorNet’s SMS PASSCODE AD FS Agent, OneSpan’s installation and configuration manual is not linked, so here’s how to perform this task yourself.
About the Extensible Authentication Framework
Active Directory Federation Services (AD FS) offers the Extensible Authentication Framework (EAF). Leveraging this functionality, multi-factor authentication providers can hook their products into the authentication funnel.
Through an AD FS agent, authentication is routed to the multi-factor authentication software when an MFA claim is required. Only when the multi-factor authentication software signals back that the second factor succeeded will AD FS issue the federation claim to the user.
About VASCO, OneSpan and DIGIPASS
OneSpan (formerly VASCO Data Security International) is a publicly traded cybersecurity technology company based in Chicago, Illinois with offices in Montreal, Brussels and Zurich. The company is historically known for its multi-factor authentication and electronic signature software.
VASCO started developing its DIGIPASS technology in the early 2000s. In 2009, VASCO made DIGIPASS two-factor authentication available in the App Store for iPhone and iPod Touch.
On May 30, 2018, VASCO changed its name to OneSpan.
Before following the below steps, make sure you meet the following prerequisites:
- Implement the OneSpan IDENTIKEY Authentication Server.
- Copy the installation file for the AD FS component to a file location that is accessible to the AD FS Server(s). Make sure user accounts are configured with the appropriate authentication information.
- Log on to the AD FS Server(s) with an account that has privileges to manage Active Directory Federation Services. When the AD FS Farm uses the Windows Internal Database (WID) as the AD FS configuration database, make sure you run the last steps of this HowTo on the primary AD FS Server.
- Make sure the AD FS Servers are able to communicate with the centralized OneSpan IDENTIKEY Authentication Server over TCP port 20003 and/or TCP port 20004. Web Application Proxies don’t need a connection to the server, though.
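The prerequisites above can be checked from an elevated PowerShell window on each AD FS server before the installer is started. The following script is an added example, not part of the original post or of OneSpan’s product; it assumes the AD FS PowerShell module is present (it ships with the AD FS role) and uses a placeholder host name for the IDENTIKEY Authentication Server.

```powershell
# Added example (not from the original post): pre-flight checks before installing
# DIGIPASS Authentication for Microsoft AD FS. Run in an elevated PowerShell window
# on each AD FS server. $IdentikeyServer is a placeholder; replace it with the
# IP address or DNS name of your OneSpan IDENTIKEY Authentication Server.
$IdentikeyServer = 'identikey.example.local'   # placeholder

# 1. Is the AD FS role present, and is this node the primary server of a WID farm?
Import-Module ADFS -ErrorAction Stop
$sync = Get-AdfsSyncProperties
"AD FS role of this node: $($sync.Role)"
if ($sync.Role -ne 'PrimaryComputer') {
    Write-Warning 'This is not the primary AD FS server; run the final configuration steps on the primary node when the farm uses WID.'
}

# 2. Can this node reach the IDENTIKEY server on the non-TLS (20003) and TLS (20004) ports?
#    A Web Application Proxy does not need this, so run this part on AD FS servers only.
foreach ($port in 20003, 20004) {
    $result = Test-NetConnection -ComputerName $IdentikeyServer -Port $port -WarningAction SilentlyContinue
    $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0}:{1} -> {2}' -f $IdentikeyServer, $port, $state
}

# 3. Can the current account manage AD FS? A failing Get-AdfsProperties call is the
#    quickest way to find out before the installer and the configuration wizard run.
try {
    $null = Get-AdfsProperties -ErrorAction Stop
    'AD FS management access: OK'
} catch {
    Write-Warning "AD FS management access failed: $($_.Exception.Message)"
}
```

Only TCP reachability is tested here; whether the IDENTIKEY server accepts the AD FS module as a client is decided later by the client record created in the configuration wizard.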
How to install DIGIPASS Authentication for Microsoft ADFS
Follow these steps to install DIGIPASS Authentication for Microsoft AD FS:
- Log on to the AD FS server.
- Locate the DIGIPASS Authentication for Microsoft AD FS installation file. Execute the following command line in an elevated Command Prompt (cmd.exe) window to start installing DIGIPASS Authentication for Microsoft AD FS:
msiexec /i dp-auth-for-adfs_<version>_x64.msi
The DIGIPASS Authentication for Microsoft AD FS <version> window appears.
- On the Welcome to the DIGIPASS Authentication for Microsoft ADFS Setup screen, click Next >.
- On the License Agreement screen, select the I accept the terms in the license agreement option and click Next >.
- Click Next > on the Destination Folder screen to accept the default installation location. Alternatively, you can change the destination folder.
- On the Ready to Install the Program screen, click Install.
- After successful installation, click Finish to exit the setup program.
How to configure DIGIPASS Authentication for Microsoft ADFS
After the initial installation, follow these steps to configure DIGIPASS Authentication for Microsoft AD FS:
- After clicking Finish in the DIGIPASS Authentication for Microsoft AD FS <version> window, it closes and the DIGIPASS Authentication for Microsoft ADFS Configuration Wizard is started:
- On the Configure DIGIPASS Authentication for Microsoft ADFS screen, click
- On the Specify the connection details screen, provide the IP address or DNS name of the OneSpan IDENTIKEY Authentication Server. The default TCP port is 20003 for non-TLS and 20004 for TLS connections. Click Next > afterward.
- On the Specify the IP address screen, select an IP address from the drop-down list of IP addresses assigned to the current machine. The DIGIPASS Authentication Module will use the selected IP address exclusively.
As VASCO component licensing operates on IP address, this ensures that the DIGIPASS Authentication Module will only use up one component license slot.
- On the Specify whether to create an IDENTIKEY client record screen, select the Create client record automatically option. Specify the credentials for the administrator login at the IDENTIKEY Authentication Server to register the DIGIPASS Authentication Module in the authentication server database.
- Click Next >.
- On the Specify license key screen, select a license.dat file that contains a license key for DIGIPASS Authentication for Microsoft ADFS.
You can skip this step and activate later, but multi-factor authentication using DIGIPASS Authentication for Microsoft ADFS will only succeed after a valid license key has been entered.
- On the Ready to complete DIGIPASS Authentication Module configuration screen, review the data in the Detail column, and click Finish when done.
How to Update DIGIPASS Authentication for Microsoft ADFS
When you’ve installed DIGIPASS Authentication for ADFS with the installer for a previous version, you can update the installation with the accompanying Microsoft update package (*.msp), using the following command line in an elevated Command Prompt (cmd.exe) window:
msiexec /update dp-auth-for-adfs_<version>_x64.msp
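Both the initial installation (msiexec /i with the .msi) and the update (msiexec /update with the .msp) can be driven from PowerShell so that a verbose MSI log is written and the exit code is checked, which is what you want when the AD FS service refuses to start after a change. The function below is an added example, not part of the original post or of OneSpan’s installer; the package paths are placeholders, and the Setup and Configuration wizards still appear as described above.

```powershell
# Added example (not from the original post): run the DIGIPASS installer (.msi) or
# update package (.msp) with a verbose MSI log and an exit-code check.
function Install-DigipassAdfsPackage {
    param([Parameter(Mandatory)][string]$PackagePath)

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Package not found: $PackagePath"
    }

    # .msi = fresh install (msiexec /i); .msp = update of an existing install (msiexec /update)
    $action = switch ([IO.Path]::GetExtension($PackagePath).ToLower()) {
        '.msi'  { '/i' }
        '.msp'  { '/update' }
        default { throw "Unsupported package type: $PackagePath" }
    }

    # Verbose log next to the user's temp folder, one file per run.
    $log = Join-Path $env:TEMP ('dp-auth-for-adfs_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))
    $arguments = @($action, "`"$PackagePath`"", '/l*v', "`"$log`"")

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { "Success. Log: $log" }
        3010    { "Success, reboot required. Log: $log" }
        default { throw "msiexec exited with code $($proc.ExitCode); see $log" }
    }
}

# Fresh install (placeholder path; <version> is whatever you downloaded):
Install-DigipassAdfsPackage -PackagePath 'C:\Install\dp-auth-for-adfs_<version>_x64.msi'

# Update an existing installation (placeholder path):
# Install-DigipassAdfsPackage -PackagePath 'C:\Install\dp-auth-for-adfs_<version>_x64.msp'
```

Exit code 3010 means the package installed but Windows wants a reboot; on a WID farm, reboot the secondary servers first and the primary last so configuration sync is not interrupted longer than necessary.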
How to enable Multi-factor Authentication through DIGIPASS Authentication for Microsoft ADFS
Follow these steps to enable Multi-factor Authentication through DIGIPASS Authentication for Microsoft ADFS:
- Log on to the (primary) AD FS server.
- Open the AD FS Management tool.
- In the left navigation pane, select Authentication Policies.
- In the right task pane, click the Edit Global Multi-factor Authentication… link.
- Select DP4AuthADFS as additional authentication method if it’s not selected already.
- To require multi-factor authentication for all external (extranet) access, also select Extranet. Alternatively, specify multi-factor authentication per Relying Party Trust (RPT).
- Click OK.
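The same configuration can be applied with the AD FS PowerShell module on the primary AD FS server, which is useful for scripting a farm or for checking what the AD FS Management tool actually changed. The script below is an added example, not part of the original post or of OneSpan’s product. The provider name DP4AuthADFS is the one the steps above select; the Relying Party Trust display name is a placeholder.

```powershell
# Added example (not from the original post): the PowerShell equivalent of the
# AD FS Management steps above. Run on the primary AD FS server of a WID farm.
Import-Module ADFS -ErrorAction Stop

# 1. Confirm the DIGIPASS module registered itself as an authentication provider.
$provider = Get-AdfsAuthenticationProvider | Where-Object Name -eq 'DP4AuthADFS'
if (-not $provider) {
    throw 'DP4AuthADFS is not registered with AD FS; check the installation and the AD FS Admin event log.'
}

# 2. Add it to the global list of additional (second-factor) authentication providers,
#    keeping any provider that is already enabled instead of replacing the list.
$current = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$wanted  = @($current | Where-Object { $_ }) + 'DP4AuthADFS' | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $wanted

# 3a. Require MFA for all extranet access. This is the claim rule the "Extranet"
#     checkbox in Edit Global Multi-factor Authentication produces: the
#     insidecorporatenetwork claim is "false" for requests that arrive via the
#     Web Application Proxy, and the issued multipleauthn claim triggers the provider.
$extranetRule = @'
c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]
 => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetRule

# 3b. Alternatively, require MFA for a single Relying Party Trust only (placeholder name),
#     leaving the global additional authentication rules empty.
# Set-AdfsRelyingPartyTrust -TargetName 'Contoso Web App' -AdditionalAuthenticationRules $extranetRule

# 4. Show the effective policy so the change can be recorded.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Whichever route you take, verify it end to end with a test account from outside the network: a sign-in that completes without the DIGIPASS prompt means the rule is not matching, usually because the Web Application Proxy is not issuing the insidecorporatenetwork claim as expected.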
Using the Extensible Authentication Framework (EAF) in Active Directory Federation Services (AD FS) makes enabling multi-factor authentication a breeze.