Introduction

Notakey Authenticator plugin for AD FS is a standard AD FS service plugin that integrates into the authentication workflow of your SSO web-based applications.

System Requirements

OS Type   Minimum Version
Server    Windows Server 2012
Server    Windows Server 2016

Installation

The standard plugin distribution comes as an MSI package, NotakeyAdfsMfaPluginInstaller-<version>.msi, and can be installed normally by running the MSI or deployed automatically using software distribution tools. The MSI install is not registered automatically with AD FS; this has to be done by executing the install scripts. PowerShell install and uninstall scripts are included with the package and are installed in the program directory, normally %ProgramFiles(x86)%\Notakey Latvia\Notakey AD FS MFA plugin.

During install you will be asked to apply the MFA authentication policy and to restart the AD FS services.

Install the service with PS> AdfsPluginInstall.ps1 from a user account with administrative privileges. Uninstall with PS> AdfsPluginUninstall.ps1.

Workflow

  • User authenticates with the standard username and password
  • If 2FA is enabled for the user's group and zone (extranet, intranet), an authentication request is sent to the user automatically
  • User approves the authentication request on their mobile device
  • Logon succeeds and AD FS redirects the user to the requested Service Provider

Plugin configuration

All configuration is done through the Windows registry. This allows flexible deployments using Group Policy; see the GPO documentation for how to deploy registry values in the domain on a per-machine basis. Note that changes to the registry-based configuration require an AD FS service restart.

This can be done in PowerShell using the following commands:

Stop-Service -Name adfssrv -Force
Start-Service -Name adfssrv

Configuration

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Notakey]

[HKEY_LOCAL_MACHINE\SOFTWARE\Notakey\AdfsMfa]
"ServiceURL"="https://demo.notakey.com/api/"
"ServiceID"="65af8d56-b7d9-49b9-86c6-595dc440d933"
"MessageTtlSeconds"=dword:0000001e
"MessageActionTitle"="ADFS Login"
"MessageDescription"="Proceed as {0}?"

Description of configuration options

Name                Default                           Description
ServiceURL          <none>                            API endpoint URL. Must end with /api/; this value must be present for the service to function.
ServiceID           <none>                            Service ID as displayed in the NAS dashboard; this value must be present for the service to function.
MessageTtlSeconds   300                               Validity duration of the auth request, in seconds.
MessageActionTitle  AD FS login request               Title of the auth request.
MessageDescription  Proceed with login for user {0}?  Message body of the auth request.
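The registry-based configuration above can also be deployed from PowerShell instead of importing a .reg file. The following script is an added example and is not part of the Notakey distribution; it reuses the demo values from the .reg listing (replace them with the ServiceURL and ServiceID from your own NAS dashboard), validates the two mandatory values before writing them, and restarts AD FS so the plugin picks the settings up.

```powershell
# Added example (not Notakey's own code): write the plugin's registry
# configuration and restart AD FS. Values are the demo values from the
# documentation; substitute your own ServiceURL and ServiceID.
$KeyPath = 'HKLM:\SOFTWARE\Notakey\AdfsMfa'
$Config = @{
    ServiceURL         = 'https://demo.notakey.com/api/'
    ServiceID          = '65af8d56-b7d9-49b9-86c6-595dc440d933'
    MessageTtlSeconds  = 30            # stored as REG_DWORD (0x1e), default is 300
    MessageActionTitle = 'ADFS Login'
    MessageDescription = 'Proceed as {0}?'
}

# Sanity checks on the two mandatory values before touching the registry.
# The plugin requires ServiceURL to end with /api/; this example additionally
# insists on https, since the endpoint carries authentication traffic.
if ($Config.ServiceURL -notmatch '^https://.+/api/$') {
    throw "ServiceURL must be an https URL ending in /api/: $($Config.ServiceURL)"
}
$guid = [guid]::Empty
if (-not [guid]::TryParse($Config.ServiceID, [ref]$guid)) {
    throw "ServiceID is not a valid GUID: $($Config.ServiceID)"
}

# Create the key (and its parent HKLM\SOFTWARE\Notakey) if it does not exist.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

foreach ($name in $Config.Keys) {
    $value = $Config[$name]
    # MessageTtlSeconds is numeric and must be a DWORD; the rest are REG_SZ.
    $type = if ($value -is [int]) { 'DWord' } else { 'String' }
    Set-ItemProperty -Path $KeyPath -Name $name -Value $value -Type $type
}

# Registry changes are only read by the plugin after an AD FS service restart.
Restart-Service -Name adfssrv -Force

# Show what the service will read on startup.
Get-ItemProperty -Path $KeyPath |
    Select-Object ServiceURL, ServiceID, MessageTtlSeconds, MessageActionTitle, MessageDescription
```

Run it in an elevated PowerShell session on each AD FS server; when deploying via Group Policy, the same key, value names and REG_DWORD/REG_SZ types apply.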

More information

Troubleshooting

The plugin writes error and status logs to the Windows Event Log; check there first when investigating issues. All user-facing errors are codified; contact product support for the details of a specific error code you encounter.