ADFS Integration

GreenRADIUS 2FA can be integrated with Active Directory Federation Services (ADFS).

This deployment and configuration guide assumes the following:

• GreenRADIUS (v4.1.11.11 or later) has been deployed and configured
• A GreenRADIUS license has been installed that enables the ADFS MFA module
• The ADFS Server role has been installed and configured in either Windows Server 2016 or 2019
• Applications and services are already set up in ADFS as relying parties

GreenRADIUS Configuration

1. In the GreenRADIUS web admin interface, click on the Global Configuration tab.

2. Click the Client-based Authentication Policies icon.
3. In the Add Client page, configure the following settings:

• Client ID: This is an admin-defined value and should be the same Client ID as configured in the ADFS adapter.
• Description: This is an optional field.
• Shared Secret: This is an admin-defined character string and must match with the Shared Secret configured in the ADFS adapter.
• Type: Set to ADFS
• Multi-Factor Policy: The configured setting will be enforced for user logins:
  • Password + OTP: Password and OTP (or mobile push app)
  • PIN + OTP: PIN and OTP (or mobile push app)
  • Password + PIN + OTP Password, PIN, and OTP (or mobile push app)
• Enable First Factor Validation (Password/PIN) Through GreenRADIUS: Set to No
• Enable Auto-provisioning: If set to Yes, YubiKeys (when OTPs are used) will be automatically assigned to users upon the first successful login with the YubiKey if the user does not already have a YubiKey assigned.
  • Note: To enable auto-provisioning of YubiKeys for use with ADFS, not only must this be set to "Yes", but also at the global and domain level.

4. Click the Add button.

Install and Configure the GreenRADIUS ADFS MFA Adapter

1. Download the GreenRADIUS ADFS MFA Adapter. (You can obtain the latest version by contacting us.)
2. Logged in as an admin on the Windows Server with the ADFS server role, double-click the GreenRADIUS ADFS 2FA Adapter installer. After a few progress bars, a welcome screen appears. Click Next.

3. Accept the license agreement and click Next.

4. Click Install.

5. After the installation is complete, click Finish.
6. Open the GreenRADIUS ADFS MFA Adapter Configuration application

7. Click the Global Configuration tab.
8. Configure the following settings:

• Request Processing Scheme
  • Ordered List: The first GreenRADIUS instance listed will be contacted first for user authentication, then the next, and so on.
  • Round Robin: The next GreenRADIUS instance will be contacted first for user authentication, rotating through the list of GreenRADIUS instances with each new login attempt.
• Server Connection Timeout: The time (in seconds) for which the ADFS client waits for each GreenRADIUS instance to respond.
• Dead Server Detection Threshold: Indicates the maximum number of consecutive login attempts to be made to a configured GreenRADIUS instance before marking the instance as "dead"
• Server Dead Time Interval: The time (in seconds) for which a server marked as dead will not be contacted.
• Client ID: Should be the same Client ID as configured in all GreenRADIUS instances.
  • Note: The client ID must be unique and not already used by another ADFS client.
• Shared Secret: This must match the shared secret configured in each GreenRADIUS for this ADFS client.

9. Click the Server List tab.
10. Add GreenRADIUS instances and enable them.

11. Click the Save and Apply button.
12. Launch the ADFS management application. Right-click on Authentication Methods and select Edit Multi-factor Authentication Methods.

13. A list of authentication providers will be shown. Select/Enable Green Rocket Security MFA for AD FS, and then click Apply.

14. Restart the ADFS service.

Configuring the GreenRADIUS ADFS MFA Adapter/Plugin

1. Launch the ADFS management application. Right-click on Access Control Policies and select Add Access Control Policy....

2. An "Add Access Control Policy" screen will appear. In the Name field, enter a name for this new access control policy.

3. In the "Rule Editor" screen, under the "Permit" section, select users and check the checkbox for and require multi-factor authentication. Then click OK.

4. Click on Apply, then OK to save changes.

Associate Access Control Policies to Relying Parties in ADFS

1. In the ADFS management application, right-click on Relying Party Trusts, and select a relying party trust to configure.
2. From the list of available access control policies, select the policy that was just configured above that requires multi-factor authentication.

3. Restart the ADFS service.

User Logins with GreenRADIUS MFA for ADFS Relying Parties

At this point, the ADFS service is ready to authenticate users and their second factor with GreenRADIUS. If the relying party is configured with an access control policy requiring multi-factor authentication with GreenRADIUS, users will see the following screen (or similar) after logging in with their username and password.

The following tokens are currently supported:

• YubiKeys: YubiKey OTPs are supported. With the cursor in the blank field, after inserting the YubiKey, the user simply touches the YubiKey button.
• Google Authenticator: Google Authenticator and other Authenticator apps are supported as well. In the blank field, the user enters the current six-digit OTP in the Authenticator app, then clicks Continue.
• Green Rocket 2FA Mobile App: Our Green Rocket 2FA Mobile App can also be used. The user leaves the field blank and clicks Continue. The user should then receive a push notification on his or her mobile phone and tap Approve to complete the login.