Microsoft ADFS

Introduction

The purpose of this integration document is to provide guidelines on how to integrate Mideye two-factor authentication with Microsoft Active Directory Federation Service.

Prerequisites & general issues

Requirements

A Mideye Server (any release). If there is a firewall between the ADFS-server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). ADFS acts as a RADIUS client towards the Mideye Server. Hence, the ADFS-server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Supported ADFS-versions are Windows Server 2012R2, 2016 and 2019.

Prerequisites

This guide does not explain how to set up ADFS itself. Refer to the Microsoft documentation on how to configure ADFS before proceeding with this integration guide.

Remove any existing versions of Mideye ADFS module

Before installing a new version of the module, any existing module must be uninstalled. Complete the following steps to remove older versions of the ADFS-module.

Open the ADFS management console, navigate to Access control policies and remove all relying parties from any MFA policies.

Navigate to Authentication Methods and click Edit next to Multi-factor authentication methods.

Uncheck the Mideye ADFS module and click OK.

Open Control Panel, navigate to Add/Remove programs and uninstall the Mideye ADFS module.

To make sure that no provider registration from an older version is left behind, open PowerShell as an administrator and run Unregister-AdfsAuthenticationProvider -Name Mideye.ADFS -Confirm:$false

Installing the ADFS module

Run the ADFS-package as an administrator.

Enter the IP address(es) of the Mideye Server and specify the UDP port (default udp/1812). Type the shared secret that should be used between the RADIUS client (ADFS) and the Mideye Server; use a long, random secret and do not reuse it for other RADIUS clients, since the secret is both what hides the password attribute on the wire and what the Mideye Server uses, together with the source address, to identify this client. Allow at least 35 seconds as timeout to make sure that any fallback method has enough time before timing out. Multiple RADIUS servers can be configured.

Choose language for informational / error messages and finish the installation.

Enable the module

Open the ADFS management console, navigate to Authentication Methods and click Edit next to Multi-factor authentication methods. Enable the Mideye MFA method and click OK.

Navigate to Access control policies and move any relying party that should require two-factor authentication to a policy that requires MFA.
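The same steps (verify that the module is registered, enable it as an additional authentication method, require MFA for a relying party) can be done with the ADFS PowerShell module, which is also a quick way to check the result of the console steps above. This is an added example, not part of the Mideye installer or guide; the provider name Mideye.ADFS is the one used by the Unregister command earlier in this guide, while the relying party name "Contoso App" and the access control policy name "Permit everyone and require MFA" (a built-in policy on Server 2016/2019) are placeholders to replace with your own.

```powershell
# Added example (not Mideye's code): enable the Mideye ADFS provider and
# require MFA for one relying party using the ADFS PowerShell module.
# Assumptions: provider registered as 'Mideye.ADFS'; the relying party and
# policy names below are placeholders.
Import-Module ADFS

$providerName = 'Mideye.ADFS'
$rpName       = 'Contoso App'                        # placeholder
$policyName   = 'Permit everyone and require MFA'    # built-in on 2016/2019; adjust if renamed

# 1. Is the provider registered at all? If not, the installer did not complete.
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if (-not $provider) {
    throw "Authentication provider '$providerName' is not registered; rerun the installer."
}

# 2. Enable it as an additional (MFA) method in the global policy without
#    dropping any other providers that are already enabled.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$enabled = @($policy.AdditionalAuthenticationProvider)
if ($enabled -notcontains $providerName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($enabled + $providerName)
}

# 3. Require MFA for the relying party by assigning an MFA access control policy.
if (-not (Get-AdfsAccessControlPolicy -Name $policyName)) {
    throw "Access control policy '$policyName' does not exist."
}
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $policyName

# 4. Show the result for review.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, AccessControlPolicyName
```

Run it in an elevated PowerShell on the primary ADFS server. The list returned in step 4 is the same set that appears checked under Multi-factor authentication methods in the console.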

Create RADIUS-client

Refer to configuration guide how to create a new RADIUS-client on the Mideye Server.

On the created RADIUS client, navigate to Client configuration and remove "Check static password". This check is not necessary since ADFS has already verified the username and password before the Mideye module is invoked. Because the Mideye Server then no longer verifies the password itself, make sure that this RADIUS client definition is limited to the ADFS server's address and that its shared secret is not shared with other clients.

Customise error messages, language and Serverlist

To change the language or customise informational and error messages, open the Mideye ADFS configuration editor. To customise a field, check the Custom edit button, make the changes and click Save.

To add, remove or edit entries in the RADIUS server list, open the Client settings tab, check the Custom edit button, make the changes and click Save.

Troubleshooting

Check RADIUS-logs

Check whether anything is written to the Mideye RADIUS log:

Mideye Server\log\radius-messages.log

If nothing is logged, the request is not reaching the Mideye Server. Verify that udp/1812 is allowed between the ADFS server and the Mideye Server, and that the ADFS server is defined as a RADIUS client with the address it actually sends from, since a RADIUS server silently discards requests from clients it does not know. Also check the Event Viewer on the ADFS server (Applications and Services Logs > AD FS > Admin) for errors from the module.
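To separate "udp/1812 is blocked or this host is not defined as a RADIUS client" (no reply at all) from "reachable but the shared secret differs" (a reply whose Response Authenticator does not verify), the following script sends one RADIUS Access-Request (RFC 2865) from the ADFS server and checks the answer. It is an added example written for this guide, not a Mideye tool; the server address, secret and the deliberately non-existent user name are placeholders. Using a user name that does not exist keeps the probe from triggering a real one-time code for an actual user.

```powershell
# Added example (not Mideye's code): minimal RADIUS Access-Request probe.
# Placeholders: server address, shared secret, probe user name.
function Send-RadiusProbe {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Secret,
        [int]    $Port      = 1812,
        [string] $UserName  = 'radius-probe-nonexistent',  # must not be a real user
        [string] $Password  = 'probe',
        [int]    $TimeoutMs = 35000                         # same as the module timeout
    )
    $md5         = [System.Security.Cryptography.MD5]::Create()
    $enc         = [System.Text.Encoding]::ASCII
    $secretBytes = $enc.GetBytes($Secret)

    # Request Authenticator: 16 random bytes, also the IV for password hiding.
    $reqAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)

    # User-Password (type 2): pad to 16-byte blocks; block i is XORed with
    # MD5(secret + previous ciphertext block), the first with MD5(secret + RA).
    $pw     = $enc.GetBytes($Password)
    $padLen = [int][math]::Max(16, [math]::Ceiling($pw.Length / 16) * 16)
    $padded = New-Object byte[] $padLen
    [Array]::Copy($pw, $padded, $pw.Length)
    $hidden = New-Object byte[] $padLen
    $prev   = $reqAuth
    for ($i = 0; $i -lt $padLen; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }

    # Attribute TLVs: User-Name (1), User-Password (2), NAS-IP-Address (4).
    $userAttr = [byte[]](1, (2 + $UserName.Length)) + $enc.GetBytes($UserName)
    $pwAttr   = [byte[]](2, (2 + $hidden.Length)) + $hidden
    $nasAttr  = [byte[]](4, 6) + [System.Net.IPAddress]::Loopback.GetAddressBytes()  # placeholder NAS address
    $attrs    = [byte[]]($userAttr + $pwAttr + $nasAttr)

    # Header: Code 1 = Access-Request, Identifier, Length (big-endian), Authenticator.
    $id     = Get-Random -Minimum 0 -Maximum 256
    $length = 20 + $attrs.Length
    $packet = [byte[]]((1, $id, ($length -shr 8), ($length -band 0xFF)) + $reqAuth + $attrs)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($packet, $packet.Length, $Server, $Port)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
    } catch {
        return "No reply within $TimeoutMs ms ($($_.Exception.Message)): udp/$Port is blocked, or this host is not defined as a RADIUS client on the Mideye Server."
    } finally { $udp.Close() }

    if ($reply.Length -lt 20 -or $reply[1] -ne $id) { return 'Malformed reply or identifier mismatch.' }

    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + reply attributes + Secret).
    $replyAttrs = if ($reply.Length -gt 20) { [byte[]]$reply[20..($reply.Length - 1)] } else { [byte[]]@() }
    $expected   = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $replyAttrs + $secretBytes))
    $actual     = [byte[]]$reply[4..19]
    if ([BitConverter]::ToString($expected) -ne [BitConverter]::ToString($actual)) {
        return 'Reply received but the Response Authenticator does not verify: shared secret mismatch.'
    }
    $codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    $name  = $codes[[int]$reply[0]]
    if (-not $name) { $name = "code $($reply[0])" }
    return "Mideye Server reachable and shared secret OK; it answered $name."
}

Send-RadiusProbe -Server '192.0.2.10' -Secret 'replace-with-the-client-secret'
```

Run it from the ADFS server so the probe leaves from the same address as the module's own requests. Any reply that verifies, including an Access-Reject for the fake user, proves the path and the secret; in that case look at the ADFS Event Viewer and the module configuration rather than the network.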

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.