Challenge
A university uses Microsoft Active Directory Federation Services (ADFS) as its identity provider. The university's ADFS is a member of SWAMID, the identity federation for Swedish universities and colleges; SUNET (Swedish University Computer Network) is responsible for the federation's regulations. Today, employees and students authenticate to ADFS with username and password, or with Windows single sign-on. Some services within SWAMID require login at a higher assurance level, which calls for an additional authentication factor. ADFS must also be able to signal the assurance level achieved according to the SWAMID and REFEDS rules. The ADFS Toolkit is used so that ADFS can consume the federation's aggregated metadata.
The university's infrastructure is based, among other things, on software from Microsoft. For compliance and cost reasons, however, Microsoft Azure's multi-factor authentication (MFA) service is not an option for the university: MFA must work on-premises, without involving any cloud service.
Solution
With the Fortified ID ADFS MFA adapter, a second factor is added to authentication at the university's ADFS. After a successful login the adapter signals the REFEDS MFA profile, https://refeds.org/profile/mfa, as the authentication context. Of the second factors the solution offers, the university has chosen a one-time password (OTP) generated by a mobile app, and Microsoft Authenticator as that app. During authentication the user first enters username and password, or an already logged-in Windows session is used. In the next step a new input box appears where the one-time password must be entered. Microsoft Authenticator displays a one-time password that changes every 30 seconds (a time-based OTP). The user enters the displayed code; if it validates, the user is authenticated and gets access to the underlying resource.
The solution is very cost-effective:
Requires minimal administration in the organization
Teachers and students can activate Microsoft Authenticator via self-service. The activation portal is included with the Fortified ID ADFS MFA adapter
Standardized integration
Other
The solution consists of two components, the Fortified ID ADFS adapter and the Fortified ID Integrity API. The Integrity API is responsible for validating the OTP: the ADFS adapter sends the entered OTP to it over HTTPS via a REST API, the Integrity API checks it with the algorithms specified by OATH (Initiative for Open Authentication), HOTP/TOTP, and the result is returned to the adapter. The rules for when a second factor is required are governed by ADFS access control policies; for example, it can be required for certain services or from certain locations.
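The validation step described above (the 30-second app code in the Solution section, checked by the Integrity API with the OATH algorithms), shown as an added example in Python. This is not Fortified ID's code and says nothing about how the Integrity API is implemented; it assumes the app generates RFC 6238 TOTP with HMAC-SHA1, 6 digits and a 30-second step (the defaults Microsoft Authenticator uses for third-party accounts), and it uses the RFC 6238 test-vector seed as a constructed demo secret. The validator adds two things a practitioner wants from an OTP back end: a small clock-skew window, and rejection of a code that has already been accepted, so a shoulder-surfed or phished code cannot be replayed inside its window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per code; matches the 30-second rotation described above
DIGITS = 6
SKEW = 1       # accept one step either side of "now" to tolerate phone clock drift

REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed demo secret: the RFC 6238 SHA-1 test-vector key (ASCII "12345678901234567890"),
# Base32-encoded the way an enrolment portal would present it in a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 seed, tolerating spaces, lower case and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TotpValidator:
    """Server-side validator for one user's enrolled seed.

    Besides checking the code, it remembers the highest time step already
    accepted, so a captured code cannot be replayed within its 30-second window."""

    def __init__(self, secret_b32: str, skew: int = SKEW):
        self.secret = decode_secret(secret_b32)
        self.skew = skew
        self.last_counter = -1   # would be persisted per user in a real service

    def validate(self, otp: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        if not (otp.isdigit() and len(otp) == DIGITS):
            return False
        counter = now // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue         # this step (or an earlier one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.last_counter = c
                return True
        return False


def authn_context(otp_ok: bool) -> Optional[str]:
    """Authentication context the adapter would signal after the second step;
    None means the login is denied rather than stepped down to password only."""
    return REFEDS_MFA if otp_ok else None


if __name__ == "__main__":
    v = TotpValidator(DEMO_SECRET_B32)
    code = totp(v.secret, int(time.time()))   # what the phone app would display right now
    print(code, v.validate(code), authn_context(True))
```

Two caveats follow from the numbers in the block. A 6-digit code with a three-step window gives an online guesser roughly a 3 in 1,000,000 chance per attempt, so the validating service needs rate limiting or lockout per user on top of the check shown here. And `last_counter` only protects against replay if it is stored server-side per user and shared by every validator instance; a stateless check would accept the same code twice within its window.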