Secure ADFS Access

This guide describes the installation of Pointsharp Multi-Factor Authentication for Active Directory Federation Services (ADFS).

ADFS supports adding additional authentication methods. In ADFS 2019, Active Directory authentication is no longer required as the first step of the authentication process, so Pointsharp can be used as either the primary or the secondary authentication step. The second factor can be generated by software or hardware tokens, or sent by SMS or email. It is easy for users to handle and increases security significantly.

Important requirement: a fully functioning ADFS federation with a published resource. Verify that login to the resource works with standard credentials before proceeding with the installation of Pointsharp ADFS 2019.

This guide describes only how to install multi-factor support on the ADFS server. Using ADFS resources through Access Gateway with an SSO configuration is not covered.

Installation

Install Pointsharp ADFS 2019 by running the exe file. Unless the installation location needs to be changed, no further input is needed.

Configure XML

After installation, open the xml file in an elevated Notepad. Default path to PointsharpADFS2019.xml: C:\Program Files\PointSharp\AD FS

Explanation of the basic values in the xml file:

<Debug>

Set to true when troubleshooting issues.

<WebServiceUrl>

Address of the Pointsharp ID Server web service.

<WebServiceVersion>

Default value is -1 (use latest).

<WSUsername>

Username for Pointsharp Web Service – not mandatory.

<WSPassword>

Password for Pointsharp Web Service – not mandatory.

<WSDomain>

Domain for Pointsharp Web Service – not mandatory.

The next step is to add an authentication method in the xml file (if no authentication method is configured in the Pointsharp ID Admin GUI, see Authentication methods before proceeding).

Locate the <AuthenticationProviders> element. The authentication methods are added under this section. Multiple authentication methods are supported.

<Name>

Set the name that will also be used when registering the adapter (see Registering the MFA adapter). This name is also displayed to the user during the login process.

<AuthenticationMethod>

The name of the authentication method in the PSID Admin GUI that will be used. Each provider is configured like the example below:

<Provider>
  <Name>PointsharpMFA</Name>
  <AuthenticationMethod>ADFStest</AuthenticationMethod>
</Provider>

Repeat this whole step, with the values <Provider>, <Name> and <AuthenticationMethod>, for each authentication method that is added. Close each method with </Provider>.

When the XML file is complete, run the script described in the next section. Whenever the xml file is changed after registration, for example to change an authentication method or to enable debug logs, the ADFS service must be restarted.
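The following PowerShell script is an added example, not part of this guide or the Pointsharp product: it checks PointsharpADFS2019.xml for the problems that most often surface later (a non-HTTPS server address, debug logging left on, an empty or duplicate provider name) and prints the comma-separated "Provider Name" value that the registration script asks for. The element names are those described above; the root element name of the real file is not documented here, so the sample below uses an assumed one and the XPath does not depend on it.

```powershell
# Added example, not Pointsharp code: sanity-check PointsharpADFS2019.xml before
# running RegisterAdfs2019. Element names come from this guide; the real file's
# root element is not documented, so the XPath below does not depend on it.
function Test-PointsharpAdfsConfig {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = @()
    # Credentials and OTPs travel to the Pointsharp ID Server, so require HTTPS.
    $url = $Config.SelectSingleNode('//WebServiceUrl').InnerText
    if (-not $url)                      { $findings += 'WebServiceUrl is empty' }
    elseif ($url -notmatch '^https://') { $findings += "WebServiceUrl is not HTTPS: $url" }
    # Debug logs may contain user names and request details; keep Debug off in production.
    if ($Config.SelectSingleNode('//Debug').InnerText -eq 'true') {
        $findings += 'Debug is true; set it to false when troubleshooting is finished'
    }
    # Every <Provider> needs a <Name> and an <AuthenticationMethod>; names must be
    # unique because they are entered as the "Provider Name" during registration.
    $providers = $Config.SelectNodes('//AuthenticationProviders/Provider')
    if ($providers.Count -eq 0) { $findings += 'No <Provider> under <AuthenticationProviders>' }
    $names = foreach ($p in $providers) {
        $name   = $p.SelectSingleNode('Name').InnerText
        $method = $p.SelectSingleNode('AuthenticationMethod').InnerText
        if (-not $name)   { $findings += 'A <Provider> has an empty <Name>' }
        if (-not $method) { $findings += "Provider '$name' has no <AuthenticationMethod>" }
        $name
    }
    foreach ($d in ($names | Group-Object | Where-Object Count -gt 1)) {
        $findings += "Duplicate provider name: $($d.Name)"
    }
    [pscustomobject]@{
        Findings     = $findings
        RegisterName = ($names -join ', ')   # value to enter when RegisterAdfs2019 asks for "Provider Name"
    }
}
# Constructed sample (root element name assumed). For the real file use:
# Test-PointsharpAdfsConfig ([xml](Get-Content -Raw 'C:\Program Files\PointSharp\AD FS\PointsharpADFS2019.xml'))
$sample = [xml]@'
<PointsharpADFS2019>
  <Debug>true</Debug>
  <WebServiceUrl>http://psid.example.local/</WebServiceUrl>
  <AuthenticationProviders>
    <Provider><Name>PointsharpMFA</Name><AuthenticationMethod>ADFStest</AuthenticationMethod></Provider>
    <Provider><Name>PointsharpMFA2</Name><AuthenticationMethod></AuthenticationMethod></Provider>
  </AuthenticationProviders>
</PointsharpADFS2019>
'@
$result = Test-PointsharpAdfsConfig $sample
$result.Findings | ForEach-Object { Write-Warning $_ }
"Provider Name for registration: $($result.RegisterName)"
```

Run against the constructed sample, the script warns about the HTTP URL, the enabled debug flag and the empty AuthenticationMethod of PointsharpMFA2, and prints "PointsharpMFA, PointsharpMFA2" as the registration value.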

Registering the MFA Adapter / ADFS Farms

After installing and configuring the xml file, you need to register the adapter with ADFS. The installer only adds the binaries, because in an ADFS Farm scenario the MFA adapter must be installed on multiple ADFS servers. Install the binaries on each server and then run the registration on one server only; otherwise you will get an error stating that the MFA Adapter already exists.

There are two different scripts for registration: “RegisterAdfs2019” and “RegisterAdfs2019SingleSignon”.

This document describes only the non-SSO option.

Execute the script named “RegisterAdfs2019” in the installation folder from a PowerShell window elevated as Administrator. It will ask for a “Provider Name”; enter the name used in the XML file.

If multiple “Provider Names” are needed to differentiate multiple methods, enter them all as a comma-separated list, for example “PointsharpMFA, PointsharpMFA2”, when the script asks for the name.

The ADFS Service will restart during the registration.

Unregistering the MFA Adapter / Uninstall

To remove the MFA Adapter, run the “UnRegisterAdfs2019” script in an elevated PowerShell. You will be asked to enter the name for the Authentication Provider during the process. The AD FS Service will be restarted after this step – wait for it to complete. Then uninstall the adapter binaries using “Add/Remove Programs”.

ADFS Configuration

Next, enable multi-factor authentication. Open the ADFS Management GUI and select “Services” and then “Authentication Methods”. Enable Pointsharp as “Primary” or “Additional” authentication method depending on your environment.
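The PowerShell equivalent of the “Additional” option above, as an added example that is not part of this guide or the Pointsharp product. It uses the standard ADFS cmdlets; the provider name is the one entered during registration (“PointsharpMFA” here is assumed), and it merges with the providers already enabled because the cmdlet parameter replaces the whole list.

```powershell
# Added example, not Pointsharp code: enable the registered adapter as an
# "Additional" authentication method with the checks a practitioner wants.
function Enable-PointsharpAdditionalAuth {
    param([Parameter(Mandatory)][string]$ProviderName)
    # 1. The adapter must already be registered (RegisterAdfs2019); otherwise there is nothing to enable.
    $registered = Get-AdfsAuthenticationProvider | Where-Object Name -eq $ProviderName
    if (-not $registered) {
        throw "Authentication provider '$ProviderName' is not registered; run RegisterAdfs2019 first."
    }
    # 2. -AdditionalAuthenticationProvider REPLACES the whole list, so merge with
    #    what is already enabled (e.g. certificate authentication) instead of overwriting it.
    $current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
    if ($current -contains $ProviderName) {
        return "Provider '$ProviderName' is already enabled as additional authentication."
    }
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $ProviderName)
    # 3. Read the policy back rather than trusting that the call took effect.
    $after = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    if ($after -notcontains $ProviderName) {
        throw "Policy change did not take effect; check the AD FS event log."
    }
    "Additional authentication providers now: $($after -join ', ')"
}
# For the "Primary" option the corresponding parameters are
# -PrimaryIntranetAuthenticationProvider and -PrimaryExtranetAuthenticationProvider.
Enable-PointsharpAdditionalAuth -ProviderName 'PointsharpMFA'
```

Enabling a provider here only makes it available; the second factor is actually demanded by the relying party's access control policy (for example “Permit everyone and require MFA”), so verify that as well before testing a login.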

Authentication methods PSID Admin GUI

This section explains how to add supported authentication methods in Pointsharp ID Admin GUI for use with the Pointsharp ADFS 2019.

The configuration differs depending on whether Pointsharp ADFS 2019 is set as Primary or Additional Authentication.

Primary authentication

As Primary Authentication in ADFS 2019, Pointsharp takes over the whole authentication step, which enables more features and possibilities such as Login App in combination with SmartAuth.

OATH can be used as Stateful.

Additional authentication

As Additional Authentication in ADFS 2019, the first step in the process is authentication via Active Directory. Pointsharp then adds the second factor, such as Login App, OTP via software/hardware tokens, or SMS.

  • Login App and SMS need to be configured with SkipPasswordValidation.

  • The OATH method needs to use Stateless.

See the examples and further details for each method in the next section.

Authentication method Login App

Login App and Additional Authentication Option:

  1. Start Pointsharp ID Admin GUI.

  2. Go to the Authentication tab and create a Login App method and give it a friendly name.

  3. Enable User Attribute under Advanced Options.

  4. Set Authentication Method to None – Pointsharp Login will then skip password validation and validate only via the Pointsharp Login App.

  5. Apply and restart Pointsharp ID Service.

  6. Add the authentication method in the ADFS xml file.

Authentication method OATH

OATH (for Mobile Tokens and Google/MS Authenticator) and Additional Authentication Method:

  1. Start Pointsharp ID Admin GUI.

  2. Go to the Authentication tab and create an OATH method and give it a friendly name.

  3. Set Password Type to Stateless:OTP.

  4. Enable User Attribute under Advanced Options.

  5. Apply and restart Pointsharp ID Service.

  6. Add the authentication method in the ADFS xml file.

OATH (for Mobile Tokens and Google/MS Authenticator) and Primary Authentication Method:

  1. Start Pointsharp ID Admin GUI.

  2. Go to the authentication tab and create an “OATH” method and give it a friendly name.

  3. Set Password Type to Stateful.

  4. Enable User Attribute under “Advanced Options”.

  5. Apply and restart Pointsharp ID Service.

  6. Add the authentication method in the ADFS xml file.

Authentication method SMS

SMS and Additional Authentication Method:

  1. Start Pointsharp ID Admin GUI.

  2. Go to the Authentication tab and create an SMS method and give it a friendly name.

  3. Enable User Attribute under Advanced Options.

  4. Apply and restart Pointsharp ID Service.

  5. Next, open the PSID3.xml file, located by default here: C:\Program\PointSharp\PointSharp ID\bin

  6. Locate the friendly name of the SMS authentication method and set the value skipPasswordValidation to true.

  7. Set the value skipPasswordValidationAttribute to empty.

  8. Add the authentication method in the ADFS xml file.

SMS and Primary Authentication Method:

  1. Start Pointsharp ID Admin GUI.

  2. Go to the Authentication tab and create an SMS method and give it a friendly name.

  3. Enable User Attribute under Advanced Options.

  4. Apply and restart Pointsharp ID Service.

  5. Add the authentication method in the ADFS xml file.

Authentication method SmartAuth

In version 6.0.1 or older, Pointsharp must be set as Primary Authentication in ADFS for SmartAuth to work. In version 7.0, SmartAuth is supported both as Primary and as secondary authentication.

It must be enabled in the PSID3.xml file. Take a backup of the file before proceeding. Open the xml file in Notepad and search for the name of the SmartAuth authentication method to be used. Locate the value skippasswordvalidation, set it to true and save the changes.

The PSID3.xml file is located by default here: C:\Program Files\Pointsharp\Pointsharp ID\bin

Troubleshooting

In case of issues, create a ticket on the Pointsharp Support Page and attach logs.

Enable debug log

Enable debug logging for the MFA Adapter in the xml file. Restart the service after the change. Log files are written by default to: C:\Program Files\Pointsharp\AD FS\logs

  1. Open Pointsharp ID Admin GUI.

  2. Go to Tools and System Settings.

  3. Enable debug logs.

  4. Recreate the issue and collect logs.

    • For the MFA Adapter: take the latest log file from the log folder.

    • For Pointsharp ID Admin GUI: create a Diagnostic File, located under Tools.

  5. Note any errors in the Windows Server Event Logs for ADFS.

  6. Attach them to the support ticket.
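An added example, not part of this guide or the Pointsharp product, that gathers the server-side items from the steps above (the latest MFA adapter log and recent ADFS event log errors) into one folder for the ticket. The log path is the default given above; the event log name “AD FS/Admin” and the output folder are assumptions. The Diagnostic File from the Admin GUI still has to be created manually.

```powershell
# Added example, not Pointsharp code: collect the latest adapter log, recent
# ADFS event log errors and the adapter's registration state into one folder.
function Export-PointsharpAdfsDiagnostics {
    param(
        [string]$LogDir = 'C:\Program Files\Pointsharp\AD FS\logs',           # default from this guide
        [string]$OutDir = "$env:TEMP\pointsharp-adfs-$(Get-Date -Format yyyyMMdd-HHmmss)",  # assumed
        [int]$Hours = 2                                                        # reproduction window
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Latest MFA adapter log (only written when <Debug> is true and the service was restarted)
    $latest = Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($latest) { Copy-Item $latest.FullName -Destination $OutDir }
    else         { Write-Warning "No adapter log in $LogDir; is <Debug> true and was the ADFS service restarted?" }

    # ADFS errors and warnings from the reproduction window ("AD FS/Admin" is the standard log name, assumed here)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Export-Csv -Path (Join-Path $OutDir 'adfs-admin-events.csv') -NoTypeInformation

    # Which authentication providers ADFS knows about; shows whether registration succeeded
    Get-AdfsAuthenticationProvider | Select-Object Name |
        Out-File (Join-Path $OutDir 'auth-providers.txt')

    Get-ChildItem $OutDir
}
Export-PointsharpAdfsDiagnostics
```

Review the exported files before attaching them: the adapter debug log may contain user names and request details that should not leave the organisation unnecessarily.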

Pointsharp Support Page: https://support.pointsharp.net