Enable MFA for Active Directory Federation Services (ADFS) as a service

This topic describes how to enable an app and the Active Directory Federation Services (ADFS) plugin for multifactor authentication (MFA) for ADFS as a service.

Start this procedure

  1. Enable an existing app for MFA as a service.

    1. In the Admin Console, go to Applications > Applications.

    2. Select an ADFS app.
    3. Select the Sign On tab.
    4. In the Settings section, click Edit.
    5. Select MFA as a service.
    6. Click Save.

  2. Enable the ADFS plugin for MFA as a service.

    1. Connect to the machine where the ADFS plugin is installed.
    2. Open this file with a text editor:

      C:\Users\<adfs_service_account_name>\AppData\Local\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.

      See MFA for Active Directory Federation Services (ADFS) Configuration.

    3. Search for the useOIDC property and set its value to false.
    4. Save your changes and close the text editor.
    5. Using a text editor, copy and create the following Microsoft Powershell script and save as ApplyConfigurationSettingChanges.ps1. If required, change the values of the BinDir and ConfigDir variables to match your environment. 
      # ApplyConfigurationSettingChanges.ps1
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

$BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
$ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

Start-Service adfssrv

# Remove Okta MFA Provider
$providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$providers.Remove("OktaMfaAdfs") 
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

# Unregister 
Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

# restart the ADFS service
Restart-Service adfssrv -Force

# register MFA adapter again
$OktaMfaAssamply = [Reflection.Assembly]::Loadfile($BinDir + "\OktaMfaAdfs.dll")
$typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssamply.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

# restart the service
Restart-Service adfssrv -Force

# Enable Okta MFA adapter
$providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$providers.Add("OktaMfaAdfs") 
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
    6. Open Microsoft PowerShell as an administrator and execute the script ApplyConfigurationSettingChanges.ps1.
    7. Verify that a user can authenticate.

Next steps

Troubleshooting