Enable MFA as a service for existing installations configured for OIDC

To enable MFA as a service for existing ADFS installations:

  1. Enable an existing application for MFA as a service.

    1. Sign on to your Okta tenant as an administrator.
    2. Navigate to Applications > Applications, then select an existing ADFS app.
    3. Select the Sign On tab and in the Settings section click Edit.
    4. Select MFA as a service.
    5. Click Save.
  2. Enable ADFS plugin for MFA as a service.

    1. Connect to the machine where the ADFS plugin was installed.
    2. Using a text editor, open C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.
      Note: By default, the okta_adfs_adapter.json file is located at C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.
      See Configure MFA for Active Directory Federation Services (ADFS) for more information.
    3. Search for the useOIDC property and set its value to false.
      For example: "useOIDC": false
    4. Save your changes and close the editor.
    5. Using a text editor, create the following Microsoft PowerShell script and save it as ApplyConfigurationSettingChanges.ps1.
      If required, change the values of the BinDir and ConfigDir variables to match your environment.
      ApplyConfigurationSettingChanges.ps1

      # ApplyConfigurationSettingChanges.ps1
      [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

      # Adjust these paths if the Okta MFA Provider is installed elsewhere
      $BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
      $ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

      Start-Service adfssrv

      # Remove the Okta MFA Provider from the global authentication policy
      $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
      $providers.Remove("OktaMfaAdfs")
      Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

      # Unregister the adapter so it can be re-registered with the updated configuration
      Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

      # Restart the ADFS service
      Restart-Service adfssrv -Force

      # Register the MFA adapter again, pointing it at the edited okta_adfs_adapter.json
      $OktaMfaAssembly = [Reflection.Assembly]::LoadFile($BinDir + "\OktaMfaAdfs.dll")
      $typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssembly.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
      Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

      # Restart the service so the new registration is loaded
      Restart-Service adfssrv -Force

      # Enable the Okta MFA adapter in the global authentication policy
      $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
      $providers.Add("OktaMfaAdfs")
      Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
    6. Open a Microsoft PowerShell session as an administrator and run ApplyConfigurationSettingChanges.ps1.
    7. Verify that a user can authenticate.
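The following PowerShell is an added example, not part of Okta's documentation or the product's own scripts. It applies the useOIDC change from step 3 by parsing the JSON rather than hand-editing it (with a backup and a read-back check), and then confirms that the OktaMfaAdfs adapter is both registered with AD FS and enabled in the global policy after ApplyConfigurationSettingChanges.ps1 has run. The config path assumes the default install location shown above.

```powershell
# Added example: set useOIDC to false safely, then verify the adapter state.
$ConfigPath = "C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json"

# Keep a timestamped backup so the change can be rolled back.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup -ErrorAction Stop

# Parse rather than string-replace so a malformed file fails loudly
# instead of silently producing a config the adapter cannot load.
$config = Get-Content -Path $ConfigPath -Raw -ErrorAction Stop | ConvertFrom-Json
if ($null -eq $config.PSObject.Properties['useOIDC']) {
    throw "useOIDC property not found in $ConfigPath"
}
$config.useOIDC = $false

# Write back as UTF-8 without a BOM; -Depth keeps nested settings intact.
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
$json = $config | ConvertTo-Json -Depth 10
[System.IO.File]::WriteAllText($ConfigPath, $json, $utf8NoBom)

# Re-read the file and assert the value actually took effect.
$check = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if ($check.useOIDC -ne $false) {
    throw "useOIDC is still '$($check.useOIDC)' after the edit"
}

# After ApplyConfigurationSettingChanges.ps1 has run, confirm the adapter is
# registered with AD FS and enabled as an additional authentication provider.
$registered = Get-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -ErrorAction Stop
$enabled = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($enabled -notcontains "OktaMfaAdfs") {
    throw "OktaMfaAdfs is registered but not enabled in the global authentication policy"
}
Write-Output "useOIDC=false; provider '$($registered.Name)' registered and enabled (backup: $backup)"
```

Run the first part before step 5 and the verification part after step 6; if either throw fires, restore the backup before retrying.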

You have successfully configured MFA as a service.

Next steps

Troubleshooting