MFA for Active Directory Federation Services (ADFS)

This guide outlines how to install the Okta Multifactor Authentication (MFA) provider for Active Directory Federation Services (ADFS) v3.0 and v4.0. With this feature, you can use ADFS as the Identity Provider (IdP) for your applications and use Okta for MFA to provide a strong method of authentication for them. Review the prerequisites and assumptions before starting the installation.


Before you begin

Requirements for installing the Okta Credential Provider for Windows:

  • Proxy Configuration: The Okta Credential Provider for Windows does not support a discrete proxy configuration but will obey system level proxy configurations. To understand management of proxies on Windows machines, refer to
  • The Windows machine used for installation must have an active internet connection with port 443 open.
  • The installing account must have administrative rights to install the Okta Windows Credential Provider Agent, Visual C++ Redistributable and .NET 4.0+.

TLS 1.2 is required. For information on enabling TLS 1.2 in .NET and in Microsoft Internet Explorer browsers, see Okta ends browser support for TLS 1.1.

Supported OS

The Okta Credential Provider for Windows agent can be installed on the following:

  • Windows Server 2019 - v1.3.0 and later.
  • Windows Server 2016
  • Windows Server 2012
  • Windows Server 2012 R2

Supported authenticators

The following authentication methods are supported:

  • Google Authenticator
  • On-Prem MFA (RSA)
  • Security Question
  • Okta Verify
  • Phone (SMS and Voice call)

Typical workflow



Download the agent

Download the Okta MFA provider for ADFS agent from the Settings > Downloads page in your Okta org. The agent is found in the MFA Plugins and Agents section. Ensure the agent is downloaded to the machine where the agent will be installed.

For the agent version history, see Okta ADFS Plugin Version History.

Install and configure Microsoft ADFS in Okta

Enable and configure:

  • Required MFA factors and a target group
  • The ADFS application
  • Cross-Origin Resource Sharing

Install the Okta ADFS Plugin on your ADFS Server

Install and configure the ADFS Plugin on the ADFS server.

See MFA for Active Directory Federation Services (ADFS) Configuration for more information on ADFS configuration settings.

Enable the Okta MFA Provider in ADFS

Enable Okta as an MFA provider for ADFS.

Add Access Control Policy to a Relying Party Application

Add the Access Control Policy to a Relying Party Application.

Assign the Microsoft ADFS (MFA) Application in Okta

Assign the Okta application to users or groups.

Verify the Okta MFA prompt when logging into ADFS

Verify that the application behaves as expected.

Troubleshooting

Troubleshoot the Okta MFA provider for ADFS agent installation.

Post installation and configuration tasks



Enable OpenID Connect with existing ADFS installations

Enable OpenID Connect with existing ADFS installations.

Enable MFA as a service for existing installations configured for OIDC

Enable MFA as a service with existing ADFS installations.