Enable MFA as a service for existing installations configured for OIDC

To enable MFA as a service for existing ADFS installations:

  1. Enable an existing application for MFA as a service.

    1. Sign on to your Okta tenant as an administrator.
    2. Navigate to Applications > Applications, then select an existing ADFS app.
    3. Select the Sign On tab and in the Settings section click Edit.
    4. Select MFA as a service.
    5. Click Save.
  2. Enable ADFS plugin for MFA as a service.

    1. Connect to the machine where the ADFS plugin was installed.
    2. Using a text editor open C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.
      Note: By default the okta_adfs_adapter.json file can be found in c:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.
      See Configure MFA for Active Directory Federation Services (ADFS) for more information.
    3. Search for the useOIDC property and set its value to false.
      For example: "useOIDC": false
    4. Save your changes and close the editor.
    5. Using a text editor, create the following Microsoft PowerShell script and save it as ApplyConfigurationSettingChanges.ps1.
      If required, change the values of the BinDir and ConfigDir variables to match your environment.


      # ApplyConfigurationSettingChanges.ps1
      # Load System.EnterpriseServices by partial name (the original line named an
      # explicit assembly version that is not reproduced here).
      Add-Type -AssemblyName System.EnterpriseServices

      # Adjust these two paths if the plugin is installed somewhere else.
      $BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
      $ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

      # Make sure the ADFS service is running before its policy is changed.
      Start-Service adfssrv

      # Remove Okta MFA Provider from the global policy (it cannot be unregistered
      # while it is still enabled as an additional authentication provider).
      $providers = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider | Where-Object { $_ -ne "OktaMfaAdfs" })
      Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

      # Unregister the adapter so it can be registered again with the edited configuration file
      Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

      # restart the ADFS service
      Restart-Service adfssrv -Force

      # register MFA adapter again, pointing at the edited okta_adfs_adapter.json
      $OktaMfaAssembly = [Reflection.Assembly]::LoadFile((Join-Path $BinDir "OktaMfaAdfs.dll"))
      $typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssembly.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
      Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

      # restart the service
      Restart-Service adfssrv -Force

      # Enable Okta MFA adapter again as an additional authentication provider
      $providers = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider | Where-Object { $_ -ne "OktaMfaAdfs" }) + "OktaMfaAdfs"
      Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
    6. Open a Microsoft PowerShell window as an administrator and run ApplyConfigurationSettingChanges.ps1.
    7. Verify that a user can authenticate.
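Before testing a user sign-on, it helps to confirm that each change above actually took effect on the ADFS server. The following PowerShell check is an added example, not Okta's script: it assumes the default ConfigDir path from the steps above, that useOIDC is stored as a JSON boolean in okta_adfs_adapter.json, and that the ADFS PowerShell module is available on the server.

```powershell
# Verify-OktaMfaAsAService.ps1 (added example; not part of the Okta plugin)
# Change ConfigDir if the plugin is installed somewhere else.
$ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"
$configPath = Join-Path $ConfigDir "okta_adfs_adapter.json"

# 1. The adapter configuration must parse as JSON and have useOIDC set to false.
#    A missing property or a leftover "true" both fail this check.
$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json
if ($config.useOIDC -ne $false) {
    throw "useOIDC is '$($config.useOIDC)' in $configPath; expected false for MFA as a service."
}

# 2. The adapter must be registered with ADFS under the name used by the script.
$registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq "OktaMfaAdfs" }
if (-not $registered) {
    throw "OktaMfaAdfs is not registered with ADFS; re-run ApplyConfigurationSettingChanges.ps1."
}

# 3. It must also be enabled as an additional authentication provider in the global policy,
#    otherwise ADFS will never invoke it during sign-on.
$enabled = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($enabled -notcontains "OktaMfaAdfs") {
    throw "OktaMfaAdfs is registered but not enabled in the ADFS global authentication policy."
}

# 4. The ADFS service should be back up after the restarts performed by the script.
$svc = Get-Service adfssrv
if ($svc.Status -ne "Running") {
    throw "adfssrv is $($svc.Status); start it before testing user sign-on."
}

Write-Output "OktaMfaAdfs is registered, enabled in the global policy, and configured with useOIDC=false."
```

Run it from an elevated PowerShell window on the ADFS server after step 6; if any check throws, fix that item before moving on to the user sign-on test in step 7.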

You have successfully configured MFA as a service.

Next steps