Enable MFA for Active Directory Federation Services (ADFS) as a service

This topic describes how to enable an existing app, and the Active Directory Federation Services (ADFS) plugin, for multifactor authentication (MFA) as a service.

Start this procedure

  1. Enable an existing app for MFA as a service.

    1. In the Admin Console, go to Applications > Applications.

    2. Select an ADFS app.
    3. Select the Sign On tab.
    4. In the Settings section, click Edit.
    5. Select MFA as a service.
    6. Click Save.
  2. Enable the ADFS plugin for MFA as a service.

    1. Connect to the machine where the ADFS plugin is installed.
    2. Open this file with a text editor:

      C:\Users\<adfs_service_account_name>\AppData\Local\Okta\Okta MFA Provider\config\okta_adfs_adapter.json

      See Configure MFA for Active Directory Federation Services (ADFS).

    3. Search for the useOIDC property and set its value to false.
    4. Save your changes and close the text editor.
    5. Using a text editor, create the following Microsoft PowerShell script and save it as ApplyConfigurationSettingChanges.ps1. If required, change the values of the BinDir and ConfigDir variables to match your environment.

      ApplyConfigurationSettingChanges.ps1

      # ApplyConfigurationSettingChanges.ps1
      # Load the System.EnterpriseServices .NET assembly
      [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

      # Adjust these paths to match your environment
      $BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
      $ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

      # Make sure the ADFS service is running before changing its policy
      Start-Service adfssrv

      # Remove the Okta MFA Provider from the global authentication policy
      $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
      $providers.Remove("OktaMfaAdfs")
      Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

      # Unregister the provider so that it can be registered again with the updated configuration
      Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

      # Restart the ADFS service
      Restart-Service adfssrv -Force

      # Register the MFA adapter again, passing the updated configuration file
      $OktaMfaAssembly = [Reflection.Assembly]::LoadFile($BinDir + "\OktaMfaAdfs.dll")
      $typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssembly.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
      Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

      # Restart the service
      Restart-Service adfssrv -Force

      # Enable the Okta MFA adapter in the global authentication policy
      $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
      $providers.Add("OktaMfaAdfs")
      Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
    6. Open Microsoft PowerShell as an administrator and execute the script ApplyConfigurationSettingChanges.ps1.
    7. Verify that a user can authenticate.
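The following verification script is an added example, not Okta's script and not part of the original page. It checks the state the procedure above is meant to produce: that useOIDC is false in the adapter configuration file (step 3), that the OktaMfaAdfs provider is registered with ADFS and listed in the global authentication policy (the work done by ApplyConfigurationSettingChanges.ps1), and that the adfssrv service is running before a user is asked to sign in (step 7). Run it once before ApplyConfigurationSettingChanges.ps1 to record the starting state and once after to confirm the change. The function name Test-OktaMfaAdfsSetup, its parameter names and the -Fix switch are assumptions; the default ConfigPath is the ConfigDir path from the script above and must be changed if you edited the file under the service account's AppData\Local directory instead. A run before the change also shows whether the provider is currently registered, which matters because the script's Unregister-AdfsAuthenticationProvider call uses -ErrorAction Stop and halts if it is not.

```powershell
# Test-OktaMfaAdfsSetup.ps1 (added example; not Okta's script)
# Assumption: $ConfigPath matches the okta_adfs_adapter.json you edited and the ConfigDir
# used by ApplyConfigurationSettingChanges.ps1. Run in an elevated PowerShell session on
# the ADFS server where the Okta MFA Provider is installed.
function Test-OktaMfaAdfsSetup {
    [CmdletBinding()]
    param(
        [string]$ConfigPath = "C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json",
        [string]$ProviderName = "OktaMfaAdfs",
        # When set, a useOIDC value other than false is corrected in place (a .bak copy is written first)
        [switch]$Fix
    )

    $result = [ordered]@{
        ConfigFileFound    = $false
        UseOidcIsFalse     = $false
        ProviderRegistered = $false
        ProviderEnabled    = $false
        AdfsServiceRunning = $false
    }

    # 1. Adapter configuration: useOIDC must be the boolean false for MFA as a service (step 3)
    if (Test-Path -Path $ConfigPath) {
        $result.ConfigFileFound = $true
        $config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
        $prop = $config.PSObject.Properties['useOIDC']
        if ($null -ne $prop -and $prop.Value -is [bool] -and $prop.Value -eq $false) {
            $result.UseOidcIsFalse = $true
        } elseif ($Fix) {
            Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
            if ($null -eq $prop) {
                # Property absent: add it rather than assigning to a missing member, which throws
                $config | Add-Member -NotePropertyName 'useOIDC' -NotePropertyValue $false
            } else {
                $config.useOIDC = $false
            }
            # -Depth keeps nested settings intact; the default depth of 2 would flatten them
            $config | ConvertTo-Json -Depth 20 | Set-Content -Path $ConfigPath -Encoding UTF8
            $result.UseOidcIsFalse = $true
            Write-Verbose "useOIDC set to false; previous file saved as $ConfigPath.bak"
        }
    }

    # 2. Registration: the adapter must be a registered ADFS authentication provider
    $provider = Get-AdfsAuthenticationProvider -Name $ProviderName -ErrorAction SilentlyContinue
    $result.ProviderRegistered = ($null -ne $provider)

    # 3. Policy: the provider must be listed as an additional authentication provider
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $result.ProviderEnabled = ($policy.AdditionalAuthenticationProvider -contains $ProviderName)

    # 4. Service: adfssrv must be running before the sign-in test in step 7 means anything
    $svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
    $result.AdfsServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    return [pscustomobject]$result
}

# Usage: run before ApplyConfigurationSettingChanges.ps1 to see the current state, then again after it.
# Every property should be True before a user is asked to authenticate (step 7).
$state = Test-OktaMfaAdfsSetup -Verbose
$state | Format-List
if (-not $state.ProviderRegistered) {
    Write-Warning "Provider is not registered: ApplyConfigurationSettingChanges.ps1 will stop at Unregister-AdfsAuthenticationProvider (-ErrorAction Stop)."
}
```

The -Fix switch is opt-in so that a plain run never modifies the configuration file; when it does write, it keeps a .bak copy, which is what you want on a server where a bad adapter configuration means every federated sign-in fails its second factor.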

Next steps

Troubleshooting