Connect with Duo users and security professionals in our Community.
Can't find what you're looking for? Contact Sales or Contact Support.
Connect with Duo users and security professionals in our Community.
Can't find what you're looking for? Contact Sales or Contact Support.
Duo integrates with Microsoft AD FS 3 and 4 to add two-factor authentication to services using browser-based federated logins, complete with inline self-service enrollment and Duo Prompt.
The Duo AD FS module supports relying parties that use Microsoft's WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google Apps and salesforce.com.
The AD FS application is part of Duo Beyond, Duo Access, and Duo MFA plans.
The Duo AD FS MFA adapter supports AD FS 3 on Windows Server 2012 R2 and AD FS 4 on Windows Serve 2016 To protect AD FS on Windows Server 2012 or 2008 R2 use the AD FS 2.x integration.
Before installing the Duo AD FS integration, verify that federated logins to your relying parties are working.
This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
This integration adds a pluggable multi-factor (MFA) authentication provider that provides a Duo two-factor authentication prompt to web-based logins through an AD FS Identity Provider and/or Web Application Proxy. After completing primary authentication to the AD FS server (by any standard means such as Windows Integrated or Forms-Based), your users will be required to complete a Duo authentication challenge before getting redirected back to the relying party.
Install the Duo integration on the internal AD FS identity provider server only. In an AD FS farm deployment install Duo on all identity provider AD FS servers in the farm.
When configuring the multi-factor authentication policies after the Duo installation on the internal AD FS server you select whether to require MFA on Internal or External access locations (or both). If you are planning to require two-factor authentication for External access locations, a Web Application Proxy server is required. You do not need to install the Duo AD FS integration on the Web Application Proxy server.
The Duo MFA adapter has been tested with basic ADFS web theme customizations, but more extensive advanced customization of the login pages may cause issues. We recommend verifying Duo MFA functionality at AD FS login with a basic theme first, then reapplying the custom theme.
Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.
Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).
Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option).
Enter your integration key, secret key, and API hostname from the Duo Security AD FS application page when prompted.
If the Bypass Duo authentication when offline option is unchecked, then users will not be able to log in to protected federated resources when Duo Security cloud services are unreachable.
If you only have one AD FS server running, select the option to automatically generate a new key. However, if you are running multiple AD FS servers in a farm, then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
$bytes = new-object "System.Byte[]" 30
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)
Launch the AD FS Management console on your primary AD FS internal server. Navigate to AD FS → Authentication Policies and click the Edit Global Multi-factor Authentication... action, or click on the Edit link under Multi-factor Authentication → Global Settings.
On the "Multi-factor (MFA)"" tab of the "Edit Global Authentication Policy" you can choose to assign a domain group for MFA using the Add... button (Domain Users in the example).
Alternatively, after determining what types of connections will be required to use MFA check the boxes for Extranet and/or Intranet. For example, if you want to always require two-factor authentication for all of your users, select both the Extranet and Intranet location when configuring the multi-factor authentication policy. If you only want to enforce two-factor authentication for external users, and you have configured your network such that external users communicate with an AD FS Web Application Proxy while internal users communicate with the Identity Provider, only enable the Extranet location in the multi-factor authentication policy and leave the Intranet location unchecked.
Check the box next to the Duo Authentication for AD FS 1.1.0.x authentication method (where 1.1.0.x reflects the Duo version) to enable Duo protection.
In an advanced multi-factor scenario, you can choose Intranet and/or Extranet location requirements on a per user or per relying party basis. Refer to the Microsoft article Overview: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications for more information.
If you need to enforce more complex MFA rules for an Office 365 relying party, please take a look at our Guide to advanced client configuration for Duo with AD FS 3 and later with Office 365 Modern Authentication
Launch the AD FS Management console on your primary AD FS internal server and navigate to AD FS → Service → Authentication Methods.
Click the Edit link under Multi-factor Authentication Methods or click Edit Multi-factor Authentication Methods... action on the far right.
Check the box next to the Duo Authentication for AD FS 1.1.0.x authentication method (where 1.1.0.x reflects the Duo version) to enable Duo protection. Click OK.
Go to AD FS → Access Control Policies and either edit one of the existing MFA policies to apply it to users or groups, or create a new MFA policy if no pre-defined one is sufficient for your organization's MFA requirements.
Go to AD FS → Relying Party Trusts , right-click the relying party trust where you want to add Duo, then select Edit Access Control Policy.
Pick a policy for the relying party that includes MFA and then click OK. The MFA policy immediately applies to the selected relying party.
In this example, all users have access to this relying party, but members of the "Duo Users" domain group also require multi-factor authentication before accessing the application.
In an advanced multi-factor scenario, you can choose Intranet and/or Extranet location requirements, along with other conditions for access. Refer to the Microsoft article Access Control Policies in Windows Server 2016 AD FS for more information.
If you need to enforce more complex MFA rules for an Office 365 relying party, please take a look at our Guide to advanced client configuration for Duo with AD FS 3 and later with Office 365 Modern Authentication
To test your setup, use a web browser to log into a relying party for your AD FS 3 or 4 deployment. As an example, you might log into https://portal.microsoftonline.com to access Office 365. Duo's enrollment or login prompt appears after you complete primary authentication to your AD FS server:
Visit our guides to protecting popular cloud applications like Google Apps and Office 365 with Duo's powerful two-factor authentication for AD FS.
To upgrade Duo on an AD FS 3 or 4 server, you first disable the Duo Authentication for AD FS authentication method in the AD FS Management console.
Launch the AD FS Management console on your AD FS internal server.
Navigate to AD FS → Authentication Policies and click the Edit Global Multi-factor Authentication... action (AD FS 3) or AD FS → Service → Authentication Methods and click the Edit Multi-factor Authentication Methods... action (AD FS 4).
Uncheck the box next to the Duo Authentication for AD FS 1.1.0.x authentication method to disable Duo protection. Note that in older releases of Duo for AD FS the authentication method is called Duo Security for AD FS 3.0.
Download the most recent Duo AD FS Installer Package for AD FS 3 and 4 and run the MSI from an elevated command prompt.
Follow the on-screen prompts to complete the upgrade installation.
When the installer is finished, repeat the steps you originally followed to enable the Duo method in AD FS. Users may log on to federated services without two-factor protection until you've re-enabled the Duo authentication method.
Need some help? Take a look at the AD FS Frequently Asked Questions (FAQ) page or try searching our AD FS Knowledge Base articles or Community discussions. For further assistance, contact Support.
