Duo's AD FS application is part of the Duo Beyond, Duo Access, and Duo MFA plans.
The Duo AD FS 2.1 module supports relying parties that use Microsoft's WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google G Suite and salesforce.com. The login assertion must contain a SAML 2.0 NameId or a WS-Federation (AD FS 1.1 compatible) UserPrincipalName, WindowsAccountName, or EmailAddress. Relying parties that require encrypted assertions are not supported.
The Duo AD FS 2.1 IIS module supports AD FS 2.1 on Windows Server 2012 only. To protect AD FS on Windows Server 2012 R2 or later use the AD FS 3+ MFA adapter.
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
Also verify that federated logins to your relying parties are working prior to installing Duo.
Click Protect an Application and locate the entry for Microsoft ADFS in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Make sure you have installed ASP.NET 3.5 support for IIS. You can do this from the Server Manager console, or by running the following PowerShell commands:
Import-Module ServerManager
Add-WindowsFeature Web-Asp-Net
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
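As an added pre-installation check that is not part of Duo's documentation, the following PowerShell confirms that the AD FS server can open an outbound TCP 443 connection to the Duo API hostname and complete a TLS 1.2 handshake with certificate validation. It assumes .NET 4.5 on the server (for the Tls12 protocol value) and uses a placeholder where your own API hostname from the Duo application page belongs; nothing else on this page is referenced.

```powershell
# Added example, not from Duo's documentation.
# Replace the placeholder with the API hostname shown on your Duo application page.
$apiHost = "api-XXXXXXXX.duosecurity.com"   # placeholder (assumption)
$port    = 443
$ssl     = $null

$client = New-Object System.Net.Sockets.TcpClient
try {
    # Connect with a 5-second timeout so a blocked egress rule fails fast
    # instead of hanging the check.
    $async = $client.BeginConnect($apiHost, $port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
        throw "Timed out connecting to ${apiHost}:${port} - check outbound firewall rules for TCP 443"
    }
    $client.EndConnect($async)

    # Negotiate TLS 1.2 and validate the server certificate chain and hostname,
    # which is what the module will do when it calls Duo's service.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($apiHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $true)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Output ("Reached {0}:{1} over {2}; server certificate subject '{3}' valid until {4}" -f `
        $apiHost, $port, $ssl.SslProtocol, $cert.Subject, $cert.NotAfter)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

Run this from an elevated PowerShell prompt on every AD FS server and proxy where you intend to install the module. A timeout points at the outbound firewall; a certificate or protocol error points at TLS settings on the server rather than at Duo's service.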
This integration adds a two-factor authentication prompt to web-based logins through an AD FS 2.1 Identity Provider and/or Proxy. After completing primary authentication to the AD FS server (by any standard means such as Windows Integrated, Forms-Based, and HTTP Basic), your users will be required to complete a Duo authentication challenge before getting redirected back to the relying party.
You should install the Duo integration on any AD FS 2.1 server on which you want to enforce two-factor authentication. For example, if you want to always require two-factor authentication for all of your users, you should install the Duo integration on all of your AD FS Identity Providers and Proxies.
However, if you only want to enforce two-factor authentication for external users, and you have configured your network such that external users communicate with an AD FS proxy while internal users communicate with the Identity Provider, you might install the Duo integration only on your proxy.
In an AD FS farm deployment the Duo integration should be installed on all AD FS servers in the farm.
Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.
Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).
Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter your integration key, secret key, and API hostname from the Duo Security ADFS application page when prompted.
If the Bypass Duo authentication when offline option is unchecked, then users will not be able to log in to protected federated resources when Duo Security cloud services are unreachable.
If you only have one AD FS server running, select the option to automatically generate a new key. However, if you are running multiple AD FS servers in a farm (e.g. behind a load-balancer), then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
$bytes = New-Object "System.Byte[]" 30   # 30 random bytes encode to a 40-character Base64 string
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)
To test your setup, use a web browser to log into a relying party for your AD FS deployment. As an example, you might log into https://portal.microsoftonline.com to access Office 365. Duo's enrollment or login prompt appears after you complete primary authentication to your AD FS server.
If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID), Duo recommends enabling hostname whitelisting for this application and any others that show the inline Duo Prompt before onboarding your end-users.
Visit our guides to protecting popular cloud applications like Google G Suite and Office 365 with Duo's powerful two-factor authentication for AD FS.