Duo integrates with Microsoft AD FS 2.1 to add two-factor authentication to services using browser-based federated logins, complete with inline self-service enrollment and Duo Prompt.
Duo's AD FS application is part of the Duo Premier, Duo Advantage, and Duo Essentials plans.
The Duo AD FS 2.1 module supports relying parties that use Microsoft's WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google G Suite and salesforce.com. The login assertion must contain a SAML 2.0 NameId or a WS-Federation (AD FS 1.1 compatible) UserPrincipalName, WindowsAccountName, or EmailAddress. Relying parties that require encrypted assertions are not supported.
The Duo AD FS 2.1 IIS module supports AD FS 2.1 on Windows Server 2012 only. To protect AD FS on Windows Server 2012 R2 or later use the AD FS 3+ MFA adapter.
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
Also verify that federated logins to your relying parties are working prior to installing Duo.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the 2FA-only entry for Microsoft ADFS in the applications list. Click Protect to the far-right to configure the application and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".
Download the Duo AD FS Installer Package for AD FS 2.1. View checksums for Duo downloads here.
Make sure you have installed ASP.NET 3.5 support for IIS. You can do this from the Server Manager console, or by running the following PowerShell commands:
Import-Module ServerManager
Add-WindowsFeature Web-Asp-Net
This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo will no longer accept TLS 1.0 or 1.1 connections or support insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
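A pre-install check for the two connectivity requirements above (outbound TCP 443 and a TLS 1.2 handshake), as an added example that is not part of Duo's documentation. The function name and the hostname are placeholders; substitute the API hostname from your application's page in the Admin Panel. It assumes PowerShell is running on .NET Framework 4.5 or later, which the Tls12 enum value requires.

```powershell
# Added example: confirm this AD FS server can reach Duo on TCP 443 using TLS 1.2.
# Test-DuoTls12 is a hypothetical helper name, not a Duo or Microsoft cmdlet.
function Test-DuoTls12 {
    param(
        [Parameter(Mandatory = $true)][string]$ApiHost,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    $result = New-Object PSObject -Property @{
        Host = $ApiHost; TcpReachable = $false; Tls12 = $false
        Protocol = $null; Cipher = $null; Error = $null
    }
    $tls12  = [System.Security.Authentication.SslProtocols]::Tls12
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        # Step 1: outbound TCP connect with a timeout, so a silent firewall drop fails fast.
        $async = $client.BeginConnect($ApiHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${ApiHost}:$Port timed out (check outbound firewall rules)"
        }
        $client.EndConnect($async)
        $result.TcpReachable = $true

        # Step 2: handshake offering TLS 1.2 only. Default certificate validation stays on,
        # so a TLS-intercepting proxy with an untrusted CA is reported as an error here.
        # Revocation checking is off ($false) to keep the test limited to reachability and protocol.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ApiHost, $null, $tls12, $false)
        $result.Tls12    = $true
        $result.Protocol = $ssl.SslProtocol
        $result.Cipher   = $ssl.CipherAlgorithm
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    $result
}

# Placeholder hostname: replace with your own API hostname before running.
Test-DuoTls12 -ApiHost 'api-XXXXXXXX.duosecurity.com'
```

This exercises the server's network path and operating system TLS stack from PowerShell; it does not prove that the Duo IIS module's own .NET runtime negotiates TLS 1.2, so still follow the Knowledge Base guidance referenced above.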
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
Duo's AD FS 2.x application will not offer support for the Universal Prompt experience. Duo has no plans to release an application update with Universal Prompt support for AD FS 2.x servers. Microsoft will end extended support for Windows Server 2012 in October, 2023. You're encouraged to migrate to AD FS 3 or later (offered in Windows 2012 R2 and later) with pluggable multifactor provider support.
Duo's MFA plugin for AD FS 3 and later supports the Duo Universal Prompt as of version 2.0.0. The Universal Prompt status for a newly-created application may be misleading to AD FS v2.x admins, because the same Duo AD FS application on the Duo Admin Panel can be used with both AD FS 2.x and AD FS 3+. Once your users authenticate using the Duo IIS-based AD FS application for AD FS v2.x, the Universal Prompt status shown in the Admin Panel will correctly reflect that the AD FS application is incompatible with Universal Prompt.
Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
This integration adds a two-factor authentication prompt to web-based logins through an AD FS 2.1 Identity Provider and/or Proxy. After completing primary authentication to the AD FS server (by any standard means such as Windows Integrated, Forms-Based, and HTTP Basic), your users will be required to complete a Duo authentication challenge before getting redirected back to the relying party.
You should install the Duo integration on any AD FS 2.1 server on which you want to enforce two-factor authentication. For example, if you want to always require two-factor authentication for all of your users, you should install the Duo integration on all of your AD FS Identity Providers and Proxies.
However, if you only want to enforce two-factor authentication for external users, and you have configured your network such that external users communicate with an AD FS proxy, while internal users communicate with the Identity Provider, you might install the Duo integration only on your proxy.
In an AD FS farm deployment the Duo integration should be installed on all AD FS servers in the farm.
Set your application's New User Policy to "Allow Access" while testing. Enrolled users must complete two-factor authentication, while all other users are transparently let through.
Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter your integration key (may show as the Client ID in the Admin Panel), secret key (may show as the Client secret in the Admin Panel), and API hostname from the Duo Security ADFS application page when prompted.
If the Bypass Duo authentication when offline option is unchecked, then users will not be able to log in to protected federated resources when Duo Security cloud services are unreachable.
If you only have one AD FS server running, select the option to automatically generate a new key. However, if you are running multiple AD FS servers in a farm (e.g. behind a load-balancer), then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
$bytes = new-object "System.Byte[]" 30
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)
Complete the Duo installation. The Duo installer stops and then restarts IIS services on your AD FS servers automatically.
To test your setup, use a web browser to log into a relying party for your AD FS deployment. As an example, you might log into https://portal.microsoftonline.com to access Office 365. Duo's enrollment or login prompt appears after you complete primary authentication to your AD FS server.
If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID) in the traditional Duo Prompt, Duo recommends configuring allowed hostnames for this application and any others that show the inline Duo Prompt before onboarding your end-users.
The Duo Universal Prompt has built-in protection from unauthorized domains so this setting does not apply.
Visit our guides to protecting popular cloud applications like Google G Suite and Office 365 with Duo's powerful two-factor authentication for AD FS.
Need some help? Take a look at the AD FS Frequently Asked Questions (FAQ) page or try searching our AD FS Knowledge Base articles or Community discussions. For further assistance, contact Support.