Duo integrates with Microsoft AD FS 3.0 to add two-factor authentication to services using browser-based federated logins, complete with inline self-service enrollment and authentication prompt.
The Duo AD FS module supports relying parties that use Microsoft's WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google Apps and salesforce.com.
The AD FS application is part of Duo Beyond, Duo Access, and Duo MFA plans.
The Duo AD FS 3.0 integration has been tested with AD FS 3.0 on Windows Server 2012 R2. To protect AD FS on Windows Server 2012 or 2008 R2 use the AD FS 2.x integration.
Before installing the Duo AD FS integration, verify that federated logins to your relying parties are working.
This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
This integration adds a pluggable multi-factor (MFA) authentication provider that provides a Duo two-factor authentication prompt to web-based logins through an AD FS Identity Provider and/or Web Application Proxy. After completing primary authentication to the AD FS server (by any standard means such as Windows Integrated or Forms-Based), your users will be required to complete a Duo authentication challenge before getting redirected back to the relying party.
Install the Duo integration on the internal AD FS 3.0 identity provider server only. In an AD FS farm deployment install Duo on all identity provider AD FS servers in the farm.
When configuring the multi-factor authentication policies after the Duo installation on the internal AD FS server, you select whether to require MFA for Internal or External access locations (or both). If you plan to require two-factor authentication for External access locations, a Web Application Proxy is required. You do not need to install the Duo AD FS integration on the Web Application Proxy server.
Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.
Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).
Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option).
Enter your integration key, secret key, and API hostname from the Duo Security ADFS application page when prompted.
If the Bypass Duo authentication when offline option is unchecked, then users will not be able to log in to protected federated resources when Duo Security cloud services are unreachable.
If you only have one AD FS server running, select the option to automatically generate a new key. However, if you are running multiple AD FS servers in a farm (e.g. behind a load-balancer), then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
# 30 random bytes from the system CSPRNG encode to a 40-character Base64 string,
# which meets the minimum session key length required above
$bytes = new-object "System.Byte[]" 30
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)
Launch the AD FS Management console on your primary AD FS internal server. Navigate to AD FS > Authentication Policies and click the Edit Global Multi-factor Authentication... action, or click on the Edit link under Multi-factor Authentication > Global Settings.
On the Multi-factor (MFA) tab of the Edit Global Authentication Policy you can choose to assign a domain group for MFA using the Add... button (Domain Users in the example).
Alternatively, after determining what types of connections will be required to use MFA check the boxes for Extranet and/or Intranet. For example, if you want to always require two-factor authentication for all of your users, select both the Extranet and Intranet location when configuring the multi-factor authentication policy. If you only want to enforce two-factor authentication for external users, and you have configured your network such that external users communicate with an AD FS Web Application Proxy while internal users communicate with the Identity Provider, only enable the Extranet location in the multi-factor authentication policy and leave the Intranet location unchecked.
Check the box next to the Duo Authentication for AD FS 1.1.0.x authentication method (where 1.1.0.x reflects the Duo version) to enable Duo protection.
In an advanced multi-factor scenario, you can choose Intranet and/or Extranet location requirements on a per user or per relying party basis. Refer to Microsoft's TechNet article Overview: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications for more information.
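The console steps above can also be scripted, which is useful when you have to apply the same policy to every identity provider server in a farm. The following is an added example, not code from Duo's documentation, and uses the AD FS PowerShell cmdlets that ship with Windows Server 2012 R2 (Get-AdfsAuthenticationProvider, Set-AdfsGlobalAuthenticationPolicy, Set-AdfsAdditionalAuthenticationRule). It assumes the Duo provider's DisplayName begins with "Duo Authentication for AD FS", as shown in the console; the internal provider Name is looked up rather than hard-coded. The three claim rules correspond to the Extranet-only, Extranet-plus-Intranet, and domain-group choices described above; only one of them is applied at the end.

```powershell
# Added example (not from the Duo documentation): configure the global MFA policy
# with the AD FS cmdlets instead of the AD FS Management console.
# Run from an elevated PowerShell session on the primary internal AD FS server.
Import-Module ADFS

# 1. Locate the Duo provider by its display name (assumed to start with the text
#    shown in the console) and fail early if the installer did not register it.
$duo = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -like 'Duo Authentication for AD FS*' }
if (-not $duo) { throw 'Duo authentication provider is not registered on this server.' }

# 2. Enable Duo as an additional (multi-factor) provider; this is the same as
#    ticking its box on the Multi-factor tab.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $duo.Name

# 3. Claim types AD FS uses for the location and MFA decision.
$claimNet = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$claimMfa = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
$valueMfa = 'http://schemas.microsoft.com/claims/multipleauthn'

# Extranet only: requests arriving through the Web Application Proxy carry
# insidecorporatenetwork = false. This rule only protects external users if they
# really do come in via the proxy; an external user who can reach the identity
# provider directly is treated as Intranet and would not be challenged.
$extranetOnly = @"
c:[Type == "$claimNet", Value == "false"]
 => issue(Type = "$claimMfa", Value = "$valueMfa");
"@

# Extranet and Intranet: an unconditional rule requires MFA for every login.
$everywhere = @"
=> issue(Type = "$claimMfa", Value = "$valueMfa");
"@

# Domain group: require MFA for members of one group (Domain Users here, as in
# the console example). The SID is resolved locally so it does not need to be typed.
$groupSid = (New-Object System.Security.Principal.NTAccount('Domain Users')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$groupOnly = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "$claimMfa", Value = "$valueMfa");
"@

# 4. Apply exactly one rule set. Swap $extranetOnly for $everywhere or $groupOnly
#    to match the location or group policy you decided on above.
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetOnly

# 5. Read back the effective policy so the change can be verified (and compared
#    across farm members).
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Because the rule set replaces whatever was configured before, run step 5 on every farm member after the change and confirm that each one lists the Duo provider and the same additional authentication rule; a server that still has an empty rule set will let users through with only primary authentication.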
To test your setup, use a web browser to log into a relying party for your AD FS deployment. As an example, you might log into https://portal.microsoftonline.com to access Office 365. Duo's enrollment or login prompt appears after you complete primary authentication to your AD FS server.
Visit our guides to protecting popular cloud applications like Google Apps and Office 365 with Duo's powerful two-factor authentication for AD FS.