One Identity Defender AD FS Adapter integrates with Microsoft Active Directory Federation Services (AD FS) to add two-factor authentication to services that use browser-based federated logins. The Defender AD FS Adapter supports relying parties that use the Microsoft WS-Federation protocol, such as Office 365, as well as SAML 2.0 federated logons for cloud apps such as Google Apps and salesforce.com. Defender AD FS Adapter supports Windows Server 2012 R2 and Windows Server 2016.
Before installing Defender AD FS Adapter, verify the following:
After verifying and setting up the prerequisites, connecting to Defender through Defender AD FS Adapter requires the following parameters:
Defender AD FS Adapter adds Multi-Factor Authentication (MFA), which presents a two-factor authentication prompt for web-based logins through the AD FS server or Web Application Proxy. After completing the primary AD FS server authentication (by any standard means, such as Windows Integrated or Forms-Based), you must complete the Defender authentication challenge before being redirected to the relying party. If the deployment is an AD FS farm, install Defender AD FS Adapter on all AD FS servers in the farm.
After installing Defender AD FS Adapter on the AD FS servers in the farm, select the MFA location (Internal access, External access, or both, as required) when configuring the Multi-Factor Authentication policies. If you require two-factor authentication for External access locations, a Web Application Proxy is required; you do not have to install Defender AD FS Adapter on the Web Application Proxy server.