One Identity Starling Two-Factor AD FS Adapter integrates with Microsoft Active Directory Federation Services (AD FS) to add two-factor authentication to services that use browser-based federated logins. Starling Two-Factor AD FS Adapter supports relying parties that use the Microsoft WS-Federation protocol, such as Office 365, as well as SAML 2.0 federated logins for cloud applications such as Google Apps and Salesforce.com. Starling Two-Factor AD FS Adapter supports Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
Starling Two-Factor AD FS Adapter adds multi-factor authentication (MFA) by presenting a two-factor authentication prompt to web-based logins through the AD FS server or the Web Application Proxy. After the user completes primary authentication on the AD FS server, using standard methods such as Windows Integrated or Forms-Based authentication, the user completes Starling Two-Factor authentication before being redirected to the relying party. If the deployment is an AD FS farm, install Starling Two-Factor AD FS Adapter on every AD FS server in the farm.
Figure 1: Starling Two-Factor AD FS Adapter deployment overview
After installing Starling Two-Factor AD FS Adapter on the AD FS servers in the farm, select the MFA location (Internal access, External access, or both, as required) while configuring the multi-factor authentication policies. Two-factor authentication for External access locations requires a Web Application Proxy, but you do not have to install Starling Two-Factor AD FS Adapter on the Web Application Proxy server.
The following diagram gives an overview of how AD FS Adapter functions with Starling Two-Factor Authentication to provide two-factor authentication to the relying parties.
The following sections describe the prerequisites and the steps to download and install the latest version of the Starling Two-Factor AD FS Adapter.
Before installing Starling Two-Factor AD FS Adapter, verify the following on the system:
Microsoft .NET Framework 4.6.2 or later is installed
PowerShell 4.0 or later is installed
AD FS role is installed
The federated logins to the relying parties are working
A valid phone number and email address are configured in Active Directory for the user
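The following pre-flight script, added here as an example and not part of the One Identity documentation, checks the prerequisites listed above on an AD FS server. It assumes the ServerManager and ActiveDirectory PowerShell modules are available, takes a test user's sAMAccountName as a parameter (the default is a constructed value), and uses the standard Windows .NET Framework Release number and AD attribute names, which are not from this page; which phone attribute Starling reads is an assumption.

```powershell
# Added pre-flight check for the Starling Two-Factor AD FS Adapter prerequisites.
# Example code, not One Identity's. Run in an elevated PowerShell session on
# each AD FS server in the farm (every farm node must pass).
param(
    # sAMAccountName of a test user whose phone number and email are verified
    # ('jdoe' is a constructed placeholder)
    [string]$SamAccountName = 'jdoe'
)

$results = [ordered]@{}

# 1. .NET Framework 4.6.2 or later. The Release value in this key is 394802
#    for 4.6.2 on Windows 10 Anniversary Update and 394806 on other OS versions;
#    any later framework has a higher value, so "-ge 394802" covers "or later".
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.6.2 or later'] = ($null -ne $ndp) -and ($ndp.Release -ge 394802)

# 2. PowerShell 4.0 or later
$results['PowerShell 4.0 or later'] = $PSVersionTable.PSVersion.Major -ge 4

# 3. AD FS role installed, and the federation service running (a running service
#    is necessary, though not sufficient, for federated logins to work).
$adfsFeature = Get-WindowsFeature -Name ADFS-Federation -ErrorAction SilentlyContinue
$results['AD FS role installed'] = ($null -ne $adfsFeature) -and $adfsFeature.Installed
$adfsSvc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
$results['AD FS service running'] = ($null -ne $adfsSvc) -and ($adfsSvc.Status -eq 'Running')

# 4. The test user has an email address and a phone number in Active Directory.
#    Assumption: either 'mobile' or 'telephoneNumber' is acceptable as the phone number.
$user = Get-ADUser -Identity $SamAccountName -Properties mail, mobile, telephoneNumber -ErrorAction SilentlyContinue
$results["User '$SamAccountName' has email"] = ($null -ne $user) -and
    -not [string]::IsNullOrWhiteSpace($user.mail)
$results["User '$SamAccountName' has phone"] = ($null -ne $user) -and (
    -not [string]::IsNullOrWhiteSpace($user.mobile) -or
    -not [string]::IsNullOrWhiteSpace($user.telephoneNumber))

# Report each check and exit non-zero if anything failed, so the script can
# gate an automated installation.
foreach ($check in $results.Keys) {
    $status = if ($results[$check]) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-40} {1}' -f $check, $status)
}
if ($results.Values -contains $false) { exit 1 }
```

The script only confirms the local prerequisites; actual federated logins to each relying party still need to be verified by signing in before the adapter is installed.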