
Starling Two-Factor Authentication Hosted - AD FS Adapter Administrator Guide

Configuring Active Directory attributes

If user data is stored in Active Directory, you must configure the AD attributes that are used to retrieve the values for the logged-on user from Active Directory. The email address and phone number attributes specified in the Starling Two-Factor AD FS Adapter are used to validate whether the AD user can be authenticated to log in to services using browser-based federated logins.

The Starling Two-Factor AD FS Adapter Configuration window allows you to specify the user attributes that would be used to retrieve the user's email address and phone number from Active Directory.

To configure AD FS Adapter to retrieve user attributes stored in Active Directory

  1. On the Starling Two-Factor AD FS Adapter Configuration page, click Attribute names.

The Active Directory attributes window is displayed.

  2. In the E-Mail attribute field, select the required email attribute from the drop-down menu, or enter the value of the email attribute. The entered value must be an AD attribute. By default, the following values are available in the drop-down menu:
    • mail
    • userPrincipalName

The default email attribute is mail.

  3. In the Phone number attribute field, select the required phone attribute from the drop-down menu, or enter the value of the phone number attribute. The entered value must be an AD attribute. By default, the following values are available in the drop-down menu:
    • mobile
    • homephone

The default Phone number attribute is mobile.

  4. Select the Enable LDAP over SSL option to enable the AD FS Adapter to communicate with the Active Directory server over a secured LDAP connection.
  5. Click Save Settings after completing the configuration.

NOTE: If the attribute entered is invalid, an error message is displayed when you click Save Settings.
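The following PowerShell pre-flight check is an added example, not part of the One Identity guide or the adapter's own code. It applies the same rule the adapter enforces on Save Settings (the entered name must be a schema attribute), lists users whose configured email or phone attribute is empty before MFA is enforced on them, and confirms the domain controller answers on LDAPS port 636 when Enable LDAP over SSL is selected. The group name MFA-Users is an assumed placeholder; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the One Identity guide): verify the attribute names entered in the
# Starling Two-Factor AD FS Adapter and find users who would fail MFA because the attribute is empty.
Import-Module ActiveDirectory

$EmailAttr = 'mail'       # value entered in the E-Mail attribute field
$PhoneAttr = 'mobile'     # value entered in the Phone number attribute field
$MfaGroup  = 'MFA-Users'  # assumed placeholder: the object selected in the AD FS MFA policy

# 1. The adapter rejects names that are not AD schema attributes; check the same thing here.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in @($EmailAttr, $PhoneAttr)) {
    $def = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    if (-not $def) { throw "'$attr' is not an attribute in the AD schema" }
}

# 2. Users in the MFA scope with no email or phone value cannot be validated by the adapter.
$members = Get-ADGroupMember -Identity $MfaGroup -Recursive | Where-Object objectClass -eq 'user'
$missing = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties $EmailAttr, $PhoneAttr
    if (-not $u.$EmailAttr -or -not $u.$PhoneAttr) {
        [pscustomobject]@{ User = $u.SamAccountName; Email = $u.$EmailAttr; Phone = $u.$PhoneAttr }
    }
}
if ($missing) {
    Write-Warning "$(@($missing).Count) user(s) lack $EmailAttr or $PhoneAttr and will fail Starling MFA:"
    $missing | Format-Table -AutoSize
} else {
    Write-Host "All $(@($members).Count) members of $MfaGroup have $EmailAttr and $PhoneAttr populated."
}

# 3. If Enable LDAP over SSL is selected, the DC must accept connections on 636.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$ldaps = Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue
if ($ldaps.TcpTestSucceeded) { Write-Host "LDAPS reachable on ${dc}:636" }
else { Write-Warning "LDAPS (636) not reachable on ${dc}; fix the DC certificate before enabling LDAP over SSL" }
```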

Upgrading Starling Two-Factor AD FS Adapter

This section describes the procedures that must be followed before upgrading One Identity Starling Two-Factor AD FS Adapter.

Before upgrading Starling Two-Factor AD FS Adapter on Windows Server 2012 R2

  1. Launch the AD FS Management console on the primary server in the AD FS farm.
  2. Navigate to AD FS | Authentication Policies, and click Edit Global Multi-factor Authentication. Alternatively, navigate to Multi-factor Authentication | Global Settings, and click Edit.
  3. In the Edit Global Authentication Policy dialog box, click Multi-factor.
  4. Clear the Starling Two-Factor Authentication method.

Before upgrading Starling Two-Factor AD FS Adapter on Windows Server 2016 and Windows Server 2019

  1. Launch the AD FS Management console on the primary server in the AD FS farm.
  2. Navigate to AD FS | Service | Authentication Methods, and then click Edit Multi-factor Authentication Methods on the right pane. Alternatively, navigate to Additional Authentication Methods and click Edit.
  3. In Edit Authentication Methods, select the Additional tab.
  4. Clear the Starling Two-Factor Authentication method.

 

To upgrade the One Identity Starling Two-Factor AD FS Adapter, use the StarlingTwoFactorADFSAdapter.msi file, and follow the on-screen instructions. For information on the procedure to be followed after installing Starling Two-Factor AD FS Adapter, see Configuring AD FS Multi-factor Authentication.

 

IMPORTANT: When upgrading to Starling Two-Factor AD FS Adapter 7.1 from 6.x, you must connect to Starling, because the Subscription key option has been removed. Connect to Starling using the credentials that were used to create the Starling account. You must configure the Push notification and AD attributes again to overwrite the default values. For information on connecting to Starling, see Connecting Starling for authentication.

Configuring AD FS Multi-factor Authentication

The AD FS server must be configured for multi-factor authentication so that it communicates with the Starling Two-Factor AD FS Adapter. If it is not configured, users or groups trying to log in to AD FS cannot be authenticated through Starling Two-Factor Authentication.

This section provides information on the configuration of AD FS Multi-factor Authentication on Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.

To configure AD FS Multi-factor authentication on Windows Server 2012 R2

  1. Launch the AD FS Management console on the primary AD FS internal server.

  2. Navigate to AD FS | Authentication Policies and click Edit Global Multi-factor Authentication.

    Alternatively, under Multi-factor Authentication | Global Settings section, click Edit.

  3. In the Edit Global Authentication Policy dialog box, click Multi-factor.

  4. In Users/Groups section, click Add and select an object for multi-factor authentication, for example, Domain Users.

  5. In the Locations section, select the Extranet or Intranet option, based on the required type of connection.

    For example, if you always require two-factor authentication, select both Extranet and Intranet locations when configuring the multi-factor authentication policy.

    If you want to enforce two-factor authentication for external users and you have configured your network such that external users communicate with an AD FS Web Application Proxy while internal users communicate with the Identity Provider, select Extranet only.

    NOTE: In an advanced multi-factor scenario, you can choose Intranet, Extranet, or both options for each user or for each relying party. For more information, see the Microsoft TechNet article Overview: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

  6. In Select additional authentication methods, select Starling Two-Factor Authentication.

  7. Click OK to save the multi-factor authentication settings.

To configure AD FS Multi-factor authentication on Windows Server 2016 or Windows Server 2019

  1. Launch the AD FS Management console on the primary AD FS internal server.

  2. Navigate to AD FS | Service | Authentication Methods.
  3. On the Authentication Methods pane, under Multi-factor Authentication Methods, click Edit.

    Alternatively, in the Actions pane, click Edit Multi-factor Authentication Methods.

  4. On the Edit Authentication Methods wizard, under the Multi-factor tab, select the Starling Two-factor Authentication option and click OK.

  5. Navigate to AD FS | Access Control Policies.

  6. On the Access Control Policies pane, edit one of the existing policies.

    Alternatively, create a new multi-factor authentication policy if a pre-defined policy is not sufficient for your organization's multi-factor authentication requirements.

  7. Navigate to AD FS | Relying Party Trusts.

  8. On the Relying Party Trusts pane, right-click the relying party trust, and select Edit Access Control Policy.
  9. On the Edit Access Control Policy for <relying party trust> wizard, under Access control policy, select a policy for the relying party that includes multi-factor authentication, and then click OK.

    The multi-factor authentication policy is applied to the selected relying party.
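The following PowerShell functions are an added example, not part of the One Identity guide or the adapter's own code. They mirror the console steps for Windows Server 2016 and 2019: Disable-StarlingMfa is the pre-upgrade step that clears the Starling method from the global policy, and Enable-StarlingMfa re-adds it and applies a multi-factor access control policy to a relying party trust. The provider is located by matching "Starling" in its name, because this guide does not state the registered provider name; the policy name Permit everyone and require MFA is the built-in AD FS 2016 policy and is an assumption you should confirm with Get-AdfsAccessControlPolicy.

```powershell
# Added example (not from the One Identity guide): PowerShell equivalent of the AD FS console steps.
Import-Module ADFS

function Get-StarlingProviderName {
    # Assumption: the adapter registers a provider whose Name or AdminName contains "Starling".
    $p = Get-AdfsAuthenticationProvider |
        Where-Object { $_.Name -like '*Starling*' -or $_.AdminName -like '*Starling*' }
    if (-not $p) { throw 'Starling Two-Factor provider is not registered on this AD FS server' }
    ($p | Select-Object -First 1).Name
}

function Disable-StarlingMfa {
    # Pre-upgrade step: clear only the Starling method, keeping any other additional providers.
    $name    = Get-StarlingProviderName
    $current = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($current | Where-Object { $_ -ne $name })
}

function Enable-StarlingMfa {
    param(
        [Parameter(Mandatory)][string]$RelyingPartyName,           # as shown under Relying Party Trusts
        [string]$PolicyName = 'Permit everyone and require MFA'     # assumed built-in policy name
    )
    $name    = Get-StarlingProviderName
    $current = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    if ($current -notcontains $name) {
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($current + $name)
    }
    if (-not (Get-AdfsAccessControlPolicy -Name $PolicyName)) {
        throw "Access control policy '$PolicyName' not found; create or pick one that requires MFA"
    }
    # Apply the MFA policy to the relying party (console step: Edit Access Control Policy).
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -AccessControlPolicyName $PolicyName
}

function Test-StarlingMfa {
    # Returns $true when Starling is enabled globally and the relying party uses an MFA policy.
    param([Parameter(Mandatory)][string]$RelyingPartyName)
    $name = Get-StarlingProviderName
    $rp   = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    ((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider -contains $name) -and
        ($rp.AccessControlPolicyName -like '*MFA*')
}
```

Run Disable-StarlingMfa on the primary server before launching the MSI, then Enable-StarlingMfa and Test-StarlingMfa after the post-upgrade configuration.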

Testing the setup

 

After completing required configurations on the AD FS Management Console and Starling Two-factor AD FS Adapter, you can test the setup for successful authentication.

To test the two-factor authentication for the relying party using AD FS Adapter

  1. Use a web browser to log in to a relying party. For example, log in to Office 365 by using https://portal.microsoftonline.com.

  2. Enter the required credentials to perform the primary authentication.

    After successful primary authentication, the user receives an approval request in the Starling 2FA application. The user can approve or deny the request. If the request is denied or times out, the user can request another approval or sign in with the token response obtained from SMS, phone call, or the Starling 2FA application.
