Starling Two-Factor Authentication Hosted - Starling Two-Factor AD FS Adapter Administrator Guide


One Identity Starling Two-Factor AD FS Adapter integrates with Microsoft Active Directory Federation Services (AD FS) 3.0 to add two-factor authentication to services using browser-based federated logins. Starling Two-Factor AD FS Adapter supports relying parties that use Microsoft WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud applications like Google Apps and Starling Two-Factor AD FS Adapter with AD FS 3.0 supports Windows Server 2012 R2.


Before installing Starling Two-Factor AD FS Adapter, verify the following:

  • Microsoft .NET Framework 4.6.1 or later is installed

  • PowerShell 4.0 or later is installed

  • AD FS role is installed and the AD FS service is running

  • The federated logins to the relying parties are working

  • A valid phone number and email id is configured in Active Directory for the user

Connectivity requirements

After verifying and setting up the prerequisites, do the following:

  1. Request Starling Two-Factor Authentication subscription.

  2. Log in to Starling Two-Factor Authentication Dashboard and get the subscription key (required for Starling Two-Factor AD FS Adapter installation).

Starling Two-Factor AD FS Adapter communicates with Starling Two-Factor Authentication on SSL/TCP port 443. As the IP addresses can change over time, you must not lock down the firewall to individual IP addresses.

Deployment Overview

Starling Two-Factor AD FS Adapter adds multi-factor authentication (MFA) that provides a two-factor authentication prompt to web-based logins through AD FS server or Web Application Proxy. After completing the primary AD FS server authentication (by any standard means such as Windows Integrated or Forms-Based), you have to complete Starling Two-Factor authentication challenge before getting redirected to the relying party. If the deployment is in an AD FS farm, install Starling Two-Factor AD FS Adapter on all AD FS servers in the farm.



After the installation of Starling Two-Factor AD FS Adapter on the AD FS servers in the farm, while configuring the multi-factor authentication policies, select the MFA location (Internal access or External access or both as per the requirement). If you require two-factor authentication for External access locations, a Web Application Proxy is required and you do not have to install Starling Two-Factor AD FS Adapter on the Web Application Proxy server.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

Please note our Privacy Policy recently changed to support GDPR. You may read it here. Continuing to use our website indicates you have accepted the new policy.