Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active
Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Document issue: 1.0

May 2019
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Entrust is a trademark or a registered trademark of Entrust Datacard Limited in Canada. All Entrust product names
and logos are trademarks or registered trademarks of Entrust, Inc. or Entrust Datacard Limited in certain countries.
All other company and product names and logos are trademarks or registered trademarks of their respective
owners in certain countries.

The information is subject to change as Entrust Datacard reserves the right to, without notice, make changes to its
products as progress in engineering or manufacturing methods or circumstances may warrant.

You should not act or abstain from acting based upon such information without first consulting a professional.
ENTRUST DATACARD DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS OF THE
INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED "AS IS" WITHOUT ANY
REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY
USAGE OF TRADE, OR OTHERWISE, AND ENTRUST DATACARD SPECIFICALLY DISCLAIMS ANY AND ALL
REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-
INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE.

Copyright © 2019. Entrust Datacard. All rights reserved.
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Contents
Introduction ................................................................................................................... 5
  Overview .................................................................................................................................................... 5
  Integration information ............................................................................................................................... 5
  Authentication overview............................................................................................................................. 6
  Two-factor authentication .......................................................................................................................... 9
     Primary authentication ........................................................................................................................... 9
     Secondary authentication ...................................................................................................................... 9
  Authentication flow .................................................................................................................................... 9
  Multifactor authentication flow process ................................................................................................... 10
Performing the integration ......................................................................................... 11
  Integrating with IntelliTrust ...................................................................................................................... 11
     Add an Authentication API to IntelliTrust ............................................................................................. 12
     Add a Resource Rule ........................................................................................................................... 12
Installing the Entrust Datacard AD FS Adapter ........................................................ 16
  Prerequisites ............................................................................................................................................ 16
  Install the Entrust Datacard AD FS Adapter primary server.................................................................... 16
  Restarting the AD FS service .................................................................................................................. 22
Configuring AD FS for Entrust Datacard authentication ......................................... 23
Testing the integration................................................................................................ 29
Post-installation configuration .................................................................................. 32
  Configuring AD FS for IntelliTrust ............................................................................................................ 32
  Configuring AD FS for Entrust IdentityGuard .......................................................................................... 33
  Configuring the second factor authentication method ............................................................................. 33
    Configuring policy-based authentication .............................................................................................. 34
    Configuring grid authentication ............................................................................................................ 34
    Configuring token authentication ......................................................................................................... 36
    Configuring knowledge-based authentication ...................................................................................... 36
    Configuring policy authentication to override Q&A challenge size ...................................................... 38
    Configuring one-time password (OTP) authentication......................................................................... 39
    Configuring Mobile Smart Credential authentication (Identity Assured) .............................................. 40
    Configuring Mobile Soft Token (TVS) authentication .......................................................................... 41
  Configuring alternate authenticators ....................................................................................................... 43
  Configuring the user domain to Entrust IdentityGuard group mapping ................................................... 44
  Migrating users to Entrust IdentityGuard or IntelliTrust ........................................................................... 45
    Forcing migration ................................................................................................................................. 45
    Phasing in migration ............................................................................................................................ 46
    Modifying user migration settings ........................................................................................................ 47
    Modifying the SkipAuthNoExist element .............................................................................................. 48
    Modifying the SkipAuthNoActive element ............................................................................................ 48
  Customizing end-user messages ............................................................................................................ 49
  Configuring logging.................................................................................................................................. 49
    Location of log files .............................................................................................................................. 49
    Changing the logging level .................................................................................................................. 50
    Configuring the log file settings ............................................................................................................ 50
Uninstalling the Entrust Datacard AD FS Adapter ................................................... 52

© Copyright 2019 Entrust Datacard                                                                                        http://www.entrustdatacard.com
All rights reserved.                                                                                                                                  3
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Appendix A: Installing and Configuring AD FS 3.0 .................................................. 61
  Installing AD FS 3.0 ................................................................................................................................. 61
  Configuring AD FS................................................................................................................................... 63
  Configuring an AD FS sample application............................................................................................... 71
  Installing WAP ......................................................................................................................................... 71
  Configuring WAP ..................................................................................................................................... 73
  Publishing AD FS 3.0 sample application on WAP ................................................................................. 76
  Configuring WAP on Windows server 2016 and 2019 ............................................................................ 81
  Publishing AD FS 4.0 and 5.0 sample application on WAP .................................................................... 83
Appendix B: Configuring failover for Entrust IdentityGuard Servers ..................... 89
Appendix C: Known issues ........................................................................................ 92




© Copyright 2019 Entrust Datacard                                                                                     http://www.entrustdatacard.com
All rights reserved.                                                                                                                               4
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Introduction
This Technical Integration Guide provides an overview of how to integrate Entrust® IdentityGuard
Adapter with Microsoft® Active Directory Federation Services (AD FS). The aim of this integration is to
add Entrust IdentityGuard multi-factor authentication (MFA) to AD FS. The Entrust IdentityGuard Adapter
uses the pluggable Multi-factor authentication (MFA) option of AD FS to integrate Entrust IdentityGuard
MFA with AD FS.


Overview
Entrust Datacard AD FS Adapter integrates the Entrust IdentityGuard Server and IntelliTrust second
factor authentication to Microsoft Active Directory Federation Services.
The Entrust IdentityGuard Server is a server-based software product that authenticates and manages
users and their authentication data. Entrust IdentityGuard provides strong second-factor authentication.
When AD FS is integrated with the Entrust Datacard AD FS Adapter, the Entrust Datacard AD FS Adapter
serves as a login and re-authentication device to allow for two-factor authentication for system access or
to verify certain secured actions.


Integration information
Entrust Product: Entrust IdentityGuard 12.0 FP1 or later
Partner name: Microsoft
Web site: http://www.microsoft.com
Product name: Active Directory Federation Services
Product version: 3.0, 4.0, 5.0


Partner Product description: In Windows Server® 2012 R2, Windows Server® 2016, and Windows
Server® 2019, AD FS includes a federation service role service that acts as an identity provider
(authenticates users to provide security tokens to applications that trust AD FS) or as a federation
provider (consumes tokens from other identity providers and then provides security tokens to applications
that trust AD FS). Active Directory Federation Services (AD FS) makes it possible for local users and
federated users to use claims-based single sign-on (SSO) to Web sites and services.
AD FS can be used to collaborate securely across Active Directory domains with other external
organizations by using identity federation. This reduces the need for duplicate accounts, management of
multiple logons, and other credential management issues that can occur when establishing cross-
organizational trusts. The AD FS platform provides a fully redesigned Windows-based Federation Service
that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.




© Copyright 2019 Entrust Datacard                                               http://www.entrustdatacard.com
All rights reserved.                                                                                         5
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Authentication overview
The following tables describe the supported authentication methods.
Table 1: Supported authentication methods for Entrust IdentityGuard

 Authentication Type                Description

  Entrust IdentityGuard             In OTP authentication, the user enters a password that can be used
  One-Time Password                 only once. In the classic case, the user receives the password only
                                    when it is needed.
                                    Entrust IdentityGuard allows users to have multiple OTPs. Since
                                    OTPs can be used only once, the user’s supply of OTPs is reduced
                                    with each authentication. When the user’s supply of OTPs falls below
                                    a threshold, Entrust IdentityGuard automatically generates and sends
                                    a new supply of OTPs.
                                    The operation and refresh threshold are defined in Entrust
                                    IdentityGuard policy. OTP authentication can be used with a personal
                                    verification number (PVN) if your system is set up to require it.

  Entrust IdentityGuard Grid        In grid authentication, the user enters the user ID and password on
                                    one page, and the response to the grid challenge on the next page.
                                    Grid authentication can be used with a personal verification number
                                    (PVN) if your system is set up to require it.

  Entrust IdentityGuard             During user registration, the user sets up answers for some
  Knowledge Based Q & A             predefined (and sometimes user-defined) questions. In knowledge-
                                    based authentication, the user answers these previously-defined
                                    questions.

  Entrust IdentityGuard Token       In token authentication, the user enters a code generated on a
                                    hardware or software token in response to a token challenge. There
                                    are two types of hardware tokens:
                                       •   response-only (RO)
                                       •   challenge-response (CR)
                                    Token authentication can be used with a personal verification number
                                    (PVN) if your system is set up to require it.

  Entrust IdentityGuard Mobile      TVS is a strong out-of-band authentication method where an
  Soft Token                        authentication challenge is sent on user’s mobile. This challenge is
                                    signed by the Entrust Mobile Soft Token app and verified by Entrust
                                    IdentityGuard server. A user can accept or reject the challenge, which
                                    results in either a successful or failed authentication.

  Entrust IdentityGuard Mobile      Identity Assured is a strong out-of-band authentication method where
  Smart Credentials                 an authentication challenge is sent on user’s mobile. This challenge is
                                    signed by the Entrust Mobile smart card app and verified by Entrust
                                    IdentityGuard server. A user can accept or reject the challenge, which
                                    results in either a successful or failed authentication




© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           6
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Authentication Type                Description

  Entrust IdentityGuard             Provides an extra level of security when using grids, tokens, and
  Personal Verification             temporary PINs. Any grid, token, or temporary PIN challenge can also
  Number                            include a PVN challenge. By default, no authentication methods
                                    require a PVN, so you must set the Entrust IdentityGuard policy to
                                    require PVNs.
                                    An administrator can create PVNs for your users, or you can let users
                                    create and update their own PVNs.
                                    The PVN can be any length from 1-255 digits, but you should select a
                                    length that makes the value easy to remember and enter, while still
                                    providing an acceptable level of security. You set the length in the
                                    PVN policy on the Entrust IdentityGuard Server.
                                    Each user can have just one PVN. You can force a user to update
                                    their PVN just after an administrator creates it, or anytime the PVN
                                    gets too old. If a user’s PVN needs to be changed, the user receives
                                    at the next login attempt. The change request appears with the
                                    second-factor challenge.

  Entrust IdentityGuard             A temporary PIN is a fallback authentication method used when the
  Temporary PIN                     user:
                                        •   is not yet registered for a grid or token
                                        •   the user has lost or forgotten their grid or token
                                        •   The user requests the temporary PIN, and receives a
                                            password (PIN) that can be used to log on. The temporary
                                            PIN can be used to replace grid, or token authentication.
                                    Temporary PINs can be used with a personal verification number
                                    (PVN) if your system is set up to require it.

  Machine risk-based                Supports checking the IP address and additional client information
  authentication                    (for example persistent browser cookies) of the user logging in.


Table 2: Supported authentication methods for IntelliTrust

 Authentication Type                Description

  One-time password (OTP)           In OTP authentication, the user enters a password that can be used
                                    only once. In the classic case, the user receives the password only
                                    when it is needed by email, SMS, or voice.
  Grid                              In grid authentication, the user a the response to the grid challenge.

  Knowledge Based Q & A             During user registration, the user sets up answers for some
                                    predefined (and sometimes user-defined) questions. In knowledge-
                                    based authentication, the user answers these previously-defined
                                    questions.
  Token                             In token authentication, the user enters a code generated on a
                                    hardware or software token in response to a token challenge.




© Copyright 2019 Entrust Datacard                                                   http://www.entrustdatacard.com
All rights reserved.                                                                                             7
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Authentication Type                Description

 Mobile Soft Token                  TVS is a strong out-of-band authentication method where an
                                    authentication challenge is sent on user’s mobile. This challenge is
                                    signed by the Entrust Mobile Soft Token app and verified by
                                    IntelliTrust. A user can accept or reject the challenge, which results in
                                    either a successful or failed authentication.

  Mobile Smart Credentials          Identity Assured is a strong out-of-band authentication method where
                                    an authentication challenge is sent on user’s mobile. This challenge is
                                    signed by the Entrust Mobile smart card app and verified by
                                    IntelliTrust server. A user can accept or reject the challenge, which
                                    results in a successful or failed authentication

  Entrust IdentityGuard             A temporary PIN is a fallback authentication method used when the
  Temporary PIN                     user:
                                        •   is not yet registered for a grid or token
                                        •   the user has lost or forgotten their grid or token
                                        •   The user requests the temporary PIN, and receives a
                                            password (PIN) that can be used to log on. The temporary
                                            PIN can be used to replace grid, or token authentication.
                                    Temporary PINs can be used with a personal verification number
                                    (PVN) if your system is set up to require it.
  Machine risk-based                Supports checking the IP address and additional client information
  authentication                    (for example persistent browser cookies) of the user logging in.




© Copyright 2019 Entrust Datacard                                                   http://www.entrustdatacard.com
All rights reserved.                                                                                             8
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Two-factor authentication
AD FS supports both primary and secondary authentication of users against Active Directory.

Primary authentication
Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 support the following
primary authentication methods:

    •    Windows integrated authentication
    •    Username and password
    •    Client certificate (client Transport Layer Security (TLS), including SmartCard authentication

Secondary authentication
Secondary authentication occurs immediately after primary authentication and authenticates the same
Active Directory (AD) user. Once primary authentication is complete and successful, AD FS invokes an
external authentication handler. This handler invokes an additional authentication provider, either an
in-box AD FS provider or an external MFA provider, based on protocol inputs and policy.
AD FS passes the primary authenticated user’s identity to the additional authentication provider, which
performs the authentication and returns the results. At this point, AD FS continues executing the
authentication/authorization policy and issues the token accordingly.


Authentication flow
AD FS provides extensible Multifactor Authentication by additional authentication providers that are
invoked during secondary authentication. AD FS includes, in-box, the x509 certificate authentication
provider. Other, external providers developed by AD FS partners can be registered in AD FS by the
administrator. Once a provider is registered with AD FS, it is invoked from the AD FS authentication code
through specific interfaces and methods that the provider implements and that AD FS calls. Because it
provides a bridge from AD FS to the functionality of an external authentication provider, the external
authentication provider is also called an AD FS MFA adapter.
Figure 1 provides an overview of the AD FS authentication flow using the AD FS Adapter for second
factor authentication with Entrust IdentityGuard.




© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           9
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
Figure 1: Overview of AD FS multifactor authentication flow




Multifactor authentication flow process
The multifactor authentication flow works as follows:
1. The user accesses a resource protected using AD FS on WAP, for example, Microsoft OWA.
2. The user is redirected to the AD FS primary authentication login page, for example, forms
   authentication or Integrated Windows Authentication (IWA).
3. AD FS performs the primary authentication by validating the credentials with Active Directory Domain
   Service.
4. AD FS invokes the Entrust Datacard AD FS Multifactor Authentication Adapter.
5. Entrust Datacard AD FS Adapter submits the SF challenge page to AD FS and then presents it to the
   user.
6. The user provides SF response to Entrust Datacard AD FS Adapter by way of AD FS.
7. Entrust Datacard AD FS Adapter verifies SF response and returns success or failure to
   AD FS.
8. AD FS issues a security token (WS-trust, WS federation or SAML 2.0) and redirects to original
   protected resource.




© Copyright 2019 Entrust Datacard                                              http://www.entrustdatacard.com
All rights reserved.                                                                                        10
Performing the integration
To integrate Active Directory Federation Services and the Entrust Datacard AD FS Adapter for Entrust
IdentityGuard, you complete the following steps:

To integrate with Entrust IdentityGuard
1. Install and configure AD FS.
2. Install and configure WAP.
3. Publish an AD FS sample application on WAP.
4. Install Entrust IdentityGuard Adapter.
5. Restart the AD FS service.
6. Configure AD FS for Entrust Datacard authentication.
7. Test the integration by publishing a WAP application.

Note: This guide assumes that you have WAP, AD FS 3.0, 4.0, 0r 5.0 and at least one Relying Party,
protected by AD FS working prior to Entrust Datacard AD FS Adapter integration. Appendix A provides
instructions on installing and configuring AD FS, WAP, and a publishing application. However, it is
expected that customers contact Microsoft support if they encounter any issues.

To integrate with IntelliTrust
1. Add AD FS as an authentication API to IntelliTrust.
2. Create a resource rule in IntelliTrust to protect access to AD FS.
3. Install and configure AD FS 5.0.
4. Restart the AD FS service.
5. Configure AD FS for Entrust Datacard authentication.
6. Test integration by publishing a WAP application.


Integrating with IntelliTrust
If you want to install Entrust Datacard AD FS installer for IntelliTrust, you need to add Authentication API
to IntelliTrust and copy the Application ID for use in the Entrust Datacard AD FS Adapter installer. You
must also create a resource rule to protect your resource.

Prerequisites
The Entrust Datacard AD FS Adapter IntelliTrust Authentication API uses TLS 1.2.
For IntelliTrust Authentication API, you must change the subkeys listed below to establish a successful
connection between the IntelliTrust Authentication API and the Entrust Datacard AD FS Adapter.

Subkeys for this new registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]"SchUseStrong
Crypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SchUseStrong
Crypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]"

© Copyright 2019 Entrust Datacard                                                  http://www.entrustdatacard.com
All rights reserved.                                                                                            11
SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]"
SchUseStrongCrypto"=dword:00000001

All .net applications using Framework 4.5 use SSL 3.0 and TLS 1.0 by default for all SSL/TLS
Handshakes.

If you make the registry changes documented in https://support.microsoft.com/en-
us/help/3194197/considerations-for-disabling-and-replacing-tls-1-0-in-adfs, the default protocols are
replaced with TLS 1.0, TLS1.1 and TLS1.2 for SSL/TLS Handshakes.
Complete the following procedures before installing the Entrust Datacard AD FS installer for IntelliTrust:

    •    Add an Authentication API to IntelliTrust
    •    Add a Resource Rule

Add an Authentication API to IntelliTrust
1. Log in to your IntelliTrust account with administrative privileges that allow you to add an
   Authentication API to IntelliTrust.
2. Click Resources > Applications. The Applications List page appears.
3. Click Add. The Add Applications page appears.
4. Under API Applications, click Authentication API. The Add Authentication API page appears.
5. In the Application Name field, type a name for your application.
6. Optional. In the Application Description field, type a description for your application.
7. Optional. Add a custom application logo, as follows:
    a. Click + next to Application Logo. The Upload Logo dialog box appears.
    b. Click the upload icon next to Select image file to select an image file to upload.
    c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your
       selected image.
    d. If required, resize your image.
    e. Click OK.
8. Click Next. The General Settings page appears.
9. Select Not Provided as the Source of Client IP Address for Risk Conditions.
10. Click Submit. A success message appears containing the Application ID.
11. Copy the Application ID to your clipboard. You need the Application ID when you install the Entrust
    Datacard AD FS Adapter for IntelliTrust.
12. Click Add Resource Rule and follow the instructions in Add the Resource Rule.

Add a Resource Rule
1. Click Add Resource Rule. The Add Resource Rule General Settings page appears with the Select
   Resource and Rule Name pre-populated.
2. From the Groups list, select the group or groups of users restricted by the resource rule.


© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           12
These are the groups to which the resource rule applies. If you do not select any groups, by default the
    resource rule will apply to all groups.
3. Click Next. The Authentication Conditions Settings page appears.
4. Set the Date/Time to set the Date/Time Condition Settings, as follows:
    a. Select Allow Date/Time or Deny Date/Time to either allow or deny access to the application on
       a specific date or time. The Date/Time Context Condition Settings appear.
    b. Select and set one of the following for the Condition Type:
         Specific Date Range Condition—Allows or denies access to the application during a select
         period of days.
         Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to
         the application on a specific time of day, day of the week, or both. Recurring times selected only
         apply to days not denied.
         Clear Selection—Clears existing Date and Time conditions.
         Note: If you select Allow, Time-of-day and/or Day-of-Week Recurring Condition(s), you must
         select every day. You can Allow nothing. To completely deny access, set the resource rule to
         Inactive from the Resource Rules page. You can also completely block access by denying all
         days; select Deny, Time-of-day and/or Day-of-Week RecurringCondition(s), and enter 00:00AM to
         11:59PM as the time range.
    c. Optional: Select either Use local time zone
         - or -
         In the Begin typing a Timezone field, enter a custom time zone. This time zone is used to
         identify when a day begins and ends.
         -    If you selected Specific Date Range Condition, you must select the Start Date and
              optionally the End Date from the pop-up calendar.
         -    If you select Time-of-day and/or Day of Week Recurring Conditions, you must select the
              Start Time and optionally, the End Time from the pop-up clock.
    d. Click Save to save the date and time conditions. You are returned to the Authentication
       Conditions Settings page.
5. Click Geolocation to set the Location Conditions Settings, as follows:
    e. Select Allow or Deny to build an allowed or denied country list.
    f.   From the Selected Countries drop-down list, select the countries to add or deny access to the
         application. Repeat until all the desired countries are added to the list.
    g. Click Save to save the Geolocation settings. You are returned to the Authentication Conditions
       Settings page.
6. Click Source IP address to set the IP Address Condition Settings, as follows:
    a. Select Allow or Deny to add or deny access to resources with an IP Address/CIDR.
    b. In the IP Address/cidr field, enter the IP Address/CIDR that you want to allow or deny and click
       Add. Repeat until all the desired IP addresses/CIDR are added to the list.
    c. Click Save to save the Source IP address settings. You are returned to the Authentication
       Conditions Settings page.
7. Define the Machine ID, Location History / Known Locations, and Travel Velocity conditions.



© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           13
The settings for these conditions are defined by the Risk-Based Authentication (RBA) settings of your
    IntelliTrust account. See Managing risk-based authentication in the IntelliTrust Administrator Online
    Help for more information.
8. Click Machine ID to set the Machine ID Condition Settings, as follows:
    a. Set Machine Authentication Risk is less than or equal to the value that the machine
       authenticator's total risk score must be less than during authentication to pass this condition.
         The risk score is based on the attribute differences between a user's Machine Authentication
         information and that recorded on IntelliTrust before the condition fails. If an attribute does not
         match, the attribute incurs the number of risk points shown in Non-Matching Risk Points for that
         attribute. The Non-Matching Risk Points values of non-matching attributes are added together,
         resulting in a total risk score. This score is normalized to be out of 100 as follows:
         Total Risk Score = (Total Risk Points of Failing Attributes / Maximum Risk Points of All Enabled
         Attributes) * 100
         The resource rule condition fails when the number of non-matching risk points exceeds the
         Machine Authentication Risk value defined in this step. A value of 0 means that a single attribute
         difference causes the Device Fingerprint condition to fail. The default value is 3. The value
         between 0-50 can be entered.
         The default value is defined by the Machine Risk Limit.
    b. Click Save to save the Machine ID settings. You are returned to the Authentication Conditions
       Settings page.
9. Set the risk score for each condition, as follows:
    a. Click and drag the slider to the right of the condition to the number of risk points a user receives if
       they fail to meet the condition.
         Risk points determine the authentication requirements as set by the Authentication Decisions.
         When a user attempts to authenticate to an application, the final risk score is calculated based on
         the risk assessed for each of the identified conditions.
10. Set the Authentication Decision settings, as follows:
    a. Click the risk threshold range to the right of Medium Risk and High Risk. For example, (21-50
       points) is the default threshold range for Medium Risk. The risk threshold dialog box appears.
    b. Review the number of points assigned to each risk level and modify them as required.
    c. Set the Authentication Decisions risk settings using one of the following options:
         a. Select the First Factor from the drop-down list.
              The type of authenticator selected is the first type of authentication challenge a user must
              complete to access the application. The list of Second Factors authenticators available is
              updated based on the type of First Factor authenticator selected.
         b. Click the checkboxes to select the Second Factors.
              The authenticators you select are those that can be used to complete this authentication
              challenge.
         c. Click and drag the Second Factors authenticators for the risk level so that they are ordered
            from top to bottom in order of preference.
         d. Repeat step d for Medium Risk and High Risk.
              Note: You cannot add second factors to medium and high risk if you select Deny Access is
              selected as the first factor.


© Copyright 2019 Entrust Datacard                                                   http://www.entrustdatacard.com
All rights reserved.                                                                                             14
11. Optional: Select Disable Single Sign-On for Application to force a user to re-authenticate using the
    authenticator level required when the user accesses the application.
12. Optional: Modify the Q&A challenge size and Number of Wrong Answers Allowed for the
    resource rule. This setting is visible only if you have modified the IntelliTrust default settings for
    Knowledge-based authentication.
13. Click Done to create your resource rule.
Note: For more information about resource rules, see the IntelliTrust Administration Online Help for
instructions.




© Copyright 2019 Entrust Datacard                                                     http://www.entrustdatacard.com
All rights reserved.                                                                                               15
Installing the Entrust Datacard AD FS Adapter
The following instructions provide details on installing Entrust Datacard AD FS Adapter.
This section includes the following topics:

    •    Prerequisites
    •    Adding an Authentication API to IntelliTrust
    •    Install the Entrust Datacard AD FS Adapter primary server


Prerequisites
Before you begin the installation, ensure that the following prerequisites are met:

    •    You must install the Entrust Datacard AD FS Adapter Plugin installer on the primary AD FS
         Server first and then later on the secondary AD FS Server Farm.
    •    Microsoft Services Active Directory Federation Services should be in a Running state during the
         installation of the Entrust Datacard AD FS Adapter Plugin installer.
    •    If you are installing on IntelliTrust, you must first add an Authentication API to IntelliTrust to
         generate an Application ID. You need to add the Application ID during the Entrust Datacard AD
         FS Adapter installation. You also need to create a resource rule in IntelliTrust for Entrust
         Datacard AD FS.


Install the Entrust Datacard AD FS Adapter primary server
To install the Entrust Datacard AD FS Adapter
1. Download the Entrust Datacard AD FS Adapter software from Entrust Datacard Trusted Care at
   https://trustedcare.entrustdatacard.com.
2. Copy the software to your computer.
3. Double-click the IG_ADFS_5.0.msi installer file.
    The Entrust Datacard AD FS Adapter Setup Wizard appears.




© Copyright 2019 Entrust Datacard                                                  http://www.entrustdatacard.com
All rights reserved.                                                                                            16
4. Click Next to continue.
5. Click Next to begin the installation. The License Agreement page appears.




6. Read the license agreement for Entrust IdentityGuard software carefully, and select I accept the
   license agreement.
7. Click Next. The Federation Server Setup page appears.




© Copyright 2019 Entrust Datacard                                              http://www.entrustdatacard.com
All rights reserved.                                                                                        17
8. On the Federation Server setup page, select one of the following options:
    •    Select Primary ADFS server if you are installing on a primary server.
    •    Select Other ADFS server if you are installing on another AD FS server.
9. Click Next. The Authentication Server Setup page appears.




10. Select one of the following options:
    •    Entrust IdentityGuard Server to install AD FS for Entrust IdentityGuard authentication.
         –or–

© Copyright 2019 Entrust Datacard                                                http://www.entrustdatacard.com
All rights reserved.                                                                                          18
•    Entrust Datacard IntelliTrust Authentication Service to install AD FS for IntelliTrust
         authentication.
11. Complete Next.
12. Follow these steps if you selected to install AD FS for Entrust IdentityGuard Server authentication:
    On the Authentication Adapter Setup page, complete the following:




    a. Enter the host names of one or more Entrust IdentityGuard Servers in the IdentityGuard Server
       fields.
         If you need to configure more than five Entrust IdentityGuard Servers, you can add the extra
         servers after installation is complete. See “Appendix B: Configuring failover for Entrust
         IdentityGuard Servers.”
         Note: The preferred Entrust IdentityGuard Server (number 1) is the Primary Entrust
         IdentityGuard Server in a high availability failover scenario.
    b. Enter the port number being used by the Entrust IdentityGuard authentication service in the Auth
       Port field.
         Default port assignment numbers:
         8080      non-SSL
         8443      SSL

    c. If needed, select Auth Port Requires SSL.
         Note: If you select SSL, you must already have imported the appropriate certificates into the local
         computer store of the computer where you are installing the Entrust Datacard AD FS Adapter.
    d. Click Next. The Authentication Provider Setup page appears.




© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           19
e. Select the second factor authentication type from the drop-down menu. The default is Policy-
       based.
    f.   Optionally, select Use Risk-Based Authentication if you want to enable machine authentication.
13. Follow these steps if you selected to install AD FS for IntelliTrust authentication:
    On the IntelliTrust Authentication Setup page, complete the following:




    a. In the IntelliTrust Tenant URL field, enter the IntelliTrust Tenant URL. For example,
       ..trustedauthdev.com.


© Copyright 2019 Entrust Datacard                                                  http://www.entrustdatacard.com
All rights reserved.                                                                                            20
b. In the Application ID field, enter the Application ID that what generated when you created the
       Authentication API in IntelliTrust (see the IntelliTrust Administrator Online Help).
14. Click Next. The Cookie Domain page appears.




15. If you are using risk-based authentication, provide the cookie domain for Entrust IdentityGuard
    authentication cookies.
    Note: This step is optional if you are not using risk-based authentication.
16. Click Next. The Destination Folder page appears.




17. Select the folder where you want to install the application and click Next.

© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           21
18. The Ready to Install Entrust Datacard AD FS Adapter page appears.




19. Click Install to start the installation.
20. The Completed Entrust Datacard AD FS Adapter Setup Wizard page appears.
21. Click Finish to exit the Setup Wizard. You must now restart your AD FS service.


Restarting the AD FS service
To restart the AD FS service
1. Go to Control Panel > System and Security > Administrative Tools > Services to display your list of
   services.
2. Right-click Active Directory Federation Services and select Restart from the drop-down menu.




© Copyright 2019 Entrust Datacard                                              http://www.entrustdatacard.com
All rights reserved.                                                                                        22
Configuring AD FS for Entrust Datacard
authentication
To configure AD FS for Entrust Datacard authentication you must create the AD FS policy that invokes
the Entrust Datacard AD FS Adapter.
This section contains the following procedures:

    •    To configure AD FS 5.0 for Entrust Datacard authentication on Windows 2019
    •    To configure AD FS 4.0 for Entrust Datacard authentication on Windows 2016
    •    To configure AD FS 3.0 for Entrust Datacard Authentication on Windows 2012 R2

To configure AD FS 5.0 for Entrust Datacard authentication on Windows 2019
1. Ensure that you have restarted the Active Directory Federation Services after installing the Entrust
   Datacard AD FS Adapter (see Restarting the AD FS service).
2. Go to Start > Administrative Tools and double-click AD FS Management to open the AD FS
   Console.
    The AD FS Console window appears.




3. Click Authentication Methods. The AD FS Authentication Methods Overview page appears.




© Copyright 2019 Entrust Datacard                                                http://www.entrustdatacard.com
All rights reserved.                                                                                          23
4. Click Edit Multi-factor Authentication Methods. The Edit Authentication Methods appears.




© Copyright 2019 Entrust Datacard                                          http://www.entrustdatacard.com
All rights reserved.                                                                                    24
5. Check Entrust Datacard Authentication to invoke Multi-factor authentication using the Entrust
   Datacard AD FS Adapter.
6. Click OK.

To configure AD FS 4.0 for Entrust Datacard authentication on Windows 2016
1. Ensure that you have restarted the Active Directory Federation Services after installing the Entrust
   Datacard AD FS Adapter (see Restarting the AD FS service).
2. Go to Start > Administrative Tools and double-click AD FS Management to open the AD FS
   Console.
    The AD FS Console window appears.




3. Click Authentication Methods. The AD FS Authentication Methods Overview page appears.




4. Click Edit Multi-factor Authentication Methods. The Edit Authentication Methods appears.




© Copyright 2019 Entrust Datacard                                                http://www.entrustdatacard.com
All rights reserved.                                                                                          25
5. Check Entrust Datacard Authentication to invoke Multi-factor authentication using the Entrust
   Datacard AD FS Adapter.
6. Click OK.

To configure AD FS 3.0 for Entrust Datacard Authentication on Windows 2012 R2
1. Ensure that you have restarted the Active Directory Federation Services after installing the Entrust
   Datacard AD FS Adapter (see Restarting the AD FS service).
2. Go to Start > Administrative Tools and double-click AD FS Management to open the AD FS
   Console.
    The AD FS Console window appears.




© Copyright 2019 Entrust Datacard                                                http://www.entrustdatacard.com
All rights reserved.                                                                                          26
3. Click Authentication Policies. The AD FS Authentication Policies Overview page appears.




4. Click Edit Global Multi-factor Authentication. The Edit Global Policy Authentication page appears.




© Copyright 2019 Entrust Datacard                                            http://www.entrustdatacard.com
All rights reserved.                                                                                      27
5. Check Entrust Datacard Authentication to invoke Multi-factor authentication using the Entrust
   Datacard AD FS Adapter.
6. Optional selections:
    a. Under Users/Groups, click Add to add users or groups that require MFA using the Entrust
       Datacard AD FS Adapter
    b. Under Devices, select Unregistered Devices, Registered Devices, or both as the triggers to
       invoke MFA using the Entrust Datacard AD FS Adapter.
    c. Under Locations, select Extranet, Intranet or both as the triggers to invoke MFA using the
       Entrust Datacard AD FS Adapter.
7. Click OK.




© Copyright 2019 Entrust Datacard                                             http://www.entrustdatacard.com
All rights reserved.                                                                                       28
Testing the integration
Before you test your integration, you must create a user in Entrust IdentityGuard or IntelliTrust and assign
an authenticator to the user. After doing so, you should be able to access the WAP published.

To test the integration
1. Go to the starting page for the sample WAP application, for example,
   https://igadfsplugin.mydomain.com/claimapp. WAP redirects to AD FS for first factor
   authentication.
    The First Factor authentication page appears.




2. Enter your userID and password and click Sign in.
    The Entrust Datacard AD FS Adapter second-factor authentication page appears.




© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           29
3. Enter your second factor authentication.
    After successful authentication, a security token is returned with the claim, which WAP is expecting
    from AD FS and the Resource page appears.
    The WAP sample application resource page.




© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           30
© Copyright 2019 Entrust Datacard   http://www.entrustdatacard.com
All rights reserved.                                             31
Post-installation configuration
After installing the Entrust Datacard AD FS Adapter, you complete the following post-installation tasks, as
required. This section includes the following topics:

    •    Configuring AD FS for IntelliTrust
    •    Configuring AD FS for Entrust IdentityGuard
    •    Configuring the second factor authentication method
    •    Configuring alternate authenticators
    •    Configuring the user domain to Entrust IdentityGuard group mapping
    •    Migrating users to Entrust IdentityGuard
    •    Customizing end-user messages
    •    Configuring logging


Configuring AD FS for IntelliTrust
You need to configure the Authentication API to allow authentication using IntelliTrust.

To configure for IntelliTrust authentication
1. Stop Active Directory Federation Services.
2. Go to \IntelliTrust ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Set the AuthenticationAPI element to IntelliTrust.
    This setting is used to make REST calls to IntelliTrust and to validate the second factor authenticators
    against IntelliTrust.
    a. To configure the AuthenticationAPI, locate the following:
         

    b. Change the Authentication API as follows:
         IntelliTrust
4. Configure the Application ID.
    The Application ID is the unique identifier of the IntelliTrust authentication API application. This is
    ID is created in IntelliTrust when you add AD FS as an authentication API to IntelliTrust.
    a. To configure the ApplicationID, locate the following:
         
    b. Add the ApplicationID created in IntelliTrust. For example:
         1d123f45-d5c8-45f5-a614-e3f123c45be6
5. Save and close eigadfsplugin.xml.
6. Restart Active Directory Federation Services.




© Copyright 2019 Entrust Datacard                                                  http://www.entrustdatacard.com
All rights reserved.                                                                                            32
Configuring AD FS for Entrust IdentityGuard
You need to configure the Authentication API to allow authentication using Entrust IdentityGuard.

To configure for Entrust identityGuard authentication
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Set the AuthenticationAPI element to IdentityGuard.
    This setting is used to make SOAP calls to IntelliTrust and to validate the second factor authenticators
    against IntelliTrust.
    a. To configure the AuthenticationAPI, locate the following:
         

    b. Change the Authentication API as follows:
         IdentityGuard
4. Provide the Entrust IdentityGuard server and config elements. See Configuring the second factor
   authentication method.
5. Save and close eigadfsplugin.xml.
6. Restart Active Directory Federation Services.


Configuring the second factor authentication method
After installation you can change the second factor authentication by editing the eigadfsplugin.xml
file.

Note: For your changes to take effect, you must comment the authentication second factor method you
no longer want to use and uncomment the new authentication method in the eigadfsplugin.xml file.

For example, if during installation you chose grid as the second factor authentication method but you
want to replace it with another method, such as policy, be sure to comment the definition for grid and
uncomment the definition for policy to ensure that your changes are applied.

This section contains the following topics:

    •    Configuring policy-based authentication
    •    Configuring grid authentication
    •    Configuring token authentication
    •    Configuring knowledge-based authentication
    •    Configuring policy authentication to override Q&A challenge size
    •    Configuring one-time password (OTP) authentication
    •    Configuring Mobile Smart Credential authentication (Identity Assured)
    •    Configuring Mobile Soft Token (TVS) authentication




© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           33
Configuring policy-based authentication
You can use policy-based authentication as your second-factor authentication type by editing the Entrust
Datacard AD FS Adapter configuration file.

To configure policy-based authentication
7. Stop Active Directory Federation Services.
8. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
9. Locate the AuthenticationMethods element.
         
                   ...
         

10. Define an AuthMethod element as shown in the example below.
         
               
               
         
11. Be sure to uncomment the policy definition strings.
12. Save and close eigadfsplugin.xml.
13. Restart Active Directory Federation Services.

Configuring grid authentication
You can use grid authentication as your second-factor authentication type by editing the Entrust Datacard
AD FS Adapter configuration file. Additionally, you can configure grid to specify an enhanced RBA and a
particular Entrust IdentityGuard group.

To configure grid authentication
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                     
               

© Copyright 2019 Entrust Datacard                                               http://www.entrustdatacard.com
All rights reserved.                                                                                         34
normal
                            false
                            
                                  
                                  
                                  false
                            
               
         
5. Be sure to uncomment the grid definition strings.
6. Save and close eigadfsplugin.xml.
7. Restart Active Directory Federation Services.

To configure grid for enhanced RBA
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                     
               
               
                     enhanced
                     false
                     
                           
                           
                           true
                     
                  
         
5. Be sure to uncomment the applicable definition strings.
6. Save and close eigadfsplugin.xml.


© Copyright 2019 Entrust Datacard                                    http://www.entrustdatacard.com
All rights reserved.                                                                              35
7. Restart Active Directory Federation Services.

Configuring token authentication
You can use token as your second-factor authentication type by editing the Entrust Datacard AD FS
Adapter configuration file.

To configure token authentication
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                      
               
               
                      normal
                      false
                      
                            
                            
                            false
                      
               
         
5. Be sure to uncomment the token definition strings.
6. Save and close eigadfsplugin.xml.
7. Restart Active Directory Federation Services.

Configuring knowledge-based authentication
You can use knowledge-based as your second-factor authentication type by editing the Entrust Datacard
AD FS Adapter configuration file. Additionally, you can configure knowledge-based authentication to
override the default question and answer challenge size.

To configure knowledge-based authentication
1. Stop Active Directory Federation Services.



© Copyright 2019 Entrust Datacard                                             http://www.entrustdatacard.com
All rights reserved.                                                                                       36
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                      
               
               
                      normal
                      flase
                      
                            
                            
                            false
                      
               
         
5. Be sure to uncomment the KB definition strings.
6. Save and close eigadfsplugin.xml.
7. Restart Active Directory Federation Services.

To configure knowledge-based authentication and override the default question and answer
challenge size
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                     
                           
                           false


© Copyright 2019 Entrust Datacard                                         http://www.entrustdatacard.com
All rights reserved.                                                                                   37
normal
                      false
                      
                            
                            
                            false
                      
               
         
5. Be sure to uncomment the applicable definition strings.
6. Save and close eigadfsplugin.xml.
7. Restart Active Directory Federation Services.

Configuring policy authentication to override Q&A challenge size
You can configure policy authentication to override the default question and answer challenge size if
knowledge-based is chosen for the user.

To configure policy authentication and override the default question and answer challenge
size
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                     
                         
                         false
                         false
                     
               
               
                         normal
                         false
                         



© Copyright 2019 Entrust Datacard                                                http://www.entrustdatacard.com
All rights reserved.                                                                                          38
false
                       
               
         
5. Be sure to uncomment the applicable definition strings.
6. Save and close eigadfsplugin.xml.
7. Restart Active Directory Federation Services.

Configuring one-time password (OTP) authentication
You can use one-time password as your second-factor authentication type by editing the Entrust
Datacard AD FS Adapter configuration file.

To configure OTP authentication
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                      
                        false
                      
               
               
                      normal
                      false
                      
                             
                             
                             false
                      
               
         


© Copyright 2019 Entrust Datacard                                             http://www.entrustdatacard.com
All rights reserved.                                                                                       39
5. Be sure to uncomment the OTP definition strings.
6. Enable optional display and masking of information values in OTP challenges, as shown below:
true

    By default, this element is set to false.
Note: IntelliTrust is not supported if this setting is set to true.

When users initiate the sending of one-time passwords (OTP) to be used for authentication, they choose
the email or phone number to which the OTPs should be sent. This feature shows the contact information
values (with masking) in addition to generic labels such as Work Email and Work Phone. For details, see
"Set policies for out-of-band OTPs" in the Entrust IdentityGuard Server Administration Guide.


7. Save and close eigadfsplugin.xml.
8. Restart Active Directory Federation Services.

Configuring Mobile Smart Credential authentication (Identity Assured)
You can use Mobile SC as your second-factor authentication type by editing the Entrust Datacard AD FS
Adapter configuration file.

To configure Mobile SC authentication
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. Define an AuthMethod element as shown in the example below.
         
               
                      
               
               
                      normal
                      false
                      
                            
                            
                            false
                      
               
         

© Copyright 2019 Entrust Datacard                                             http://www.entrustdatacard.com
All rights reserved.                                                                                       40
5. Be sure to uncomment the MobileSC definition strings.
6. Save and close eigadfsplugin.xml.
7. Restart Active Directory Federation Services.

Configuring Mobile Soft Token (TVS) authentication
You can use Mobile ST as your second-factor authentication type by editing the Entrust Datacard AD FS
Adapter configuration file.

To configure Mobile ST authentication
1. Stop Active Directory Federation Services.
2. Go to \IdentityGuard ADFS Adapter\config and open the
   eigadfsplugin.xml file.
3. Locate the AuthenticationMethods element.
         
                   ...
         

4. To enable automatic fall back from Mobile Soft Token (TVS) Authentication to Token Authenticaiton,
   set define an AuthMethod element as shown in the example below.
    
       
              
       
       
              normal
    false
              
                    
                    
                    false
              
       
    
5. To disable automatic fallback from Mobile Soft Token (TVS) authentication to token authentication,
   define an AuthMethod as shown in the following example:
    
       
             
       
       
             normal
    false
             

© Copyright 2019 Entrust Datacard                                              http://www.entrustdatacard.com
All rights reserved.                                                                                        41
false
              
       
    
6. Be sure to uncomment the MobileST definition strings.
7. Save and close eigadfsplugin.xml.
8. Restart Active Directory Federation Services.




© Copyright 2019 Entrust Datacard                            http://www.entrustdatacard.com
All rights reserved.                                                                      42
Configuring alternate authenticators
To have a link for an alternate authenticator appear on the login screen for a given user, that
authenticator must:

    •    be configured for use in the policy for the Entrust IdentityGuard group to which the user belongs
    •    be an authenticator that the user possesses (for example a grid card, knowledge of the answers
         to questions, or a mobile smart credential)
    •    be configured as an alternate authentication method for a given  in
         the eigadfsplugin.xml file
You can configure the Entrust Datacard AD FS Adapter to display alternative second-factor
authenticators on the second-factor authentication page (see Figure 2: Alternative authenticators). Users
can select an alternative if they do not have their primary authenticator.
The following authenticators are supported as alternatives:

    •    grid
    •    token
    •    knowledge-based Q&A
    •    one-time password (OTP)
    •    MobileSC
    •    MobileST
For example, Q&A will be visible as an alternative even if the user has not created Q&A answers yet, if
you allowed Q&A in your policy and it is configured in the configuration file.
Figure 2: Alternative Authenticators




© Copyright 2019 Entrust Datacard                                                 http://www.entrustdatacard.com
All rights reserved.                                                                                           43
Next part ... Cancel