Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0. Document issue: 1.0 May 2019

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Entrust is a trademark or a registered trademark of Entrust Datacard Limited in Canada. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. or Entrust Datacard Limited in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries. The information is subject to change as Entrust Datacard reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

You should not act or abstain from acting based upon such information without first consulting a professional. ENTRUST DATACARD DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS OF THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED "AS IS" WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST DATACARD SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NONINFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE.

Copyright © 2019. Entrust Datacard. All rights reserved.

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 3 Contents Introduction ___ 5
Overview ___ 5
Integration information ___ 5
Authentication overview ___ 6
Two-factor authentication ___ 9
Primary authentication ___ 9
Secondary authentication ___ 9
Authentication flow ___ 9
Multifactor authentication flow process ___ 10
Performing the integration ___ 11
Integrating with IntelliTrust ___ 11
Add an Authentication API to IntelliTrust ___ 12
Add a Resource Rule ___ 12
Installing the Entrust Datacard AD FS Adapter ___ 16
Prerequisites ___ 16
Install the Entrust Datacard AD FS Adapter primary server ___ 16
Restarting the AD FS service ___ 22
Configuring AD FS for Entrust Datacard authentication ___ 23
Testing the integration ___ 29
Post-installation configuration ___ 32
Configuring AD FS for IntelliTrust ___ 32
Configuring AD FS for Entrust IdentityGuard ___ 33
Configuring the second factor authentication method ___ 33
Configuring policy-based authentication ___ 34
Configuring grid authentication ___ 34
Configuring token authentication ___ 36
Configuring knowledge-based authentication ___ 36
Configuring policy authentication to override Q&A challenge size ___ 38
Configuring one-time password (OTP) authentication ___ 39
Configuring Mobile Smart Credential authentication (Identity Assured ___ 40
Configuring Mobile Soft Token (TVS) authentication ___ 41
Configuring alternate authenticators ___ 43
Configuring the user domain to Entrust IdentityGuard group mapping ___ 44
Migrating users to Entrust IdentityGuard or IntelliTrust ___ 45
Forcing migration ___ 45
Phasing in migration ___ 46
Modifying user migration settings ___ 47
Modifying the SkipAuthNoExist element ___ 48
Modifying the SkipAuthNoActive element ___ 48
Customizing end-user messages ___ 49
Configuring logging ___ 49
Location of log files ___ 49
Changing the logging level ___ 50
Configuring the log file settings ___ 50
Uninstalling the Entrust Datacard AD FS Adapter .

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 4 Appendix A: Installing and Configuring AD FS 3.0 ___ 61
Installing AD FS 3.0 ___ 61
Configuring AD FS ___ 63
Configuring an AD FS sample application ___ 71
Installing WAP ___ 71
Configuring WAP ___ 73
Publishing AD FS 3.0 sample application on WAP ___ 76
Configuring WAP on Windows server 2016 and 2019 ___ 81
Publishing AD FS 4.0 and 5.0 sample application on WAP ___ 83
Appendix B: Configuring failover for Entrust IdentityGuard Servers ___ 89
Appendix C: Known issues .

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 5 Introduction This Technical Integration Guide provides an overview of how to integrate Entrust® IdentityGuard Adapter with Microsoft® Active Directory Federation Services (AD FS). The aim of this integration is to add Entrust IdentityGuard multi-factor authentication (MFA) to AD FS. The Entrust IdentityGuard Adapter uses the pluggable Multi-factor authentication (MFA) option of AD FS to integrate Entrust IdentityGuard MFA with AD FS.

Overview Entrust Datacard AD FS Adapter integrates the Entrust IdentityGuard Server and IntelliTrust second factor authentication to Microsoft Active Directory Federation Services.

The Entrust IdentityGuard Server is a server-based software product that authenticates and manages users and their authentication data. Entrust IdentityGuard provides strong second-factor authentication. When AD FS is integrated with the Entrust Datacard AD FS Adapter, the Entrust Datacard AD FS Adapter serves as a login and re-authentication device to allow for two-factor authentication for system access or to verify certain secured actions.

Integration information Entrust Product: Entrust IdentityGuard 12.0 FP1 or later Partner name: Microsoft Web site: http://www.microsoft.com Product name: Active Directory Federation Services Product version: 3.0, 4.0, 5.0 Partner Product description: In Windows Server® 2012 R2, Windows Server® 2016, and Windows Server® 2019, AD FS includes a federation service role service that acts as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS).

Active Directory Federation Services (AD FS) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Web sites and services. AD FS can be used to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for duplicate accounts, management of multiple logons, and other credential management issues that can occur when establishing crossorganizational trusts. The AD FS platform provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 6 Authentication overview The following tables describe the supported authentication methods. Table 1: Supported authentication methods for Entrust IdentityGuard Authentication Type Description Entrust IdentityGuard One-Time Password In OTP authentication, the user enters a password that can be used only once. In the classic case, the user receives the password only when it is needed. Entrust IdentityGuard allows users to have multiple OTPs. Since OTPs can be used only once, the user’s supply of OTPs is reduced with each authentication.

When the user’s supply of OTPs falls below a threshold, Entrust IdentityGuard automatically generates and sends a new supply of OTPs.

The operation and refresh threshold are defined in Entrust IdentityGuard policy. OTP authentication can be used with a personal verification number (PVN) if your system is set up to require it. Entrust IdentityGuard Grid In grid authentication, the user enters the user ID and password on one page, and the response to the grid challenge on the next page. Grid authentication can be used with a personal verification number (PVN) if your system is set up to require it. Entrust IdentityGuard Knowledge Based Q & A During user registration, the user sets up answers for some predefined (and sometimes user-defined) questions.

In knowledgebased authentication, the user answers these previously-defined questions.

Entrust IdentityGuard Token In token authentication, the user enters a code generated on a hardware or software token in response to a token challenge. There are two types of hardware tokens:
  • response-only (RO)
  • challenge-response (CR) Token authentication can be used with a personal verification number (PVN) if your system is set up to require it. Entrust IdentityGuard Mobile Soft Token TVS is a strong out-of-band authentication method where an authentication challenge is sent on user’s mobile. This challenge is signed by the Entrust Mobile Soft Token app and verified by Entrust IdentityGuard server. A user can accept or reject the challenge, which results in either a successful or failed authentication. Entrust IdentityGuard Mobile Smart Credentials Identity Assured is a strong out-of-band authentication method where an authentication challenge is sent on user’s mobile. This challenge is signed by the Entrust Mobile smart card app and verified by Entrust IdentityGuard server. A user can accept or reject the challenge, which results in either a successful or failed authentication
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 7 Authentication Type Description Entrust IdentityGuard Personal Verification Number Provides an extra level of security when using grids, tokens, and temporary PINs. Any grid, token, or temporary PIN challenge can also include a PVN challenge. By default, no authentication methods require a PVN, so you must set the Entrust IdentityGuard policy to require PVNs. An administrator can create PVNs for your users, or you can let users create and update their own PVNs.

The PVN can be any length from 1-255 digits, but you should select a length that makes the value easy to remember and enter, while still providing an acceptable level of security.

You set the length in the PVN policy on the Entrust IdentityGuard Server. Each user can have just one PVN. You can force a user to update their PVN just after an administrator creates it, or anytime the PVN gets too old. If a user’s PVN needs to be changed, the user receives at the next login attempt. The change request appears with the second-factor challenge.

Entrust IdentityGuard Temporary PIN A temporary PIN is a fallback authentication method used when the user:
  • is not yet registered for a grid or token
  • the user has lost or forgotten their grid or token
  • The user requests the temporary PIN, and receives a password (PIN) that can be used to log on. The temporary PIN can be used to replace grid, or token authentication. Temporary PINs can be used with a personal verification number (PVN) if your system is set up to require it. Machine risk-based authentication Supports checking the IP address and additional client information (for example persistent browser cookies) of the user logging in. Table 2: Supported authentication methods for IntelliTrust Authentication Type Description One-time password (OTP) In OTP authentication, the user enters a password that can be used only once. In the classic case, the user receives the password only when it is needed by email, SMS, or voice.

Grid In grid authentication, the user a the response to the grid challenge. Knowledge Based Q & A During user registration, the user sets up answers for some predefined (and sometimes user-defined) questions. In knowledgebased authentication, the user answers these previously-defined questions. Token In token authentication, the user enters a code generated on a hardware or software token in response to a token challenge.

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
© Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 8 Authentication Type Description Mobile Soft Token TVS is a strong out-of-band authentication method where an authentication challenge is sent on user’s mobile. This challenge is signed by the Entrust Mobile Soft Token app and verified by IntelliTrust. A user can accept or reject the challenge, which results in either a successful or failed authentication. Mobile Smart Credentials Identity Assured is a strong out-of-band authentication method where an authentication challenge is sent on user’s mobile. This challenge is signed by the Entrust Mobile smart card app and verified by IntelliTrust server. A user can accept or reject the challenge, which results in a successful or failed authentication Entrust IdentityGuard Temporary PIN A temporary PIN is a fallback authentication method used when the user:
  • is not yet registered for a grid or token
  • the user has lost or forgotten their grid or token
  • The user requests the temporary PIN, and receives a password (PIN) that can be used to log on. The temporary PIN can be used to replace grid, or token authentication. Temporary PINs can be used with a personal verification number (PVN) if your system is set up to require it. Machine risk-based authentication Supports checking the IP address and additional client information (for example persistent browser cookies) of the user logging in.
Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.
© Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 9 Two-factor authentication AD FS supports both primary and secondary authentication of users against Active Directory. Primary authentication Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 support the following primary authentication methods:
  • Windows integrated authentication
  • Username and password
  • Client certificate (client Transport Layer Security (TLS), including SmartCard authentication Secondary authentication Secondary authentication occurs immediately after primary authentication and authenticates the same Active Directory (AD) user. Once primary authentication is complete and successful, AD FS invokes an external authentication handler. This handler invokes an additional authentication provider, either an in-box AD FS provider or an external MFA provider, based on protocol inputs and policy. AD FS passes the primary authenticated user’s identity to the additional authentication provider, which performs the authentication and returns the results. At this point, AD FS continues executing the authentication/authorization policy and issues the token accordingly. Authentication flow AD FS provides extensible Multifactor Authentication by additional authentication providers that are invoked during secondary authentication. AD FS includes, in-box, the x509 certificate authentication provider. Other, external providers developed by AD FS partners can be registered in AD FS by the administrator. Once a provider is registered with AD FS, it is invoked from the AD FS authentication code through specific interfaces and methods that the provider implements and that AD FS calls. Because it provides a bridge from AD FS to the functionality of an external authentication provider, the external authentication provider is also called an AD FS MFA adapter.

Figure 1 provides an overview of the AD FS authentication flow using the AD FS Adapter for second factor authentication with Entrust IdentityGuard.

Technical Integration Guide for Entrust Datacard Adapter 5.0 for Active Directory Federation Services (AD FS) 3.0, 4.0, and 5.0.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 10 Figure 1: Overview of AD FS multifactor authentication flow Multifactor authentication flow process The multifactor authentication flow works as follows: 1. The user accesses a resource protected using AD FS on WAP, for example, Microsoft OWA. 2. The user is redirected to the AD FS primary authentication login page, for example, forms authentication or Integrated Windows Authentication (IWA).

3. AD FS performs the primary authentication by validating the credentials with Active Directory Domain Service.

4. AD FS invokes the Entrust Datacard AD FS Multifactor Authentication Adapter. 5. Entrust Datacard AD FS Adapter submits the SF challenge page to AD FS and then presents it to the user. 6. The user provides SF response to Entrust Datacard AD FS Adapter by way of AD FS. 7. Entrust Datacard AD FS Adapter verifies SF response and returns success or failure to AD FS. 8. AD FS issues a security token (WS-trust, WS federation or SAML 2.0) and redirects to original protected resource.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved.

11 Performing the integration To integrate Active Directory Federation Services and the Entrust Datacard AD FS Adapter for Entrust IdentityGuard, you complete the following steps: To integrate with Entrust IdentityGuard 1. Install and configure AD FS. 2. Install and configure WAP. 3. Publish an AD FS sample application on WAP. 4. Install Entrust IdentityGuard Adapter. 5. Restart the AD FS service. 6. Configure AD FS for Entrust Datacard authentication. 7. Test the integration by publishing a WAP application. Note: This guide assumes that you have WAP, AD FS 3.0, 4.0, 0r 5.0 and at least one Relying Party, protected by AD FS working prior to Entrust Datacard AD FS Adapter integration.

Appendix A provides instructions on installing and configuring AD FS, WAP, and a publishing application. However, it is expected that customers contact Microsoft support if they encounter any issues. To integrate with IntelliTrust 1. Add AD FS as an authentication API to IntelliTrust. 2. Create a resource rule in IntelliTrust to protect access to AD FS. 3. Install and configure AD FS 5.0.

4. Restart the AD FS service. 5. Configure AD FS for Entrust Datacard authentication. 6. Test integration by publishing a WAP application. Integrating with IntelliTrust If you want to install Entrust Datacard AD FS installer for IntelliTrust, you need to add Authentication API to IntelliTrust and copy the Application ID for use in the Entrust Datacard AD FS Adapter installer. You must also create a resource rule to protect your resource. Prerequisites The Entrust Datacard AD FS Adapter IntelliTrust Authentication API uses TLS 1.2. For IntelliTrust Authentication API, you must change the subkeys listed below to establish a successful connection between the IntelliTrust Authentication API and the Entrust Datacard AD FS Adapter.

Subkeys for this new registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]"SchUseStro ng Crypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SchUseStro ng Crypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 ]"

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 12 SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727 ]" SchUseStrongCrypto"=dword:00000001 All .net applications using Framework 4.5 use SSL 3.0 and TLS 1.0 by default for all SSL/TLS Handshakes. If you make the registry changes documented in https://support.microsoft.com/enus/help/3194197/considerations-for-disabling-and-replacing-tls-1-0-in-adfs, the default protocols are replaced with TLS 1.0, TLS1.1 and TLS1.2 for SSL/TLS Handshakes.

Complete the following procedures before installing the Entrust Datacard AD FS installer for IntelliTrust:
  • Add an Authentication API to IntelliTrust
  • Add a Resource Rule Add an Authentication API to IntelliTrust 1. Log in to your IntelliTrust account with administrative privileges that allow you to add an Authentication API to IntelliTrust. 2. Click Resources > Applications. The Applications List page appears. 3. Click Add. The Add Applications page appears. 4. Under API Applications, click Authentication API. The Add Authentication API page appears. 5. In the Application Name field, type a name for your application. 6. Optional. In the Application Description field, type a description for your application. 7. Optional. Add a custom application logo, as follows: a. Click + next to Application Logo. The Upload Logo dialog box appears. b. Click the upload icon next to Select image file to select an image file to upload. c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image. e. Click OK. 8. Click Next. The General Settings page appears. 9. Select Not Provided as the Source of Client IP Address for Risk Conditions. 10. Click Submit. A success message appears containing the Application ID. 11. Copy the Application ID to your clipboard. You need the Application ID when you install the Entrust Datacard AD FS Adapter for IntelliTrust. 12. Click Add Resource Rule and follow the instructions in Add the Resource Rule. Add a Resource Rule 1. Click Add Resource Rule. The Add Resource Rule General Settings page appears with the Select Resource and Rule Name pre-populated.

2. From the Groups list, select the group or groups of users restricted by the resource rule.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 13 These are the groups to which the resource rule applies. If you do not select any groups, by default the resource rule will apply to all groups. 3. Click Next. The Authentication Conditions Settings page appears. 4. Set the Date/Time to set the Date/Time Condition Settings, as follows: a. Select Allow Date/Time or Deny Date/Time to either allow or deny access to the application on a specific date or time.

The Date/Time Context Condition Settings appear. b. Select and set one of the following for the Condition Type: Specific Date Range Condition—Allows or denies access to the application during a select period of days.

Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to the application on a specific time of day, day of the week, or both. Recurring times selected only apply to days not denied. Clear Selection—Clears existing Date and Time conditions. Note: If you select Allow, Time-of-day and/or Day-of-Week Recurring Condition(s), you must select every day. You can Allow nothing. To completely deny access, set the resource rule to Inactive from the Resource Rules page. You can also completely block access by denying all days; select Deny, Time-of-day and/or Day-of-Week RecurringCondition(s), and enter 00:00AM to 11:59PM as the time range.

c. Optional: Select either Use local time zone - or - In the Begin typing a Timezone field, enter a custom time zone. This time zone is used to identify when a day begins and ends. - If you selected Specific Date Range Condition, you must select the Start Date and optionally the End Date from the pop-up calendar. - If you select Time-of-day and/or Day of Week Recurring Conditions, you must select the Start Time and optionally, the End Time from the pop-up clock. d. Click Save to save the date and time conditions. You are returned to the Authentication Conditions Settings page.

5. Click Geolocation to set the Location Conditions Settings, as follows: e.

Select Allow or Deny to build an allowed or denied country list. f. From the Selected Countries drop-down list, select the countries to add or deny access to the application. Repeat until all the desired countries are added to the list. g. Click Save to save the Geolocation settings. You are returned to the Authentication Conditions Settings page. 6. Click Source IP address to set the IP Address Condition Settings, as follows: a. Select Allow or Deny to add or deny access to resources with an IP Address/CIDR. b. In the IP Address/cidr field, enter the IP Address/CIDR that you want to allow or deny and click Add.

Repeat until all the desired IP addresses/CIDR are added to the list. c. Click Save to save the Source IP address settings. You are returned to the Authentication Conditions Settings page.

7. Define the Machine ID, Location History / Known Locations, and Travel Velocity conditions.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 14 The settings for these conditions are defined by the Risk-Based Authentication (RBA) settings of your IntelliTrust account. See Managing risk-based authentication in the IntelliTrust Administrator Online Help for more information. 8. Click Machine ID to set the Machine ID Condition Settings, as follows: a. Set Machine Authentication Risk is less than or equal to the value that the machine authenticator's total risk score must be less than during authentication to pass this condition.

The risk score is based on the attribute differences between a user's Machine Authentication information and that recorded on IntelliTrust before the condition fails. If an attribute does not match, the attribute incurs the number of risk points shown in Non-Matching Risk Points for that attribute. The Non-Matching Risk Points values of non-matching attributes are added together, resulting in a total risk score. This score is normalized to be out of 100 as follows: Total Risk Score = (Total Risk Points of Failing Attributes / Maximum Risk Points of All Enabled Attributes) * 100 The resource rule condition fails when the number of non-matching risk points exceeds the Machine Authentication Risk value defined in this step.

A value of 0 means that a single attribute difference causes the Device Fingerprint condition to fail. The default value is 3. The value between 0-50 can be entered.

The default value is defined by the Machine Risk Limit. b. Click Save to save the Machine ID settings. You are returned to the Authentication Conditions Settings page. 9. Set the risk score for each condition, as follows: a. Click and drag the slider to the right of the condition to the number of risk points a user receives if they fail to meet the condition. Risk points determine the authentication requirements as set by the Authentication Decisions. When a user attempts to authenticate to an application, the final risk score is calculated based on the risk assessed for each of the identified conditions.

10. Set the Authentication Decision settings, as follows: a. Click the risk threshold range to the right of Medium Risk and High Risk. For example, (21-50 points) is the default threshold range for Medium Risk. The risk threshold dialog box appears. b. Review the number of points assigned to each risk level and modify them as required. c. Set the Authentication Decisions risk settings using one of the following options: a. Select the First Factor from the drop-down list. The type of authenticator selected is the first type of authentication challenge a user must complete to access the application.

The list of Second Factors authenticators available is updated based on the type of First Factor authenticator selected. b. Click the checkboxes to select the Second Factors. The authenticators you select are those that can be used to complete this authentication challenge.

c. Click and drag the Second Factors authenticators for the risk level so that they are ordered from top to bottom in order of preference. d. Repeat step d for Medium Risk and High Risk. Note: You cannot add second factors to medium and high risk if you select Deny Access is selected as the first factor.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 15 11. Optional: Select Disable Single Sign-On for Application to force a user to re-authenticate using the authenticator level required when the user accesses the application.

12. Optional: Modify the Q&A challenge size and Number of Wrong Answers Allowed for the resource rule. This setting is visible only if you have modified the IntelliTrust default settings for Knowledge-based authentication. 13. Click Done to create your resource rule. Note: For more information about resource rules, see the IntelliTrust Administration Online Help for instructions.

© Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 16 Installing the Entrust Datacard AD FS Adapter The following instructions provide details on installing Entrust Datacard AD FS Adapter. This section includes the following topics:
  • Prerequisites
  • Adding an Authentication API to IntelliTrust
  • Install the Entrust Datacard AD FS Adapter primary server Prerequisites Before you begin the installation, ensure that the following prerequisites are met:
  • You must install the Entrust Datacard AD FS Adapter Plugin installer on the primary AD FS Server first and then later on the secondary AD FS Server Farm.
  • Microsoft Services Active Directory Federation Services should be in a Running state during the installation of the Entrust Datacard AD FS Adapter Plugin installer.
  • If you are installing on IntelliTrust, you must first add an Authentication API to IntelliTrust to generate an Application ID. You need to add the Application ID during the Entrust Datacard AD FS Adapter installation. You also need to create a resource rule in IntelliTrust for Entrust Datacard AD FS. Install the Entrust Datacard AD FS Adapter primary server To install the Entrust Datacard AD FS Adapter 1. Download the Entrust Datacard AD FS Adapter software from Entrust Datacard Trusted Care at https://trustedcare.entrustdatacard.com.

2. Copy the software to your computer. 3. Double-click the IG_ADFS_5.0.msi installer file. The Entrust Datacard AD FS Adapter Setup Wizard appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 17 4. Click Next to continue. 5. Click Next to begin the installation. The License Agreement page appears. 6. Read the license agreement for Entrust IdentityGuard software carefully, and select I accept the license agreement. 7. Click Next. The Federation Server Setup page appears.

© Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 18 8. On the Federation Server setup page, select one of the following options:
  • Select Primary ADFS server if you are installing on a primary server.
  • Select Other ADFS server if you are installing on another AD FS server. 9. Click Next. The Authentication Server Setup page appears. 10. Select one of the following options:
  • Entrust IdentityGuard Server to install AD FS for Entrust IdentityGuard authentication. –or–
  • © Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 19
  • Entrust Datacard IntelliTrust Authentication Service to install AD FS for IntelliTrust authentication. 11. Complete Next. 12. Follow these steps if you selected to install AD FS for Entrust IdentityGuard Server authentication: On the Authentication Adapter Setup page, complete the following: a. Enter the host names of one or more Entrust IdentityGuard Servers in the IdentityGuard Server fields. If you need to configure more than five Entrust IdentityGuard Servers, you can add the extra servers after installation is complete. See “Appendix B: Configuring failover for Entrust IdentityGuard Servers.” Note: The preferred Entrust IdentityGuard Server (number 1) is the Primary Entrust IdentityGuard Server in a high availability failover scenario. b. Enter the port number being used by the Entrust IdentityGuard authentication service in the Auth Port field.

Default port assignment numbers: 8080 non-SSL 8443 SSL c. If needed, select Auth Port Requires SSL. Note: If you select SSL, you must already have imported the appropriate certificates into the local computer store of the computer where you are installing the Entrust Datacard AD FS Adapter. d. Click Next. The Authentication Provider Setup page appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 20 e. Select the second factor authentication type from the drop-down menu. The default is Policybased. f. Optionally, select Use Risk-Based Authentication if you want to enable machine authentication.

13. Follow these steps if you selected to install AD FS for IntelliTrust authentication: On the IntelliTrust Authentication Setup page, complete the following: a. In the IntelliTrust Tenant URL field, enter the IntelliTrust Tenant URL. For example, ..trustedauthdev.com.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 21 b. In the Application ID field, enter the Application ID that what generated when you created the Authentication API in IntelliTrust (see the IntelliTrust Administrator Online Help). 14. Click Next. The Cookie Domain page appears. 15. If you are using risk-based authentication, provide the cookie domain for Entrust IdentityGuard authentication cookies. Note: This step is optional if you are not using risk-based authentication. 16. Click Next. The Destination Folder page appears.

17. Select the folder where you want to install the application and click Next.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 22 18. The Ready to Install Entrust Datacard AD FS Adapter page appears. 19. Click Install to start the installation. 20. The Completed Entrust Datacard AD FS Adapter Setup Wizard page appears. 21. Click Finish to exit the Setup Wizard. You must now restart your AD FS service. Restarting the AD FS service To restart the AD FS service 1. Go to Control Panel > System and Security > Administrative Tools > Services to display your list of services.

2. Right-click Active Directory Federation Services and select Restart from the drop-down menu.

© Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 23 Configuring AD FS for Entrust Datacard authentication To configure AD FS for Entrust Datacard authentication you must create the AD FS policy that invokes the Entrust Datacard AD FS Adapter. This section contains the following procedures:
  • To configure AD FS 5.0 for Entrust Datacard authentication on Windows 2019
  • To configure AD FS 4.0 for Entrust Datacard authentication on Windows 2016
  • To configure AD FS 3.0 for Entrust Datacard Authentication on Windows 2012 R2 To configure AD FS 5.0 for Entrust Datacard authentication on Windows 2019 1. Ensure that you have restarted the Active Directory Federation Services after installing the Entrust Datacard AD FS Adapter (see Restarting the AD FS service).

2. Go to Start > Administrative Tools and double-click AD FS Management to open the AD FS Console. The AD FS Console window appears. 3. Click Authentication Methods. The AD FS Authentication Methods Overview page appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 24 4. Click Edit Multi-factor Authentication Methods. The Edit Authentication Methods appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 25 5. Check Entrust Datacard Authentication to invoke Multi-factor authentication using the Entrust Datacard AD FS Adapter.

6. Click OK. To configure AD FS 4.0 for Entrust Datacard authentication on Windows 2016 1. Ensure that you have restarted the Active Directory Federation Services after installing the Entrust Datacard AD FS Adapter (see Restarting the AD FS service). 2. Go to Start > Administrative Tools and double-click AD FS Management to open the AD FS Console.

The AD FS Console window appears. 3. Click Authentication Methods. The AD FS Authentication Methods Overview page appears. 4. Click Edit Multi-factor Authentication Methods. The Edit Authentication Methods appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 26 5. Check Entrust Datacard Authentication to invoke Multi-factor authentication using the Entrust Datacard AD FS Adapter. 6. Click OK. To configure AD FS 3.0 for Entrust Datacard Authentication on Windows 2012 R2 1. Ensure that you have restarted the Active Directory Federation Services after installing the Entrust Datacard AD FS Adapter (see Restarting the AD FS service).

2. Go to Start > Administrative Tools and double-click AD FS Management to open the AD FS Console.

The AD FS Console window appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 27 3. Click Authentication Policies. The AD FS Authentication Policies Overview page appears. 4. Click Edit Global Multi-factor Authentication. The Edit Global Policy Authentication page appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 28 5. Check Entrust Datacard Authentication to invoke Multi-factor authentication using the Entrust Datacard AD FS Adapter.

6. Optional selections: a. Under Users/Groups, click Add to add users or groups that require MFA using the Entrust Datacard AD FS Adapter b. Under Devices, select Unregistered Devices, Registered Devices, or both as the triggers to invoke MFA using the Entrust Datacard AD FS Adapter. c. Under Locations, select Extranet, Intranet or both as the triggers to invoke MFA using the Entrust Datacard AD FS Adapter.

7. Click OK.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 29 Testing the integration Before you test your integration, you must create a user in Entrust IdentityGuard or IntelliTrust and assign an authenticator to the user. After doing so, you should be able to access the WAP published. To test the integration 1. Go to the starting page for the sample WAP application, for example, https://igadfsplugin.mydomain.com/claimapp. WAP redirects to AD FS for first factor authentication.

The First Factor authentication page appears.

2. Enter your userID and password and click Sign in. The Entrust Datacard AD FS Adapter second-factor authentication page appears.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 30 3. Enter your second factor authentication. After successful authentication, a security token is returned with the claim, which WAP is expecting from AD FS and the Resource page appears. The WAP sample application resource page.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 31

© Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 32 Post-installation configuration After installing the Entrust Datacard AD FS Adapter, you complete the following post-installation tasks, as required. This section includes the following topics:
  • Configuring AD FS for IntelliTrust
  • Configuring AD FS for Entrust IdentityGuard
  • Configuring the second factor authentication method
  • Configuring alternate authenticators
  • Configuring the user domain to Entrust IdentityGuard group mapping
  • Migrating users to Entrust IdentityGuard
  • Customizing end-user messages
  • Configuring logging Configuring AD FS for IntelliTrust You need to configure the Authentication API to allow authentication using IntelliTrust. To configure for IntelliTrust authentication 1. Stop Active Directory Federation Services. 2. Go to \IntelliTrust ADFS Adapter\config and open the eigadfsplugin.xml file.

3. Set the AuthenticationAPI element to IntelliTrust. This setting is used to make REST calls to IntelliTrust and to validate the second factor authenticators against IntelliTrust. a. To configure the AuthenticationAPI, locate the following: b. Change the Authentication API as follows: IntelliTrust 4. Configure the Application ID. The Application ID is the unique identifier of the IntelliTrust authentication API application. This is ID is created in IntelliTrust when you add AD FS as an authentication API to IntelliTrust. a. To configure the ApplicationID, locate the following: b. Add the ApplicationID created in IntelliTrust.

For example: 1d123f45-d5c8-45f5-a614-e3f123c45be6 5. Save and close eigadfsplugin.xml. 6. Restart Active Directory Federation Services.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 33 Configuring AD FS for Entrust IdentityGuard You need to configure the Authentication API to allow authentication using Entrust IdentityGuard. To configure for Entrust identityGuard authentication 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file. 3. Set the AuthenticationAPI element to IdentityGuard. This setting is used to make SOAP calls to IntelliTrust and to validate the second factor authenticators against IntelliTrust.

a. To configure the AuthenticationAPI, locate the following: b. Change the Authentication API as follows: IdentityGuard 4. Provide the Entrust IdentityGuard server and config elements. See Configuring the second factor authentication method. 5. Save and close eigadfsplugin.xml. 6. Restart Active Directory Federation Services. Configuring the second factor authentication method After installation you can change the second factor authentication by editing the eigadfsplugin.xml file. Note: For your changes to take effect, you must comment the authentication second factor method you no longer want to use and uncomment the new authentication method in the eigadfsplugin.xml file. For example, if during installation you chose grid as the second factor authentication method but you want to replace it with another method, such as policy, be sure to comment the definition for grid and uncomment the definition for policy to ensure that your changes are applied. This section contains the following topics:
  • Configuring policy-based authentication
  • Configuring grid authentication
  • Configuring token authentication
  • Configuring knowledge-based authentication
  • Configuring policy authentication to override Q&A challenge size
  • Configuring one-time password (OTP) authentication
  • Configuring Mobile Smart Credential authentication (Identity Assured)
  • Configuring Mobile Soft Token (TVS) authentication

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 34 Configuring policy-based authentication You can use policy-based authentication as your second-factor authentication type by editing the Entrust Datacard AD FS Adapter configuration file. To configure policy-based authentication 7. Stop Active Directory Federation Services. 8. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file. 9. Locate the AuthenticationMethods element. ... 10. Define an AuthMethod element as shown in the example below. 11. Be sure to uncomment the policy definition strings.

12. Save and close eigadfsplugin.xml.

13. Restart Active Directory Federation Services. Configuring grid authentication You can use grid authentication as your second-factor authentication type by editing the Entrust Datacard AD FS Adapter configuration file. Additionally, you can configure grid to specify an enhanced RBA and a particular Entrust IdentityGuard group. To configure grid authentication 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file. 3. Locate the AuthenticationMethods element. ...

4. Define an AuthMethod element as shown in the example below.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 35 normal false false 5. Be sure to uncomment the grid definition strings. 6. Save and close eigadfsplugin.xml. 7. Restart Active Directory Federation Services. To configure grid for enhanced RBA 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file. 3. Locate the AuthenticationMethods element. ... 4. Define an AuthMethod element as shown in the example below. enhanced false true 5. Be sure to uncomment the applicable definition strings.

6. Save and close eigadfsplugin.xml.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 36 7. Restart Active Directory Federation Services. Configuring token authentication You can use token as your second-factor authentication type by editing the Entrust Datacard AD FS Adapter configuration file. To configure token authentication 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file. 3. Locate the AuthenticationMethods element. ... 4. Define an AuthMethod element as shown in the example below. normal false false 5. Be sure to uncomment the token definition strings.

6. Save and close eigadfsplugin.xml.

7. Restart Active Directory Federation Services. Configuring knowledge-based authentication You can use knowledge-based as your second-factor authentication type by editing the Entrust Datacard AD FS Adapter configuration file. Additionally, you can configure knowledge-based authentication to override the default question and answer challenge size. To configure knowledge-based authentication 1. Stop Active Directory Federation Services.

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 37 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file.

3. Locate the AuthenticationMethods element. ... 4. Define an AuthMethod element as shown in the example below. normal flase false 5. Be sure to uncomment the KB definition strings. 6. Save and close eigadfsplugin.xml. 7. Restart Active Directory Federation Services. To configure knowledge-based authentication and override the default question and answer challenge size 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file.

3. Locate the AuthenticationMethods element. ... 4. Define an AuthMethod element as shown in the example below. false

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 38 normal false false 5. Be sure to uncomment the applicable definition strings. 6. Save and close eigadfsplugin.xml. 7. Restart Active Directory Federation Services. Configuring policy authentication to override Q&A challenge size You can configure policy authentication to override the default question and answer challenge size if knowledge-based is chosen for the user.

To configure policy authentication and override the default question and answer challenge size 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file.

3. Locate the AuthenticationMethods element. ... 4. Define an AuthMethod element as shown in the example below. false false normal false

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 39 false 5. Be sure to uncomment the applicable definition strings. 6. Save and close eigadfsplugin.xml. 7. Restart Active Directory Federation Services. Configuring one-time password (OTP) authentication You can use one-time password as your second-factor authentication type by editing the Entrust Datacard AD FS Adapter configuration file.

To configure OTP authentication 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file.

3. Locate the AuthenticationMethods element. ... 4. Define an AuthMethod element as shown in the example below. false normal false false

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 40 5. Be sure to uncomment the OTP definition strings. 6. Enable optional display and masking of information values in OTP challenges, as shown below: true By default, this element is set to false. Note: IntelliTrust is not supported if this setting is set to true. When users initiate the sending of one-time passwords (OTP) to be used for authentication, they choose the email or phone number to which the OTPs should be sent.

This feature shows the contact information values (with masking) in addition to generic labels such as Work Email and Work Phone. For details, see "Set policies for out-of-band OTPs" in the Entrust IdentityGuard Server Administration Guide. 7. Save and close eigadfsplugin.xml.

8. Restart Active Directory Federation Services. Configuring Mobile Smart Credential authentication (Identity Assured) You can use Mobile SC as your second-factor authentication type by editing the Entrust Datacard AD FS Adapter configuration file. To configure Mobile SC authentication 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file. 3. Locate the AuthenticationMethods element. ... 4. Define an AuthMethod element as shown in the example below. normal false false

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved.

41 5. Be sure to uncomment the MobileSC definition strings. 6. Save and close eigadfsplugin.xml. 7. Restart Active Directory Federation Services. Configuring Mobile Soft Token (TVS) authentication You can use Mobile ST as your second-factor authentication type by editing the Entrust Datacard AD FS Adapter configuration file. To configure Mobile ST authentication 1. Stop Active Directory Federation Services. 2. Go to \IdentityGuard ADFS Adapter\config and open the eigadfsplugin.xml file.

3. Locate the AuthenticationMethods element. ... 4. To enable automatic fall back from Mobile Soft Token (TVS) Authentication to Token Authenticaiton, set define an AuthMethod element as shown in the example below. normal false false 5. To disable automatic fallback from Mobile Soft Token (TVS) authentication to token authentication, define an AuthMethod as shown in the following example: normal false

Copyright 2019 Entrust Datacard http://www.entrustdatacard.com All rights reserved. 42 false 6. Be sure to uncomment the MobileST definition strings. 7.

Save and close eigadfsplugin.xml. 8. Restart Active Directory Federation Services.

Next part ... Cancel