How To: Leverage ADFS Multi-Factor Authentication
An ADFS server can require the user to perform Multi-Factor Authentication (MFA) before authentication succeeds. If The Identity Hub is also configured to require MFA, the user has to complete two separate MFA validations, which can be inconvenient.
Send MFA information from ADFS to The Identity Hub.
If the ADFS server provides the MFA information to The Identity Hub, The Identity Hub will skip its own MFA step.
To pass the information from ADFS to The Identity Hub, configure the following Claim Rule on the Relying Party in the ADFS Management Console. For more information on Claim Rules see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-claim-rules.
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"] => issue(claim = c);
The Identity Hub will skip MFA only if the claim is present and contains the http://schemas.microsoft.com/claims/multipleauthn value; a token that carries the claim with other values only (for example just the password method) still goes through The Identity Hub's own MFA.
For more information on MFA and ADFS see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa.
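To make the skip condition concrete, here is an added illustration (not The Identity Hub's own code) of how a relying party would evaluate the authnmethodsreferences claim in a SAML assertion: the claim must be present and one of its values must be exactly the multipleauthn URI. The assertions and the password-method value are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHN_METHODS_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
# Sample value for a plain password logon (constructed sample data for this example).
PASSWORD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"


def authn_methods(assertion_xml: str) -> list:
    """Return every value of the authnmethodsreferences claim found in the
    assertion's AttributeStatement (empty list if ADFS did not issue it)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == AUTHN_METHODS_CLAIM:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def skip_hub_mfa(assertion_xml: str) -> bool:
    """Model of the rule in the text: skip the Hub's own MFA only when the
    claim is present AND carries the multipleauthn value. A claim listing
    only the password method, or no claim at all, means MFA still runs."""
    return MULTIPLE_AUTHN in authn_methods(assertion_xml)


def build_assertion(*methods: str) -> str:
    """Build a minimal, constructed assertion carrying the given method URIs
    (no claim at all when called without arguments). Not a real ADFS token."""
    attr = ""
    if methods:
        vals = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
        attr = f'<saml:Attribute Name="{AUTHN_METHODS_CLAIM}">{vals}</saml:Attribute>'
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            f"<saml:AttributeStatement>{attr}</saml:AttributeStatement>"
            "</saml:Assertion>")


MFA_TOKEN = build_assertion(PASSWORD, MULTIPLE_AUTHN)   # ADFS performed MFA
PASSWORD_ONLY_TOKEN = build_assertion(PASSWORD)         # claim present, no MFA
NO_CLAIM_TOKEN = build_assertion()                      # claim rule not configured

if __name__ == "__main__":
    for name, token in [("mfa", MFA_TOKEN), ("password-only", PASSWORD_ONLY_TOKEN),
                        ("no-claim", NO_CLAIM_TOKEN)]:
        print(f"{name}: skip Hub MFA = {skip_hub_mfa(token)}")
```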
Configure the SAMLP Account Provider to leverage the MFA information.
- Navigate to the Account Provider Admin Page (https://www.theidentityhub.com/{tenant}/Admin/AccountProvider) of your Tenant. If you don't have a Tenant yet, you can register one for free.
- You will see a list of Account Providers. Click Edit on the Account Provider entry.
- Check "Allow processing of external two factor authentication". If "Is responsible for two factor authentication" is checked, you need to uncheck it first.
- Click Save.