How to configure Salesforce Authenticator as a MFA method in ADSelfService Plus

Objective   

This article provides detailed instructions on how to set up and use Salesforce Authenticator as a multi-factor authentication (MFA) method in ADSelfService Plus using the custom TOTP authenticator feature. By leveraging this, administrators can enhance security for a variety of user actions, including:
  • Self-service password resets and account unlocks
  • Logins to Windows, macOS, and Linux machines
  • Access to VPNs, OWA, and other enterprise applications

Prerequisites   

  • You must have administrative privileges for the ADSelfService Plus portal.
  • A self-service policy must be created and applied to the target OUs or groups.
  • Users must install the Salesforce Authenticator app on their mobile devices from the Google Play Store or App Store.

Steps to configure Salesforce Authenticator  

1. Configuring Salesforce Authenticator in ADSelfService Plus   

First, you need to add Salesforce Authenticator as a custom TOTP method.
  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  3. From the Choose the Policy drop-down menu, select the policy to which you want to apply the configuration.
  4. Click Custom TOTP Authenticator.
  5. In the configuration window, fill in the following fields:
    • Authenticator Name (e.g., Salesforce Authenticator)
    • Passcode Length
    • Passcode Expiration Time
    • Passcode Hashing Algorithm
    • Username Pattern
  6. Optionally, upload the Salesforce Authenticator logo in the Authenticator Logo field. If left empty, a default icon will be used.
  7. For Token Type, select Software Token.
  8. Click Save.

  

Fig. 1: Configuring Salesforce Authenticator using the Custom TOTP Authenticator feature in ADSelfService Plus.
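
The Passcode Length, Passcode Expiration Time, and Passcode Hashing Algorithm fields have to match the values the authenticator app uses to generate codes, otherwise every passcode the user enters is rejected. The following is an added example, not ManageEngine or Salesforce code, showing with a standard RFC 6238 TOTP calculation how a mismatch in any one of the three settings breaks verification. It assumes the custom TOTP authenticator follows RFC 6238; the function names, the one-step drift window, and the timestamp are hypothetical, and the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def totp(secret: bytes, unix_time: int, digits=6, period=30, algorithm="sha1") -> str:
    """RFC 6238 passcode: HMAC over the time-step counter, then dynamic truncation."""
    counter = unix_time // period                       # Passcode Expiration Time
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                             # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)      # Passcode Length

def verify(secret: bytes, submitted: str, unix_time: int, drift_steps=1, **settings) -> bool:
    """Server-side check: accept the current step and +/- drift_steps for clock skew."""
    period = settings.get("period", 30)
    accepted = False
    for step in range(-drift_steps, drift_steps + 1):
        t = unix_time + step * period
        if t >= 0:
            # Constant-time comparison, and no early exit from the loop.
            accepted |= hmac.compare_digest(totp(secret, t, **settings), submitted)
    return accepted

# Constructed sample data: the published RFC 4226 / RFC 6238 test secret, never a real key.
SECRET = b"12345678901234567890"
NOW = 150  # constructed timestamp in seconds; time step 5 at a 30-second period

def mismatch_report() -> dict:
    """The app generates with one set of values; the server verifies with several."""
    app_code = totp(SECRET, NOW, digits=6, period=30, algorithm="sha1")
    server_settings = {
        "matching":  dict(digits=6, period=30, algorithm="sha1"),
        "period 60": dict(digits=6, period=60, algorithm="sha1"),
        "digits 8":  dict(digits=8, period=30, algorithm="sha1"),
        "sha256":    dict(digits=6, period=30, algorithm="sha256"),
    }
    return {name: verify(SECRET, app_code, NOW, **cfg)
            for name, cfg in server_settings.items()}

if __name__ == "__main__":
    for name, accepted in mismatch_report().items():
        print(f"server={name:10s} accepted={accepted}")
```
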

2. Enabling Salesforce Authenticator for self-service actions 

Once configured, you must enable the authenticator for specific functions.
For password resets and account unlocks:
  1. Navigate to Configuration > Self-Service > Multi-factor Authentication > MFA for Reset/Unlock.
  2. Select the same policy from the Choose the Policy drop-down.
  3. Choose the number of authenticators required for identity verification from the drop-down list.
  4. In the Select the authenticators required list, check the box next to Salesforce Authenticator.
  5. Click Save Settings.
 
For endpoint and application logins:
  1. Navigate to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
  2. Select the appropriate policy.
  3. Enable MFA for the required endpoints, such as machine login, OWA and VPN login, and enterprise applications, and check the box for Salesforce Authenticator under each one.
  4. Click Save Settings.

3. End user enrollment process

Users must enroll their devices before they can use the authenticator.
  1. The user must log in to the ADSelfService Plus user portal. (If forced enrollment is enabled, they will be prompted to enroll immediately after login.)
  2. Navigate to Enrollment > Salesforce Authenticator.
  3. A QR code will be displayed on the screen.

Fig. 2: Enrolling for Salesforce Authenticator in ADSelfService Plus.
  4. The user should open the Salesforce Authenticator app on their phone.
  5. Tap Add an Account, select Scan QR Code, and then scan the displayed QR code.

Fig. 3: Adding an account in the Salesforce Authenticator app.
Fig. 4: Using the Scan QR code option for enrollment in the Salesforce Authenticator app.
  6. The account will be automatically added to the dashboard.
  7. To verify their identity, the user must enter the passcode displayed in the Salesforce Authenticator app in the ADSelfService Plus portal.

Fig. 5: Identity verification in ADSelfService Plus using Salesforce Authenticator.

 

4. Managing the configuration  

To modify or remove the authenticator:
  1. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup and select the policy.
  2. Click Custom TOTP Authenticator.
  3. Click Modify to update the configuration, or Remove Configuration to delete it.
  4. Click Save.
Note:
Modifying or removing the configuration will delete all user enrollment data associated with this authenticator.

If a user is moved to a policy where Salesforce Authenticator is not configured, they will be required to re-enroll.

How to reach support             

If the issue persists, contact our support team here
