How to enable MFA for web applications 

This article describes the steps to integrate and enable MFA for web application powered by either SAML Version 2 or OAuth/OIDC, using ADSelfService Plus.

Step 1: Enable SSO to the web application through ADSelfService Plus.

 For SAML-based applications 

Prerequisites:  

1. Log in to the enterprise application (service provider).

2. Get the metadata file or the Entity ID/SAML Redirect URL and Assertion Consumer Service (ACS) URL from the enterprise application.

Create a custom application  

The steps given below will guide you through setting up SSO for your custom SAML applications using ADSelfService Plus.

1. Log in to the ADSelfService Plus web console as an administrator.

2. Navigate to Password Sync/Single Sign On > Add Application > Custom Application.

3. Enter your Application Name and Description.

4. Enter the domain name of your email address in the Domain Name field. For example, if you use johndoe@mydomain.com to log in, then mydomain.com is the domain name.

5. Upload an image for the app icon in both sizes.

6. Provide a suitable option for the Supported SSO Flow.

Note: We advise contacting your service provider and verifying the supported SSO flow before choosing the Supported SSO Flow option.

7. Automatic Configuration: If you downloaded metadata from Step 2 of Prerequisites section, upload the downloaded metadata file in the Upload Metadata field or follow step 8 below.

8. Manual configuration: Based on the SSO flow you selected earlier, enter the required details.

• If you had selected SP flow:

• Enter the SAML redirect URL your application service provider supplies in the SAML Redirect URL field. The URL value can be found in the application’s default login page or the SSO configuration page.

• Enter the ACS URL your application service provider provides in the ACS URL field. This value can also be found in the application's SSO configuration page.

• If you selected IdP flow:

• Enter the ACS URL your application service provider supplies in the ACS URL field. This value can also be found in the application's SSO configuration page.

• Enter the entity ID that your application service provider supplies in the Entity ID field. This value can also be found in the application’s SSO configuration page.

9. Under provider settings:

• Choose the RSA-SHA1 or RSA-SHA256 algorithm depending on the encryption your application supports.

• Pick a SAML response (signed/unsigned).

• Choose the XML canonicalization method to be used. The canonicalization method is the process of converting the XML content to a standardized format by the IdP and SP. The algorithm you choose is used for signing the SAML response and assertion.

• Choose the Name ID format that has to be sent in the SAML response. The Name ID format will specify the type of value sent in the SAML response for user identity verification.

10. Click Create Custom Application.

Note: Check with your service provider to identify the supported SSO flow and the SAML response. By default, the SAML assertion will be signed.

 For OAuth (or) OIDC-based applications 

Prerequisite  s

1. Log in to the Service Provider using administrator credentials. The Service Provider is the custom application for which you want to configure OpenID Connect.

2. Get the Authorization redirect or callback URL(s) from the Service Provider.

Create a custom application in ADSelfService Plus  

1. Log in to ADSelfService Plus using administrator credentials.

2. Navigate to Configuration > Self-Service > Password Sync/Single Sign On.

3. Click Add Application.

4. Click on the Custom Application option in the left pane.

5. Enter a suitable Name and Description for the application.

6. Enter the Domain Name for your application account. For example, if your username is johndoe@thinktodaytech.com, then thinktodaytech.com is your domain name.

7. Choose the policies you want to assign from the Assign Policies drop-down.

8. You can also add a small or large Icon of the application, if desired.

9. Under the OAuth/OpenID Connect tab, select the Enable OAuth/OpenID Connect checkbox.

10. From the Support SSO Flow drop-down, choose SP Initiated or IdP Initiated.

Note: It is advisable to contact the support team of your Service Provider application and verify the supported SSO flow before choosing the correct option.

If you select SP Initiated flow:  

In the Login Redirect URL(s) field, enter all the available Authorization redirect or callback URLs obtained from your Service Provider in step 2 of prerequisites. The URL(s) can be found in the Service Provider's OAuth/OIDC SSO configuration page.

If you select IdP Initiated flow:  

The IdP Login Initiate URL is used to send id_token from Identity Provider to Service Provider. Once this URL is configured, users will be able to log in to the Service Provider by clicking on that particular application in the Applications tab in ADSelfService Plus.

In the Login Redirect URL(s) field, enter all the available Authorization redirect or callback URL(s) obtained from your Service Provider in step 2 of prerequisites. The URL(s) can be found in the Service Provider's OAuth/OIDC SSO configuration page.

11. Under Response Type, choose one or more options from Authorization code, Access Token and ID Token.

Note: This value will be reflected in the Well-known configuration section under IdP details, and shared to the Service Provider application. Response Type is used to reference the authorization request modes, from Service Provider to Identity Provider. This can be chosen based on the Service Provider's login requirement.

• Authorization code - Using this response type, the Identity Provider (IdP) sends an authorization code to the Service Provider, after successful authorization request. With this authorization code, Service Provider then sends an access token request to the IdP. Using this access token the Service Provider obtains user information to perform user login.

• Access Token - Using this response type, the Identity Provider (IdP) sends an access token to the Service Provider, after successful authorization request. Using this access token, the Service Provider obtains user information to perform user login.

• ID Token - Using this response type, the Identity Provider (IdP) sends an ID token to the Service Provider, after successful authorization request. Using this ID token, the Service Provider obtains user information to perform user login.

12. Tick the Allow Refresh Token checkbox, to allow the Service Provider to obtain access tokens without needing the user to re-authenticate every time.

13. The Access Token Validity field is set to 3600 seconds by default. You can change this value if required.

Note: Access Token Validity denotes the time limit for which the token sent by the Identity Provider would be accessible by the Service Provider.

14. Choose Key Algorithm as HS256, RS256, RS384, or RS512 depending on the algorithm used for Access Token or id_token signature.

HS256 - A symmetric algorithm that uses one shared secret (i.e. client_secret generated during custom application creation in IdP), to sign and validate the token instead of using a public key pair.

RS256 - RSA signature with SHA-256. It is an asymmetric algorithm which uses a public or private key pair, generated and managed by IdP (the IdP uses the private key to generate the signature, and the application uses a public key to validate the signature).

RS384 - Same as RS256. Only difference is this uses a SHA-384 hashing algorithm for creating the RSA signature.

RS512 - Same as RS256. Only difference is this uses a SHA-512 hashing algorithm for creating the RSA signature.

15. From the Client Authentication Mode drop-down, choose the modes required. These are the modes using which the IdP will authenticate the Service Provider's access token request.

Client Secret Basic: The IdP generates a client_id and client_secret and shares it with the Service Provider in advance. While sending access token request, the Service Provider encodes the client_id and client_secret in BASE64 and sets it in the authorization header. The IdP verifies this authorization header to authorize the request.

Client Secret Post: The IdP generates a client_id and client_secret and shares it with the Service Provider in advance. While sending access token request, the Service Provider sets the client_id and client_secret in the access token request body. The IdP verifies the client_id and client_secret in the request body to authorize the request.

PKCE Code Challenge: In this authentication method, the Service Provider generates a random value called code_verifier, which is hashed to form a code_challenge. While sending access token request, the Service Provider sends this code_challenge to the IdP. The IdP checks this code_challenge to authorize the request.

Client Secret JWT: The IdP generates a client secret (client_secret_jwt) and shares it with the Service Provider in advance. While sending access token request, the Service Provider, uses this secret to generate a digital signature. The IdP checks for the signature to authorize the request.

Private Key JWT: The IdP gets a JWKS URL (JSON web key set) from the Service Provider that consists of a public key. While sending access token request, the Service Provider, uses a private key to generate a digital signature. The IdP checks for the signature using the public key obtained from JWKS URL, to authorize the request.

16. On choosing the Private Key JWT mode, ADSelfService Plus will need the JWKS URL details from the Service Provider to obtain the public key, which will then be used to verify the signature.

17. Click on Advanced Configuration in the top-right corner.

18. Under OAuth/OpenID Connect Claim Attributes Configuration, map the attributes as given in the image below.

19. Click Create Custom Application.

Step 2: Enable MFA for the SSO-enabled application.

1. In the MFA for ADSelfService Plus Login section, check the box next to Enable authenticators, enter the number of authentication methods to be enforced and select the authentication methods from the drop-down.

2. Click on the asterisk (*) symbol next to the authentication method to set it as mandatory. You can also reorder the authenticators too.

3. In the MFA for Cloud Applications Login section, check the box next to Enable authenticators, enter the number of authentication methods to be enforced and select the authentication methods from the drop-down.

Note: This MFA process will be triggered when a user attempts to access an SSO-enabled application directly.

4. Click Save Settings.

You can further configure the idle time limit, trusted device, and other relevant settings in the Advanced Settings tab.

 Passwordless Login   

With ADSelfService Plus' Passwordless Login feature, users can finally be free from the trouble of managing passwords. This feature eliminates the need to remember, change, or reset passwords periodically for ADSelfService Plus portal and all enterprise application logins through single-sign-on(SSO). You can now deploy a much stronger and advanced authentication method than passwords, such as biometrics, YubiKey, Google Authenticator, and more.

 How Passwordless Login works   

1. A user attempts to login to ADSelfService Plus or SSO-enabled enterprise applications with their username in the ADSelfService Plus login page.

2. ADSelfService Plus verifies the given username with Active Directory and redirects the user to the MFA page.

Note: If the user is logging in to ADSelfService Plus for the first time, they will be required to complete password authentication.

3. Here, the user's identity is verified through multiple authentication factors that do not involve passwords, such as Face ID, fingerprint, Google Authentication, and push notifications, as configured by the admin.

4. If the identity verification is successful, the user is logged in to the application.

 Enabling Passwordless Login   

1. Passwordless Login for ADSelfService Plus login:

• Go to Configuration > Self-Service > Multi-Factor Authentication > Advanced > Applications MFA.

• Check the box next to Enable Passwordless Login under ADSelfService Plus login MFA.

• Click Save Settings.

2. Passwordless Login for SAML SSO:

• Go to Configuration > Self-Service > Multi-Factor Authentication > Advanced > Applications MFA.

• Check the box next to Enable Passwordless Login under the Cloud Application Login MFA.

• Click Save Settings.