Documentation for MFA IdentityServer 1.x

MFA IdentityServer 2.0

New Features Included in version 2.0

  • Security

    • Removed all sensitive information from pages (Security context and hidden fields). The TOTP key is never transmitted or inserted into a page.

    • Multiple algorithms available for generating the user key
      • RNG - a strong random number generator (the default in versions 1.x)

      • RSA - the user keys are encrypted with RSA (certificate; verification information is included and validated when checking the TOTP code)

      • Custom - each user key is encrypted with a distinct RSA certificate, and validation is done when checking the TOTP code. This requires a new database for storing the certificates (demo)

      • Possibility to manage your own keys; an API is provided: ISecretKeyManager
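The following PowerShell script is an added illustration of the key-handling design described above, not code from the adfsmfa project: the user key is produced by the platform CSPRNG (the RNG mode), stored only in RSA-wrapped form (the RSA mode), unwrapped on the server at verification time, and never handed to a page or client. The function names are invented, an in-memory RSA key pair stands in for the server certificate, and the real ISecretKeyManager interface is not reproduced.

```powershell
# Added example, not adfsmfa project code: the secret-handling pattern the page describes
# (RNG-generated user key, stored only RSA-wrapped, unwrapped server-side at verification,
# never sent to a page). Function names are invented; an in-memory RSA key pair stands in
# for the server certificate; the real ISecretKeyManager interface is not reproduced.

function New-MfaSecret {
    # RNG mode: a 160-bit secret from the platform CSPRNG (the HMAC-SHA1 size RFC 4226 suggests).
    param([int]$Length = 20)
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ,$bytes
}

function Protect-MfaSecret {
    # RSA mode: wrap the per-user secret with the server's public key (OAEP). The wrapped
    # blob is what the user store would hold; the plaintext is never persisted.
    param([byte[]]$Secret, [System.Security.Cryptography.RSA]$Rsa)
    return ,$Rsa.Encrypt($Secret, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
}

function Unprotect-MfaSecret {
    param([byte[]]$Wrapped, [System.Security.Cryptography.RSA]$Rsa)
    return ,$Rsa.Decrypt($Wrapped, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
}

function Get-TotpCode {
    # RFC 6238: HMAC-SHA1 over the big-endian time-step counter, then dynamic truncation.
    param([byte[]]$Secret, [long]$UnixTime, [int]$Step = 30, [int]$Digits = 6)
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Secret)
    try { $hash = $hmac.ComputeHash($msg) } finally { $hmac.Dispose() }
    $offset = [int]$hash[19] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor ([int]$hash[$offset + 1] -shl 16) -bor ([int]$hash[$offset + 2] -shl 8) -bor [int]$hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Compare-FixedTime {
    # Constant-time string comparison so a wrong code leaks nothing through timing.
    param([string]$A, [string]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ([int]$A[$i] -bxor [int]$B[$i]) }
    return ($diff -eq 0)
}

function Test-MfaTotpCode {
    # Verification: unwrap, accept the current step or one step either side (clock drift),
    # then zero the plaintext secret. Only a boolean leaves this function.
    param([byte[]]$Wrapped, [System.Security.Cryptography.RSA]$Rsa, [string]$Code, [long]$UnixTime)
    $secret = Unprotect-MfaSecret -Wrapped $Wrapped -Rsa $Rsa
    try {
        foreach ($drift in -1, 0, 1) {
            $expected = Get-TotpCode -Secret $secret -UnixTime ($UnixTime + 30 * $drift)
            if (Compare-FixedTime $expected $Code) { return $true }
        }
        return $false
    } finally {
        [array]::Clear($secret, 0, $secret.Length)
    }
}

# Self-check against the RFC 6238 Appendix B vector (SHA1, T=59, 8 digits -> 94287082).
$rfcSecret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
if ((Get-TotpCode -Secret $rfcSecret -UnixTime 59 -Digits 8) -ne '94287082') { throw 'TOTP self-check failed' }

# Enrolment: generate and wrap; only $wrapped would be persisted, the plaintext is never returned.
$serverRsa = [System.Security.Cryptography.RSA]::Create()   # stand-in for the server certificate
$wrapped   = Protect-MfaSecret -Secret (New-MfaSecret) -Rsa $serverRsa

# Verification: the authenticator app would compute $code from its own copy of the secret;
# it is derived in-process here only to exercise the server-side check.
$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$code = Get-TotpCode -Secret (Unprotect-MfaSecret -Wrapped $wrapped -Rsa $serverRsa) -UnixTime $now
"Code accepted: $(Test-MfaTotpCode -Wrapped $wrapped -Rsa $serverRsa -Code $code -UnixTime $now)"
"Code rejected: $(-not (Test-MfaTotpCode -Wrapped $wrapped -Rsa $serverRsa -Code '000000' -UnixTime $now))"
```

The point to take from the script is the boundary: enrolment returns a wrapped blob, verification returns a boolean, and the plaintext secret exists only briefly inside the verifying function, which matches the claim above that the TOTP key is never transmitted or inserted into a page. Runs on Windows PowerShell 5.1 (.NET Framework 4.6 or later).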

  • Deployment

Following the various questions regarding the deployment of assemblies in the GAC, we provide an MSI installation file. The deployment of binaries is now fully automated.

The MSI file must be deployed on each ADFS server of your farm (never on proxy servers).

  • Configuration

All configuration actions can be performed using PowerShell CmdLets (see below)

All configuration actions can be performed with an MMC extension (not yet operational in this beta version)

  • Administration

Policies for integrating users with MFA

    • Free : (BypassDisabled, BypassUnRegistered, AllowManageOptions, AllowChangePassword)
      • Access is allowed if the MFA account is disabled
      • Access is allowed if the user is not registered
      • The user can manage password and options (after a successful MFA process)
    • Open : (BypassDisabled, AllowUnRegistered, AllowManageOptions, AllowChangePassword)
      • Access is allowed if MFA is disabled
      • Access is allowed if the user account is not registered; the user is prompted to set his metadata (email, phone, …)
      • The user can manage password and options (after a successful MFA process)
    • Default : (AllowDisabled, AllowUnRegistered, AllowManageOptions, AllowChangePassword) (similar to the default mode of prior versions (1.x))
      • Access is allowed if MFA is disabled, but the user is prompted to set his metadata (email, phone, …)
      • Access is allowed if the user account is not registered, but the user is prompted to set his metadata (email, phone, …)
      • The user can manage password and options (after a successful MFA process)
    • Managed : (BypassDisabled, AllowUnRegistered, AllowProvideInformations, AllowChangePassword)
      • Access is allowed if MFA is disabled
      • Access is allowed if the user account is not registered, but the user is prompted to send an activation request to the administrators by email; metadata validation is done by the admins
      • The user can manage his password (after a successful MFA process)
    • Strict : (AllowProvideInformations)
      • Access is not allowed if the MFA account is not registered or not enabled. The user is prompted to send an activation request to the administrators by email
    • Administrative (AdministrativeMode)
      • Access is not allowed if the MFA account is not registered or not enabled. The user must contact the administrators to gain access.

Custom templates for emails

Users management

  1. Adding, Deleting, Updating, Enabling users (PS, MMC)
  2. Import Users (PS, MMC) – not available in this beta

Configuration management

  1. Management of all config properties (ADDS, SQL, Mail, Keys, SMS, Common) via PS and MMC; no need to edit the XML file.
  2. Soft update across the server farm (no need to restart instances)
  3. Upgrade from previous versions of adfsmfa.

 

Installation and Configuration

  • Installation

    • Download adfsmfa.msi from CodePlex or GitHub
    • Log on to each ADFS server (2012 R2 or 2016) as administrator
    • Launch the installation of the MSI file on each server.
    • Done !

 

  • Configuration
    • Log on as administrator on the primary ADFS server
    • Open a PowerShell session as administrator
    • Execute the PS Cmdlet : Register-MFASystem
    • Log on as administrator on the other ADFS servers
    • Open a PowerShell session as administrator
    • Execute the PS Cmdlet : Register-MFAComputer
    • Get-MFAFarmInformation
    • Get-MFAConfig

If you are upgrading from previous versions (1.x) you must run the registration as follows:

Register-MFASystem -Activate -RestartFarm -AllowUpgrade -BackupFilePath ".\myconfig 1.2.xml"

No need to uninstall the prior version
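As an added example that is not part of this page or the adfsmfa project, the following script wraps the configuration steps above so the same file can be run on every farm member: it refuses to run unelevated, checks that the MSI has been installed, picks Register-MFASystem or Register-MFAComputer from the server's farm role, and takes the upgrade path when asked. It assumes that the built-in AD FS cmdlet Get-AdfsSyncProperties reports the role as PrimaryComputer or SecondaryComputer (a WID farm), and that the MFA cmdlets accept only the parameters shown on this page.

```powershell
# Added example (not adfsmfa code): one registration script for every AD FS farm member.
# Assumptions: Get-AdfsSyncProperties (built-in AD FS cmdlet) returns Role = PrimaryComputer
# or SecondaryComputer; Register-MFASystem / Register-MFAComputer / Get-MFAFarmInformation /
# Get-MFAConfig take only the parameters shown on this page.
param(
    # Set when upgrading from a 1.x installation; the 1.x configuration is backed up to BackupFilePath.
    [switch]$UpgradeFrom1x,
    [string]$BackupFilePath = ".\myconfig 1.2.xml"
)

$ErrorActionPreference = 'Stop'

# Registration writes to the AD FS configuration, so require an elevated session up front.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) PowerShell session."
}

# The MSI must already be installed on this server; otherwise the cmdlets are absent.
if (-not (Get-Command -Name Register-MFASystem -ErrorAction SilentlyContinue)) {
    throw "MFA cmdlets not found: install adfsmfa.msi on this server first."
}

# The farm role decides which registration cmdlet applies (assumed role names, see above).
$role = (Get-AdfsSyncProperties).Role
switch ($role) {
    'PrimaryComputer' {
        if ($UpgradeFrom1x) {
            # Upgrade path from the page: the existing 1.x configuration is kept in a backup
            # file that the revert procedure can later feed back with -ConfigurationFilePath.
            if (Test-Path -LiteralPath $BackupFilePath) {
                throw "Backup target '$BackupFilePath' already exists; refusing to overwrite it."
            }
            Register-MFASystem -Activate -RestartFarm -AllowUpgrade -BackupFilePath $BackupFilePath
        } else {
            Register-MFASystem
        }
    }
    'SecondaryComputer' {
        Register-MFAComputer
    }
    default {
        # Proxy (WAP) servers are never farm members and must not receive the MSI or the registration.
        throw "Unexpected AD FS role '$role': run this only on a farm member."
    }
}

# Post-check: the farm should now list this computer and expose the MFA configuration.
Get-MFAFarmInformation
Get-MFAConfig
```

Run it once on the primary (with -UpgradeFrom1x if a 1.x configuration is present) and then once on each secondary; the two Get- cmdlets at the end give the same visibility the manual steps end with.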

 

  • Revert to prior version

No need to uninstall this beta version; you can run the following as follows:

UnRegister-AdfsAuthenticationProvider -Name "MultifactorAuthenticationProvider" -Confirm:$false

$typeName = "Neos.IdentityServer.MultiFactor.AuthenticationProvider, Neos.IdentityServer.MultiFactor, Version=1.2.0.0, Culture=neutral, PublicKeyToken=175aa5ee756d2aa2"

Register-AdfsAuthenticationProvider -TypeName $typeName -Name "MultiFactorAuthenticationProvider" -Verbose -ConfigurationFilePath ".\myconfig 1.2.xml"

net stop adfssrv

net start adfssrv

Using PowerShell Cmdlets

To get the complete list of MFA CmdLets: get-help *-MFA*

To go through each MFA CmdLet individually, press <TAB> (tab completion)

 

Farm management

Register-MFASystem

Unregister-MFASystem

Register-MFAComputer

Unregister-MFAComputer

Enable-MFASystem

Disable-MFASystem

Get-MFAComputers

Restart-MFAComputerServices

Get-MFAFarmInformation

Restart-MFAFarmServices

Install-MFACertificate

New-MFADatabase

New-MFASecretKeysDatabase

 

Users management

Get-MFAUsers

Set-MFAUsers

Add-MFAUsers

Remove-MFAUsers

Enable-MFAUsers

Disable-MFAUsers

 

General configuration management

Get-MFAConfig

Set-MFAConfig

Set-MFAPolicyTemplate

 

SQL configuration management

Get-MFAConfigSQL

Set-MFAConfigSQL

New-MFADatabase

 

ADDS configuration management

Get-MFAConfigADDS

Set-MFAConfigADDS

 

SMTP configuration management

Get-MFAConfigMails

Set-MFAConfigMails

 

KEYS Manager configuration management (RNG, RSA)

Get-MFAConfigKeys

Set-MFAConfigKeys

 

SMS configuration management

Get-MFAExternalOTPProvider

Set-MFAExternalOTPProvider

Last edited Wed at 11:27 PM by redhook, version 59