Authentication

Configure Keyless as an MFA method for your AD FS connected applications.

This guide details the steps required to configure Keyless as an authentication method for your AD FS instance.

Make sure you have completed Integrating Keyless with Active Directory Federation Services before moving on to this guide.

This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (AD FS) 2016 or 2019.

For more information on installing AD FS, please see the AD FS 2016 Deployment Guide.

Step 1: Create Claims Provider Trust

  1. Open the AD FS Management console from Server Manager by clicking "Tools" in the top navigation bar and selecting "AD FS Management".

  2. In the AD FS Management console, right-click “Claims Provider Trusts” and select “Add Claims Provider Trust…” from the right-hand Actions pane, as shown in the image below. (This is a claims provider trust, not a relying party trust: Keyless is the identity provider that issues claims to AD FS.)

  3. This opens the Add Claims Provider Trust wizard. Click “Start” on the welcome page.

  4. On the “Select Data Source” page, choose the option to import data about the claims provider published online, and enter the metadata URL provided when your account was provisioned. In this example we use https://<acme-idp>.keyless.technology/metadata/, where <acme-idp> is the handle that identifies your instance. The import reads the Keyless entity identifier and token-signing certificate from this metadata, and that certificate is what AD FS will accept tokens from going forward, so use exactly the HTTPS URL Keyless gave you and make sure the import completes without errors.

  5. Optionally, change the display name for the claims provider and add a note. The display name is a friendly name shown to administrators in the AD FS console and to end users on the sign-in (home realm discovery) page. Click “Next” once done.

  6. Review the configured settings, click “Next” to add the trust, and then “Close”.

Step 2: Configure Claim Rules

After completing Step 1 above, the new Claims Provider Trust appears under the “Claims Provider Trusts” folder in your AD FS Management console.

  1. Right-click on the Claims Provider Trust you’ve just added, and select “Edit Claim Rules” from the menu.

  2. In this dialog you define the acceptance transform rules that turn the claims Keyless sends to AD FS into the claims AD FS uses internally (Windows account name, UPN and a group).

  3. Define three rules by clicking “Add Rule” in the bottom part of the dialog:

    • Rule 1: Pass through Name ID as Windows account name

      • Rule Template: Transform an incoming claim

      • Claim rule name: “Pass through Name ID as Windows account name"

      • Incoming claim type: Name ID

      • Incoming name ID format: Unspecified

      • Outgoing claim type: Windows account name

      • Select the "Pass through all claim values" radio button.

    • Rule 2: Pass through Name ID as UPN

      • Rule Template: Transform an incoming claim

      • Claim rule name: “Pass through Name ID as UPN"

      • Incoming claim type: Name ID

      • Incoming name ID format: Unspecified

      • Outgoing claim type: UPN

      • Select the "Pass through all claim values" radio button.

    • Rule 3: Set Group Keyless

      • Rule Template: Send Claims Using a Custom Rule

      • Claim rule name: “Set Group Keyless"

      • Custom rule:

        c:[] => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);

        Note that the condition c:[] matches every incoming claim, so this issues one "keyless" Group claim for each claim Keyless sends. The duplicates are harmless; if you prefer a single claim, narrow the condition to the Name ID claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier).

  4. Click "Apply" and "OK" to save your changes.

  5. Open PowerShell as administrator on the AD FS server and run the following command, replacing <keyless-registration-domain> with the domain provided to you by Keyless (the name of the Keyless registration relying party trust). This restricts that relying party trust to Active Directory as its only claims provider, so users enrolling in Keyless must authenticate with their AD credentials and are not offered Keyless as a sign-in option for its own enrollment:

    Set-AdfsRelyingPartyTrust -TargetName <keyless-registration-domain> -ClaimsProviderName @("Active Directory")
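The same result as Steps 1 and 2, done from an elevated PowerShell session on the AD FS server instead of the wizard. This is an added example, not code from the Keyless guide or from Microsoft; it assumes the trust is named "Keyless", uses the guide's metadata URL and registration-domain placeholders, and narrows Rule 3 to the Name ID claim (the guide's c:[] form matches every incoming claim). The claim type URIs are the standard AD FS ones, and Rules 1 and 2 are written the way the "Transform an incoming claim" template emits them for a Name ID with format "Unspecified".

```powershell
# Added example: create the Keyless Claims Provider Trust and its acceptance
# transform rules, then pin the registration relying party to Active Directory.
# Assumed values (not from the guide): the trust name and the two placeholders.
$cpName         = 'Keyless'
$metadataUrl    = 'https://<acme-idp>.keyless.technology/metadata/'
$registrationRp = '<keyless-registration-domain>'

# Standard AD FS claim type URIs used by the three rules.
$nameIdType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$nameIdFormat = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$unspecified  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
$winAcctType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$upnType      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$groupType    = 'http://schemas.xmlsoap.org/claims/Group'

# Acceptance transform rules in AD FS claim rule language. Rules 1 and 2 pass the
# Name ID value through unchanged; Rule 3 issues a constant "keyless" Group claim,
# scoped to the Name ID claim so that exactly one is issued per sign-in.
$rules = @"
@RuleName = "Pass through Name ID as Windows account name"
c:[Type == "$nameIdType", Properties["$nameIdFormat"] == "$unspecified"]
 => issue(Type = "$winAcctType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Pass through Name ID as UPN"
c:[Type == "$nameIdType", Properties["$nameIdFormat"] == "$unspecified"]
 => issue(Type = "$upnType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Set Group Keyless"
c:[Type == "$nameIdType"]
 => issue(Type = "$groupType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);
"@

# Step 1: create the trust from the published federation metadata. AD FS reads the
# Keyless entity ID and token-signing certificate from it; monitoring with
# auto-update lets AD FS pick up a rotated signing key from the same URL later.
Add-AdfsClaimsProviderTrust -Name $cpName `
    -MetadataUrl $metadataUrl `
    -AcceptanceTransformRules $rules `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# Check what was actually imported: the identifier and the thumbprint(s) of the
# certificate(s) AD FS will now accept signed tokens from. Compare the thumbprint
# against what Keyless gave you out of band before letting users sign in.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
$cp | Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled
$cp.TokenSigningCertificates | Select-Object Subject, Thumbprint, NotAfter

# Step 2, item 5: restrict the registration relying party to Active Directory only,
# so enrolling in Keyless always requires an AD credential.
Set-AdfsRelyingPartyTrust -TargetName $registrationRp -ClaimsProviderName @('Active Directory')
(Get-AdfsRelyingPartyTrust -Name $registrationRp).ClaimsProviderName
```

Run it once; Add-AdfsClaimsProviderTrust fails if a trust with the same name or identifier already exists, in which case use Set-AdfsClaimsProviderTrust -TargetName with the same -AcceptanceTransformRules to update the rules in place.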

Congratulations, you can now use Keyless to authenticate to your AD FS connected applications! 😎

Verifying that AD FS and Keyless IdP are configured

This verification requires that there is at least one user already enrolled with Keyless and that can be used for this test.

  1. Go to https://<your-adfs-domain>/adfs/ls/idpinitiatedsignon.htm and select the "Sign in to this site" option. On AD FS 2016 and later this page is disabled by default and returns an error until you enable it (the EnableIdpInitiatedSignonPage property set through Set-AdfsProperties).

  2. Click the identity provider entry for Keyless IdP.

  3. Enter the username (in UPN format) of the test user and click the 'Continue' button.

At this point the user should receive a push notification in the Keyless Authenticator app on their phone. Once they have authenticated on the phone, the user is signed in.
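Pre-flight checks for this test and a way to confirm the result from the server side, as an added example that is not part of the Keyless guide. It assumes the trust is named "Keyless", uses a constructed placeholder UPN for the test user, and assumes AD FS security auditing is enabled (the -AuditLevel setting of Set-AdfsProperties together with the "Application Generated" audit subcategory), which is what writes the "AD FS Auditing" events it queries.

```powershell
# Added example: checks around the IdP-initiated sign-on test, run from elevated
# PowerShell on the AD FS server. Assumed values: trust name and test user UPN.
$cpName   = 'Keyless'
$testUser = 'alice@corp.example'   # constructed placeholder, not a real account

# 1. The idpinitiatedsignon.htm page is off by default on AD FS 2016+.
if (-not (Get-AdfsProperties).EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}

# 2. The Keyless trust must exist, be enabled, and carry a signing certificate
#    that is currently valid; an expired or missing one makes every Keyless token
#    fail signature validation with no prompt ever reaching the phone.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
$cp | Select-Object Name, Identifier, Enabled, MonitoringEnabled
$now = Get-Date
foreach ($cert in $cp.TokenSigningCertificates) {
    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    '{0}  valid-now={1}  expires={2}' -f $cert.Thumbprint, $valid, $cert.NotAfter
}

# 3. After approving the push on the phone, look for the audit trail of the
#    sign-in. With auditing enabled AD FS writes event 1202 (credential validated)
#    and 1200 (token issued) to the Security log under the "AD FS Auditing" source.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = @(1200, 1202) } -MaxEvents 100 |
    Where-Object { $_.Message -match [regex]::Escape($testUser) } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 3 returns nothing while the sign-in visibly succeeded, auditing is most likely not enabled rather than the integration being broken; if step 2 shows no valid certificate, re-run the metadata import before retrying the test.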
