Authentication

Configure Keyless as an MFA method for your AD FS connected applications.

Last updated 7 months ago

This guide details the steps required to configure Keyless as the authentication method for your AD FS instance.

Make sure you have completed Integrating Keyless with Active Directory Federation Services before moving on to this guide.

This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (AD FS) 2016 or 2019.

For more information on installing AD FS, please see the AD FS 2016 Deployment Guide.

Step 1: Create Claims Provider Trust

  1. Log in to your AD FS Management portal from Server Manager by clicking “Tools” in the top navigation bar and selecting “AD FS Management”.

  2. Once you are in the AD FS Management Portal, right-click on “Relying Party Trust” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.

  3. This will open a 4-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.

  4. In the following screen, import data about the claims provider published online. Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://<acme-idp>.keyless.technology/metadata/ where <acme-idp> represents the handle used to identify your instance.

  5. Optionally, change the Display name for the claims provider, and add a note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.

  6. Review the parameters you configured and finish the wizard.

Step 2: Configure Claim Rules

After completing Step 1 above, you should be able to see the new Claims Provider Trust you’ve just created under the “Claims Provider Trust” folder in your AD FS Management Portal.

  1. Right-click on the Claims Provider Trust you’ve just added, and select “Edit Claim Rules” from the menu.

  2. In this step you will define the rules that transform the claims Keyless sends to AD FS.

  3. Define three rules by clicking “Add Rule” in the bottom part of the dialog:

    • Rule 1: Pass through Name ID as Windows account name

      • Rule Template: Transform an incoming claim

      • Claim rule name: “Pass through Name ID as Windows account name”

      • Incoming claim type: Name ID

      • Incoming name ID format: Unspecified

      • Outgoing claim type: Windows account name

      • Select the “Pass through all claim values” radio button.

    • Rule 2: Pass through Name ID as UPN

      • Rule Template: Transform an incoming claim

      • Claim rule name: “Pass through Name ID as UPN”

      • Incoming claim type: Name ID

      • Incoming name ID format: Unspecified

      • Outgoing claim type: UPN

      • Select the “Pass through all claim values” radio button.

    • Rule 3: Set Group Keyless

      • Rule Template: Send Claims Using a Custom Rule

      • Claim rule name: “Set Group Keyless”

      • Custom rule:

        c:[] => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);

  4. Click "Apply" and "OK" to save your changes.

  5. Open PowerShell as an administrator on your AD FS server and run the following command, after replacing <keyless-registration-domain> with the domain provided to you by Keyless:

    Set-AdfsRelyingPartyTrust -TargetName <keyless-registration-domain> -ClaimsProviderName @("Active Directory")
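The same Step 2 configuration as a script, added here as an example and not taken from the Keyless documentation or the AD FS wizard. It assumes the claims provider trust was given the display name "Keyless" in Step 1 (change $cpName if you chose another name) and keeps the page's <keyless-registration-domain> placeholder for the relying party trust. Rules 1 and 2 are written out in claim rule language the way the "Transform an incoming claim" template with "Pass through all claim values" generates them (compare with the wizard's "View Rule Language" output if in doubt); Rule 3 is the custom rule quoted above. The script then reads the trusts back so a missed rule or a mistyped claim type shows up before anyone is asked to test, and checks that the IdP-initiated sign-on page used in the verification section is actually enabled.

```powershell
# Added example, not the Keyless project's own code. Run in an elevated PowerShell
# session on the AD FS server after the claims provider trust from Step 1 exists.
Import-Module ADFS

$cpName = 'Keyless'                         # assumption: display name chosen in Step 1
$rpName = '<keyless-registration-domain>'   # placeholder from the guide; replace it

# Well-known AD FS claim type URIs behind the wizard's friendly names.
$nameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$fmtProp = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$unspec  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
$winAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$upn     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$group   = 'http://schemas.xmlsoap.org/claims/Group'

# Rules 1 and 2: "Transform an incoming claim" with "Pass through all claim values"
# keeps Value and ValueType and only rewrites the claim Type, restricted to the
# Unspecified name ID format. Rule 3 is the custom rule from the guide.
$rules = @"
@RuleName = "Pass through Name ID as Windows account name"
c:[Type == "$nameId", Properties["$fmtProp"] == "$unspec"]
 => issue(Type = "$winAcct", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Pass through Name ID as UPN"
c:[Type == "$nameId", Properties["$fmtProp"] == "$unspec"]
 => issue(Type = "$upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Set Group Keyless"
c:[]
 => issue(Type = "$group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);
"@

# Replace the acceptance transform rules on the Keyless claims provider trust.
Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $rules

# Item 5 of Step 2: the Keyless relying party trust takes claims from Active Directory only.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @('Active Directory')

# Read the configuration back instead of assuming the cmdlets did what was intended.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
foreach ($t in @($winAcct, $upn, $group)) {
    if ($cp.AcceptanceTransformRules -notmatch [regex]::Escape($t)) {
        Write-Warning "Claims provider trust '$cpName' has no rule issuing $t"
    }
}

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (($rp.ClaimsProviderName -join ',') -ne 'Active Directory') {
    Write-Warning "Relying party trust '$rpName' still accepts claims from: $($rp.ClaimsProviderName -join ', ')"
}

# The manual verification uses /adfs/ls/idpinitiatedsignon.htm, which AD FS 2016 and
# later ship disabled; the test page will return an error until it is turned on.
if (-not (Get-AdfsProperties).EnableIdpInitiatedSignonPage) {
    Write-Warning 'IdP-initiated sign-on page is disabled; enable it with: Set-AdfsProperties -EnableIdpInitiatedSignonPage $true'
}
```

Note that -AcceptanceTransformRules replaces the whole rule set on the trust, so any rules added earlier in the console must be included in $rules or they are lost; the read-back loop is there to catch exactly that kind of accidental removal.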

Congratulations, you can now use Keyless to authenticate to your AD FS connected applications! 😎

Verifying that AD FS and Keyless IdP are configured

This verification requires that at least one user is already enrolled with Keyless and can be used for this test.

  1. Go to https://<your-adfs-domain>/adfs/ls/idpinitiatedsignon.htm and select the “Sign in to this site” option.

  2. Click on the identity provider associated with Keyless IdP:

  3. Provide the username (UPN format) of the test user and click the 'Continue' button.

At this point, the user should receive a push notification to the Keyless Authenticator app on their mobile phone. Once authenticated on the phone, the user should be logged in.

Related pages: Integrating Keyless with Active Directory Federation Services; AD FS 2016 Deployment Guide.

Figures on the original page (images not reproduced), in order of appearance:

  • Add Claims Provider Trust.
  • First step of the “Add Claims Provider Trust” wizard.
  • Enter the federation metadata address.
  • Add an optional display name and note.
  • Review your configuration.
  • Select “Edit Claim Rules” from the menu.
  • Rule 1: Pass through Name ID as Windows account name.
  • Rule 2: Pass through Name ID as UPN.
  • Rule 3: Set Group Keyless.
  • Go to your AD FS login page.
  • Associated identity provider.
  • After clicking “Continue”, the user authenticates with the Keyless Authenticator app.