Authentication
Configure Keyless as an MFA method for your ADFS connected applications.
This guide details the steps required to configure Keyless to be used as the authentications method for your ADFS instance.
Please complete Integrating Keyless with Active Directory Federation Services before moving on to this guide.
This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (ADFS) 2016 or 2019.
For more information on installing ADFS, please see the ADFS 2016 Deployment Guide.

Step 1: Create Claims Provider Trust

Login to your ADFS Management portal from your Server Manager by clicking "Tools" from the top navigation bar and selecting "AD FS Management
Once you are in the AD FS Management Portal, right click on “Relying Party Trust” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.
Add Claims Provider Trust.
This will open a 4-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.
First step of "Add Claims Provider Trust" wizard.
In the following screen, import data about the claims provider published online. Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://<acme-idp>.keyless.technology/metadata/ where <acme-idp> represents the handle used to identify your instance.
For provisioning questions, contact [email protected]io
Enter the federation metadata address.
You may now optionally change the Display name for the claims provider, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.
Add an optional display name and note.
The next step, called “Ready to Add Trust”, is an overview of the configuration from the previous steps. Please take a minute to review the parameters configured.
Review your configurations.

Step 2: Configure Claim Rules

After completing Step 1 above, you should be able to see the new Claims Provider Trust you’ve just created under the “Claims Provider Trust” folder in your AD FS Management Portal.
Right-click on the Claims Provider Trust you’ve just added, and select “Edit Claim Rules” from the menu.
Select "Edit Claim Rules" from the menu.
In this step you will define the rules that will transform the claims sent to the AD FS from Keyless.
Go ahead and define three rules by clicking “Add Rule” in the bottom part of the dialog:
Rule 1: Pass through Name ID as Windows account name
  • Rule Template: Transform an incoming claim
  • Claim rule name: “Pass through Name ID as Windows account name"
  • Incoming claim type: Name ID
  • Incoming name ID format: Unspecified
  • Outgoing claim type: Windows account name
  • Select the "Pass through all claim values" bullet button.
Rule 1: Pass through Name ID as Windows account name
Rule 2: Pass through Name ID as UPN
  • Rule Template: Transform an incoming claim
  • Claim rule name: “Pass through Name ID as UPN"
  • Incoming claim type: Name ID
  • Incoming name ID format: Unspecified
  • Outgoing claim type: UPN
  • Select the "Pass through all claim values" bullet button.
Rule 2: Pass through Name ID as UPN
Rule 3: Set Group Keyless
  • Rule Template: Send Claims Using a Custom Rule
  • Claim rule name: “Set Group Keyless"
  • Custom rule: c:[] => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);
Rule 3: Set Group Keyless
Click "Apply" and "OK" to save your changes.
Please open PowerShell as administrator on your ADFS and enter this command (after replacing <keyless-registration-domain> with the domain provided to you by Keyless):
Set-AdfsRelyingPartyTrust -TargetName <keyless-registration-domain> -ClaimsProviderName @("Active Directory")

Congratulations, you can now use Keyless to authenticate to your ADFS connected applications! 😎

Verifying that ADFS and Keyless IdP is configured

This assumes that there is at least one user already enrolled with Keyless and that can be used for this test.
Go to https://<your-adsf-domain>/adfs/ls/idpinitiatedsignon.htm and select the "Sign in to this site" option.
Go to your ADFS login page.
Click on the identity provider associated with Keyless IdP:
Associated identity provider.
Here, provide the username (UPN format) of the test user and click the 'Continue' button.
After clicking 'Continue', the user should authenticate with the Keyless Authenticator app.
At this point, the user should receive a push notification to the Keyless Authenticator app on his mobile phone. Once authenticated on the phone, the user should be logged in.