Workforce Docs
SDKWorkforceEnd User GuideSupport
Searchโ€ฆ
๐Ÿ‘‹
Welcome
๐Ÿ”‘
Why Go Passwordless?
๐Ÿ“ข
Internal Communication
๐ŸŽง
Helpdesk Onboarding
Identity and Access Mgmnt
Okta
AWS Cognito
ForgeRock
Auth0
OneLogin
Ping Identity
Microsoft ADFS
Prerequisites
Integration
Authentication
Troubleshooting
Salesforce
Extensions
RADIUS
Workstation
Windows Login
RDP Access
VDI Access
VPN
Fortinet FortiClient
Palo Alto Networks GlobalProtect
OpenVPN
Check Point VPN
Powered By GitBook
Authentication
Configure Keyless as an MFA method for your ADFS connected applications.
This guide details the steps required to configure Keyless to be used as the authentications method for your ADFS instance.
Please complete Integrating Keyless with Active Directory Federation Services before moving on to this guide.
This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (ADFS) 2016 or 2019.
For more information on installing ADFS, please see the ADFS 2016 Deployment Guide.

Step 1: Create Claims Provider Trust

Login to your ADFS Management portal from your Server Manager by clicking "Tools" from the top navigation bar and selecting "AD FS Management
Once you are in the AD FS Management Portal, right click on โ€œRelying Party Trustโ€ and select โ€œAdd Relying Party Trustโ€ฆโ€ from the right-pane menu, as shown in the image below.
Add Claims Provider Trust.
This will open a 4-step wizard. In the first step of the wizard, select the default value of โ€œClaims Awareโ€ and click โ€œStartโ€.
First step of "Add Claims Provider Trust" wizard.
โ€‹
In the following screen, import data about the claims provider published online. Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://<acme-idp>.keyless.technology/metadata/ where <acme-idp> represents the handle used to identify your instance.
For provisioning questions, contact [email protected]io
Enter the federation metadata address.
You may now optionally change the Display name for the claims provider, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click โ€œNextโ€ once done.
Add an optional display name and note.
The next step, called โ€œReady to Add Trustโ€, is an overview of the configuration from the previous steps. Please take a minute to review the parameters configured.
Review your configurations.

Step 2: Configure Claim Rules

After completing Step 1 above, you should be able to see the new Claims Provider Trust youโ€™ve just created under the โ€œClaims Provider Trustโ€ folder in your AD FS Management Portal.
Right-click on the Claims Provider Trust youโ€™ve just added, and select โ€œEdit Claim Rulesโ€ from the menu.
Select "Edit Claim Rules" from the menu.
In this step you will define the rules that will transform the claims sent to the AD FS from Keyless.
Go ahead and define three rules by clicking โ€œAdd Ruleโ€ in the bottom part of the dialog:
Rule 1: Pass through Name ID as Windows account name
  • Rule Template: Transform an incoming claim
  • Claim rule name: โ€œPass through Name ID as Windows account name"
  • Incoming claim type: Name ID
  • Incoming name ID format: Unspecified
  • Outgoing claim type: Windows account name
  • Select the "Pass through all claim values" bullet button.
Rule 1: Pass through Name ID as Windows account name
Rule 2: Pass through Name ID as UPN
  • Rule Template: Transform an incoming claim
  • Claim rule name: โ€œPass through Name ID as UPN"
  • Incoming claim type: Name ID
  • Incoming name ID format: Unspecified
  • Outgoing claim type: UPN
  • Select the "Pass through all claim values" bullet button.
Rule 2: Pass through Name ID as UPN
Rule 3: Set Group Keyless
  • Rule Template: Send Claims Using a Custom Rule
  • Claim rule name: โ€œSet Group Keyless"
  • Custom rule: c:[] => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);
Rule 3: Set Group Keyless
Click "Apply" and "OK" to save your changes.
Please open PowerShell as administrator on your ADFS and enter this command (after replacing <keyless-registration-domain> with the domain provided to you by Keyless):
Set-AdfsRelyingPartyTrust -TargetName <keyless-registration-domain> -ClaimsProviderName @("Active Directory")

Congratulations, you can now use Keyless to authenticate to your ADFS connected applications! ๐Ÿ˜Ž

Verifying that ADFS and Keyless IdP is configured

This assumes that there is at least one user already enrolled with Keyless and that can be used for this test.
Go to https://<your-adsf-domain>/adfs/ls/idpinitiatedsignon.htm and select the "Sign in to this site" option.
Go to your ADFS login page.
Click on the identity provider associated with Keyless IdP:
Associated identity provider.
Here, provide the username (UPN format) of the test user and click the 'Continue' button.
After clicking 'Continue', the user should authenticate with the Keyless Authenticator app.
At this point, the user should receive a push notification to the Keyless Authenticator app on his mobile phone. Once authenticated on the phone, the user should be logged in.
Previous
Integration
Next
Troubleshooting
Last modified 1yr ago
Export as PDF
Copy link
Outline
Step 1: Create Claims Provider Trust
Step 2: Configure Claim Rules
Congratulations, you can now use Keyless to authenticate to your ADFS connected applications! ๐Ÿ˜Ž
Verifying that ADFS and Keyless IdP is configured