SafeNet Agent for ADFS
Active Directory Federation Services (ADFS) provides a federated identity management solution that extends distributed identification, authentication, and authorization services to web-based applications across organization and platform boundaries.
Multi-Factor Authentication (MFA) has traditionally meant using a smart card or other second factor with AD-based authentication, such as Integrated Windows Authentication. This type of MFA can impose client-side requirements, such as smart card drivers, USB ports, or other client hardware or software that cannot always be expected with Bring Your Own Device (BYOD) client devices. ADFS introduces a pluggable MFA concept focused on integration with the ADFS policy.
ADFS authentication concepts
This section describes some important ADFS concepts.
Primary and secondary authentication
Previous versions of ADFS have supported authenticating users against Active Directory using any of the following methods:
- Integrated Windows Authentication
- Username and password
- Client certificate [client Transport Layer Security (TLS), including smart card authentication]
The above methods are still supported, but are now called “primary authentication” because Microsoft has introduced a new feature called secondary, or “additional”, authentication. This is where the SafeNet Agent for ADFS, an MFA plugin, comes in.
Secondary authentication occurs immediately after primary authentication and authenticates the same AD user. Once primary authentication has completed successfully, ADFS invokes the external authentication handler. This handler invokes an additional authentication provider, either an in-box ADFS provider or an external MFA provider, based on protocol inputs and policy. ADFS passes the primary authenticated user's identity to the additional authentication provider, which performs the authentication and hands the result back. ADFS then continues executing the authentication/authorization policy and issues the security token accordingly. A user whose primary authentication fails never reaches the additional provider.
Authentication flow
ADFS provides extensible MFA through the concept of an additional authentication provider that is invoked during secondary authentication. External providers can be registered with ADFS. Once a provider is registered, the ADFS authentication code invokes it through specific interfaces and methods that the provider implements and that ADFS calls. Because it bridges ADFS and an external authentication service, the external authentication provider is also called an ADFS MFA adapter.
Invoking MFA
There are two ways to configure ADFS to invoke MFA: through authentication policy, or through the authentication request of the WS-Federation or SAML protocol.
- Via policy, ADFS introduces a new rule set called Additional Authentication Rules that is used to trigger MFA. As with many other settings in ADFS, you can set these rules at the global level or at the relying party trust level.
- As part of the new rule set, ADFS introduces a new claim type and value to refer to MFA. When this claim type and value is issued by an additional authentication rule, ADFS invokes the external authentication handler, and hence the providers configured on the system. If more than one provider is enabled in ADFS, the user sees a method choice page that displays the friendly name of each provider and allows the user to select one by clicking on it.
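The policy path described above, as an added PowerShell example (it is not part of the Thales documentation or of the agent's installer): it lists the MFA adapters registered with the farm, enables one of them as an additional authentication provider, and issues the MFA claim from an additional authentication rule at both the global and the relying-party level, then reads back what is in effect. The provider name `SafeNetAgentForADFS` and the relying party name `Contoso Portal` are placeholders; take the real provider name from the output of `Get-AdfsAuthenticationProvider` on your own farm. The claim type, claim value and cmdlets are Microsoft's.

```powershell
# Added example: wiring an MFA adapter into ADFS policy with the ADFS PowerShell module.
# Assumptions (replace with values from your own farm):
#   $ProviderName   - the adapter name as registered with ADFS (placeholder below, look it up).
#   'Contoso Portal' - a relying party trust display name (placeholder).
Import-Module ADFS

# 1. See which additional authentication providers are registered with the farm.
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName

$ProviderName = 'SafeNetAgentForADFS'   # placeholder; must match a Name from the list above

if (-not (Get-AdfsAuthenticationProvider -Name $ProviderName -ErrorAction SilentlyContinue)) {
    throw "Provider '$ProviderName' is not registered on this farm; install the agent first."
}

# 2. Enable the adapter as an additional (secondary) authentication provider.
#    The list you pass replaces the set of enabled providers, so include every adapter you want on.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($ProviderName)

# 3. The MFA claim. Issuing this claim type and value from an additional authentication rule
#    is what makes ADFS call the external authentication handler (and so the enabled adapters).
$AuthMethodClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MfaValue        = 'http://schemas.microsoft.com/claims/multipleauthn'

# Global rule: require MFA for every request that does not originate inside the corporate network.
$ExtranetRule = @"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "$AuthMethodClaim", Value = "$MfaValue");
"@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $ExtranetRule

# Relying-party rule: always require MFA for one sensitive application, regardless of location.
$AlwaysRule = @"
=> issue(Type = "$AuthMethodClaim", Value = "$MfaValue");
"@
Set-AdfsRelyingPartyTrust -TargetName 'Contoso Portal' -AdditionalAuthenticationRules $AlwaysRule

# 4. Verify what is actually in effect; re-read these after every change rather than trusting the edit.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name 'Contoso Portal').AdditionalAuthenticationRules
```

Two caveats. The `insidecorporatenetwork` claim is only meaningful when extranet traffic reaches the farm through the Web Application Proxy; a farm that is reachable directly sees every request as internal and the extranet rule never fires. The protocol path needs no server-side rule: a WS-Federation request that carries `wauth=http://schemas.microsoft.com/claims/multipleauthn`, or a SAML AuthnRequest whose RequestedAuthnContext references that same URI, asks for the same claim value, and ADFS then invokes the enabled adapters in the same way.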
Authentication management platforms
The SafeNet Agent for ADFS supports the following authentication platforms:
- SafeNet Authentication Service Private Cloud Edition (SAS PCE) 3.9.1 and later
- SafeNet Trusted Access (STA)
User choice of authenticator
The SafeNet Agent for ADFS supports user choice of authenticator (UCA), which lets users select from their available authentication methods during ADFS sign-in. When a user signs in, they are presented with a list of the authentication methods in which they are enrolled in SAS PCE.
You must configure UCA support before users can use the UCA flow.
MobilePASS+ push OTP support
The SafeNet Agent for ADFS supports the push OTP function with MobilePASS+ for:
- SAS PCE 3.9.1 and later
- STA
Users can sign in with the push OTP function, including push with number matching.
FIDO support
SAS PCE uses FIDO (Fast IDentity Online) standards to deliver passwordless and multi-factor authentication (MFA) for enterprises. Because a FIDO authenticator binds each response to the origin it was registered with, this integration reduces password-related risk, resists phishing, and improves the overall user experience.
You must configure FIDO before users can use the FIDO flows.
System requirements
| Windows Server version | AD FS version |
|---|---|
| Windows Server 2025 | AD FS 5.0 |
| Windows Server 2022 | AD FS 2022 |
| Windows Server 2019 | AD FS 2019 |
| Windows Server 2016 | AD FS 4.0 |
- Architecture: 64-bit
- Additional software components: Microsoft .NET Framework 4.8
- Authentication methods: all authenticators and authentication methods supported by the SafeNet server
- Web browsers:
  - Microsoft Edge (not supported on mobile devices)
  - Mozilla Firefox
  - Google Chrome
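A prerequisite check for the requirements above, as an added PowerShell example that is not part of the Thales documentation or of the agent installer: it confirms that the server is 64-bit, that .NET Framework 4.8 or later is installed, and that the ADFS role and service are present before the agent is installed. The registry key and the .NET release number are Microsoft's documented values; the function names are this example's own.

```powershell
# Added example: check the agent's system requirements on an ADFS server before installation.
# Function names are this example's own; the registry key and release threshold are Microsoft's.

function Test-DotNet48OrLater {
    # .NET Framework 4.x records its build in HKLM\...\NDP\v4\Full\Release.
    # 528040 is the lowest Release value that means 4.8; later 4.8 builds and 4.8.1 are higher.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    return ($null -ne $release -and $release -ge 528040)
}

function Test-AdfsAgentPrerequisites {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results = [ordered]@{
        'Windows Server version' = $os.Caption
        '64-bit OS'              = [Environment]::Is64BitOperatingSystem
        '.NET Framework 4.8+'    = Test-DotNet48OrLater
        'ADFS role installed'    = (Get-WindowsFeature -Name ADFS-Federation).Installed
        'ADFS service present'   = $null -ne (Get-Service -Name adfssrv -ErrorAction SilentlyContinue)
    }

    # Print one line per check so the report can be pasted into a change record.
    $results.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }

    # Fail loudly if any boolean requirement is not met (the OS caption is informational only).
    $failed = $results.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value }
    if ($failed) {
        throw ('Missing prerequisites: ' + (($failed | ForEach-Object { $_.Key }) -join ', '))
    }
}

Test-AdfsAgentPrerequisites
```

Run it in an elevated PowerShell session on each ADFS server in the farm (and, if the agent is installed on them, on the Web Application Proxy servers too); the `Get-WindowsFeature` call requires the ServerManager module that ships with Windows Server.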