Configure authenticator support

You can configure the SafeNet Agent for Active Directory Federation Services (ADFS) to support multiple types of authenticators:

• User choice of authenticator (UCA): UCA allows users to select from their available authentication methods during AD FS sign-in. When a user signs in, they are presented with a list of the authentication methods that they have enrolled in SafeNet Authentication Service Private Cloud Edition (SAS PCE).

  

• FIDO authenticators: In addition, you can configure the agent to support FIDO authenticators as one of the authentication methods that users can select.

Configure UCA support

After you install SafeNet Agent for ADFS, you can configure the agent to support UCA. Users can then choose their preferred authentication method when they sign in.

To configure UCA support, you must update the following files:

• ADFSConfig.agent is the agent configuration file.

• SAFENET-MFA.ini is the agent initialization file.

Update the agent configuration file

In the agent configuration file (ADFSConfig.agent), replace the required values with the corresponding information from SAS PCE.

1. In SAS PCE, go to System > Setup > Agent Communication with JWT Token.

   

2. Under Generate the JSON Web Token (JWT), select Generate.

   

3. Copy the entire generated JWT and paste it in a text editor.

4. In SAS PCE, go to Virtual Servers > Comms > Authentication Processing > Authentication Agent Settings.

   

5. At the end of the Token Validator URL, copy the orgCode value and paste it in the text editor.

6. On the local drive where you installed the agent, go to Program Files > SafeNet > SAS > SafeNetMFA > bin, and open the ADFSConfig.agent file in a text editor.

   

7. Locate the string:

   "AgentCommunicationJWT": "<AGENT_COMMUNICATION_JWT>"

8. Select the <AGENT_COMMUNICATION_JWT> value, and paste the JWT value that you generated in SAS PCE.

   All the content in the ADFSConfig.agent file must be in one line.

   

9. Locate the string:

   "orgCode": "<ORG_CODE>"

10. Select the <ORG_CODE> value, and paste the token validator orgCode that you copied in SAS PCE.

    

    The AD FS sign-in page can now list multiple authenticator options.

Update the INI file

Update the configuration parameters in the SAFENET-MFA.ini file.

1. On the local drive where you installed the agent, go to Program Files > SafeNet > SAS > SafeNetMFA > ini, and open the SAFENET-MFA.ini file in a text editor.

   

2. Set the IdpEnvironment value to 0 or 1:

   - `0` (Default) Indicates that UCA is enabled.
   - `1` Indicates that legacy variant of the agent is enabled.
   

3. For the AuthAttempts value, specify the maximum number of allowed authentication failure attempts. This value must exactly match the Account lock threshold that is defined in the account lockout policy in SAS PCE. The default value is 3.

4. To ensure that all changes made in the ADFSConfig.agent and SAFENET-MFA.ini files are applied successfully, on the ADFS Management Console (SafeNet Agent for ADFS), disable and then re-enable the agent.

Configure FIDO support

FIDO authenticators enable strong, phishing-resistant authentication with passkeys and platform authenticators.

After you configure UCA support, you can configure SafeNet Agent for ADFS to support FIDO authenticators. FIDO authentication does not work without UCA.

To configure FIDO support, you need to provide values in the agent configuration (ADFSConfig.agent) and initialization (SAFENET-MFA.ini) files. You can get the values from SAS PCE.

After you configure FIDO support, users can sign in with their FIDO authenticator.

1. In SAS PCE, go to System > Communications > FIDO Server Settings.

   

2. Copy the following values and paste them in a text editor:

   • FIDO URL
   • SAE URL

3. Go to Virtual Server > Self-Service > Configuring Self-Service > FIDO Enrollment.

   

4. Copy the FIDO Enrollment URL and paste it in your text editor.

5. On the local drive where you installed the agent, go to Program Files > SafeNet > SAS > SafeNetMFA > bin, and open the ADFSConfig.agent file in a text editor.

   

6. Locate the string:

   "SAE":{"url":"<SAE_URL>","realmName":"<SAE_REALM_NAME>","tenantId":"<SAE_TENANT_ID>","username":"<SAE_USERNAME>","password":"<SAE_PASSWORD>"}

7. Replace the values in the agent configuration file with the information that you copied from SAS PCE as follows:

   Value in ADFSConfig.agent	Value to use
   url	Enter the SAE URL from the FIDO Server Settings
   realmName	Enter the realm name, for example master.
   tenantId	Located at the end of the FIDO Enrollment URL, after realms.
   userName	Enter the SafeNet Access Exchange (SAE) administrator credentials.
   password	Enter the SAE administrator credentials.

   

   All the content in the ADFSConfig.agent file must be in one line.

8. On the local drive where you installed the agent, go to Program Files > SafeNet > SAS > SafeNetMFA > ini, and open the SAFENET-MFA.ini file in a text editor.

   

9. Replace the values in the agent initialization file with the information that you copied from SAS PCE as follows:

   Value in SAFENET-MFA.ini	Value to use
   FIDO2_API_URL	FIDO URL from FIDO Server Settings
   FIDO_ENROLLMENT_URL	FIDO Enrollment URL from FIDO Enrollment

10. Save both the ADFSConfig.agent and SAFENET-MFA.ini files.

11. To ensure that all changes made in the ADFSConfig.agent and SAFENET-MFA.ini files are applied successfully, on the ADFS Management Console (SafeNet Agent for ADFS), disable and then re-enable the agent.