This guide describes how you can integrate Buypass Code in Microsoft ADFS 3.0 to activate 2-factor authentication for Office365 and other applications. Buypass offers a small integration packet that works as a custom authentication provider in ADFS 3.0 to require a Buypass Code OTP for users signing in.

Technical requirements

Software requirements

• Windows 2012 R2
• .NET 4.5
• An installed and configured Buypass Code Service Connector (See Service_Connector_8.0.3_installationGuide)
• Office365 has been setup for SSO to an on-premise ADFS 3.0 server and has working SSO based on user’s existing AD password

Network connectivity

• The ADFS 3.0 integration packet needs to communicate with the Service Connector via Radius (default port 1812)

Integration setup

Buypass Code Manager configuration

Login to Buypass Code manager and create a new radius configuration. The IP-address should be the IP of the ADFS 3.0 server.

For more information about Radius configuration, see Radius klienter

Installation and configuration of Buypass Code ADFS 3.0 integration

1. Download Buypass_Code_ADFS_3_0_Integration.exe from Buypass Ekstranett.
2. Make sure you Active Directory Federation Service is running

3. Run Buypass_Code_ADFS_3_0_Integration.exe on the ADFS 3.0 server

4. Click next
   

5. Enter configurations, table bellow describes parameters

   

   Configuration parameter	Description
   Service Connector IP	IP address of the service connector
   Service Connector port	Port that the Service Connector is configured to listen to. Default is 1812
   Retries	The number of times to send Radius access request to the Service Connector if no response
   Timeout	Time in milliseconds between Radius access request retries
   Shared secret	The shared secret that is configured in Buypass Code Manager
   NAS-Identifier	Optional Radius attribute to be used to differentiate between Radius clients
   NAS-IP-Address	Optional Radius attribute to be used to differentiate between Radius clients
   Normalize user name	Check if user names should be normalized (e.g. "oott@bpcodedemo.no” and ”bplab01\oott” will be normalized to "oott")
   Display Radius response message	Check if it is desired that error messages containing more information should be displayed to the user in case of Access Reject message from Buypass
   Debug logging	Check to activate debug logging to be used while configuring or debugging the setup
   Debug log file dir	Path for log file

   
   

6. The Redundant Service Connector parameters are optional and should be entered if you a second Service Connector is used for redundancy.
7. Click next
8. Click install
9. Check the "Restart ADFS Service" check box and click Finish
   
10. In the ADFS Management view, open "Edit Global Multi-factor Authentication..."
    
11. Buypass Code should be visible as an additional authentication method
    
12. Check the Buypass Code option and click Apply
    
13. Restart the ADFS Service

14. The installation of Buypass Code ADFS 3.0 integration is now complete and after the user has entered credentials another view will be displayed and require a Buypass Code OTP before the user is authenticated.

    Image Modified

Change configuration

1. To change configurations for an existing installation, start the installer again.
2. The installer will load the settings from ADFS. (If you get an error saying that a script failed, try starting the installer again.)
3. Click Next
   
4. Click Change
   
5. Make the configuration changes and click Next
   
6. Click install
   
7. Check the Restart ADFS service check box and click Finish
   
8. The new configurations have been loaded into ADFS