This guide describes how you can integrate Buypass Code in Microsoft ADFS 3.0 to activate 2-factor authentication for Office365 and other applications. Buypass offers a small integration packet that works as a custom authentication provider in ADFS 3.0 to require a Buypass Code OTP for users signing in.
Technical requirements
Software requirements
- Windows 2012 R2
- .NET 4.5
- An installed and configured Buypass Code Service Connector (See Service_Connector_8.0.3_installationGuide)
- Office365 has been set up for SSO to an on-premise ADFS 3.0 server and has working SSO based on the user's existing AD password
Network connectivity
- The ADFS 3.0 integration packet needs to communicate with the Service Connector via Radius (default port 1812)
Integration setup
Buypass Code Manager configuration
Log in to Buypass Code Manager and create a new Radius configuration. The IP address should be the IP of the ADFS 3.0 server.
For more information about Radius configuration, see the Radius clients (Radius klienter) page.
Installation and configuration of Buypass Code ADFS 3.0 integration
- Download Buypass_Code_ADFS_3_0_Integration.exe from Buypass Ekstranett.
- Make sure your Active Directory Federation Service is running
- Run Buypass_Code_ADFS_3_0_Integration.exe on the ADFS 3.0 server
- Click next
- Enter the configuration; the table below describes the parameters
  Configuration parameter: Description
  - Service Connector IP: IP address of the Service Connector
  - Service Connector port: Port that the Service Connector is configured to listen on. Default is 1812
  - Retries: The number of times to send the Radius access request to the Service Connector if no response is received
  - Timeout: Time in milliseconds between Radius access request retries
  - Shared secret: The shared secret that is configured in Buypass Code Manager
  - NAS-Identifier: Optional Radius attribute used to differentiate between Radius clients
  - NAS-IP-Address: Optional Radius attribute used to differentiate between Radius clients
  - Normalize user name: Check if user names should be normalized (e.g. "oott@bpcodedemo.no" and "bplab01\oott" will both be normalized to "oott")
  - Display Radius response message: Check if error messages containing more information should be displayed to the user when Buypass returns an Access Reject message
  - Debug logging: Check to activate debug logging, to be used while configuring or debugging the setup
  - Debug log file dir: Path for the log file
- The Redundant Service Connector parameters are optional and should be entered if a second Service Connector is used for redundancy.
- Click next
- Click install
- Check the "Restart ADFS Service" check box and click Finish
- In the ADFS Management view, open "Edit Global Multi-factor Authentication..."
- Buypass Code should be visible as an additional authentication method
- Check the Buypass Code option and click Apply
- Restart the ADFS Service
The installation of the Buypass Code ADFS 3.0 integration is now complete. After the user has entered credentials, an additional view is displayed that requires a Buypass Code OTP before the user is authenticated.
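The configuration parameters above (Shared secret, Retries, Timeout, NAS-Identifier, NAS-IP-Address, Normalize user name, and the Reply-Message behind "Display Radius response message") all map onto the Radius Access-Request/Access-Reject exchange between the ADFS server and the Service Connector. The following is an added example, not Buypass's integration code: a minimal RFC 2865 Radius client in Python that shows what each parameter does on the wire. It assumes the OTP is carried in the User-Password attribute with standard PAP encoding (the page does not say how the OTP is transported), that "Retries" counts re-sends after the first request, and uses constructed values (secret, authenticator, user names, OTP, NAS values) for the offline test. It also verifies the Response Authenticator of every reply with the shared secret, so a reply from a host that does not hold the secret is discarded rather than trusted.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet codes and attribute types used by this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 18, 32


def normalize_user_name(name):
    """Mirror the 'Normalize user name' option: strip a DOMAIN\\ prefix and an @domain suffix.
    'oott@bpcodedemo.no' and 'bplab01\\oott' both become 'oott' (assumed rule, matches the guide's examples)."""
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def pap_decode(encoded, secret, authenticator):
    """Inverse of pap_encode (what the Service Connector does before checking the OTP)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(x ^ y for x, y in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00").decode()


def attr(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, otp, secret, authenticator, nas_identifier=None, nas_ip=None):
    """Access-Request carrying the (normalized) user name, the PAP-hidden OTP and the optional NAS attributes."""
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += attr(ATTR_USER_PASSWORD, pap_encode(otp, secret, authenticator))
    if nas_identifier:
        attrs += attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode())
    if nas_ip:
        attrs += attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    """Return {type: [value, ...]} for a sequence of TLV attributes."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break  # malformed attribute: stop rather than read past the packet
        attrs.setdefault(attr_type, []).append(data[i + 2:i + length])
        i += length
    return attrs


def response_authenticator_valid(resp, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); proves the reply came
    from a holder of the shared secret and belongs to our request."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    return resp[4:20] == expected


def parse_response(resp, request_authenticator, secret):
    """Return (code, identifier, reply_messages); raises if the reply does not verify."""
    if not response_authenticator_valid(resp, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    code, ident, length = struct.unpack("!BBH", resp[:4])
    attrs = parse_attrs(resp[20:length])
    messages = [m.decode(errors="replace") for m in attrs.get(ATTR_REPLY_MESSAGE, [])]
    return code, ident, messages


def build_response(code, ident, request_authenticator, secret, reply_message=None):
    """Constructed server reply for offline testing (e.g. Access-Reject with a Reply-Message)."""
    attrs = attr(ATTR_REPLY_MESSAGE, reply_message.encode()) if reply_message else b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def authenticate(server_ip, port, secret, user, otp, retries=2, timeout_ms=3000,
                 nas_identifier=None, nas_ip=None, normalize=True):
    """Send one Access-Request, re-sending up to `retries` times with `timeout_ms` between attempts.
    Returns (True/False, reply messages) or (None, []) when the Service Connector never answered."""
    if normalize:
        user = normalize_user_name(user)
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    pkt = build_access_request(ident, user, otp, secret, authenticator, nas_identifier, nas_ip)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout_ms / 1000)
    try:
        for _ in range(retries + 1):
            sock.sendto(pkt, (server_ip, port))
            try:
                data, _peer = sock.recvfrom(4096)
            except socket.timeout:
                continue
            code, rid, messages = parse_response(data, authenticator, secret)
            if rid != ident:
                continue  # reply to some other request; keep waiting
            return code == ACCESS_ACCEPT, messages
    finally:
        sock.close()
    return None, []
```

`authenticate()` returns `None` rather than `False` when every attempt timed out, so a caller can distinguish "Service Connector unreachable on UDP 1812" (check firewall rules and the redundant Service Connector) from a genuine Access-Reject, whose Reply-Message is what the "Display Radius response message" option would show to the user.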
Change configuration
- To change configurations for an existing installation, start the installer again.
- The installer will load the settings from ADFS. (If you get an error saying that a script failed, try starting the installer again.)
- Click Next
- Click Change
- Make the configuration changes and click Next
- Click install
- Check the "Restart ADFS Service" check box and click Finish
- The new configurations have been loaded into ADFS