Strong authentication for applications connected to Microsoft ADFS

Extra security for sensitive applications

Since 2015, SURFconext Strong Authentication has made it possible to make cloud services connected to SURFconext more secure by using a second factor, in addition to the username/password combination. Until recently, using SURFconext Strong Authentication was not possible for applications connected to Microsoft Active Directory Federation Services (ADFS).

A SURFnet survey showed that institutions feel that this is desirable. For example, some applications connected to ADFS allow users access to privacy-sensitive data. Other applications manage critical business processes. Institutions want better security for these types of sensitive applications.

Plug-in for ADFS

SURFnet set to work to meet this demand. We wrote a Multi-Factor Authentication (MFA) plug-in for ADFS. This plug-in allows multi-factor authentication via SURFconext Strong Authentication for applications connected to their own ADFS.

Many institutions connected to SURFconext use ADFS. ADFS makes it possible to set up a federated identity with SURFconext, for example. This allows the institution’s users to log on to SURFconext with the username and password they use for their own institution.

Multi-factor authentication via ADFS

ADFS also offers the option of multi-factor authentication. The first factor (username and password combination) is still handled via Microsoft Active Directory Domain Services (ADDS). The second factor requires a plug-in for ADFS. The plug-in we developed ensures that SURFconext Strong Authentication handles the second factor.

Multi-factor authentication process

The multi-factor authentication of the applications then occurs as follows:

1. The user goes to the application connected to ADFS. The user is then redirected to ADFS, which asks the user for his or her username and password.
2. ADDS authenticates the user based on their entry. If the authentication is successful, this is passed on to ADFS.
3. ADFS now starts the authentication’s second factor using the ADFS plug-in for SURFconext Strong Authentication. In SURFconext Strong Authentication, the user chooses their own authentication method (tiqr, SMS or a YubiKey). If the authentication is successful, this is passed on to ADFS.
4. If the multi-factor authentication is successful, the user is directed back to the application for access.

Successful experiences with plug-in

In the past few months, a first pilot using this plug-in was set up in collaboration with Windesheim University of Applied Sciences and Clusius College. These institutions have installed the ADFS plug-in in their test environment and tested SURFconext Strong Authentication with their applications.

The use of the plug-in was very successful in the initial pilots. It makes it possible for multi-factor authentication to be to required or not required for ADDS security groups for each federated application. This scenario turned out to be very workable in practice, so Clusius and Windesheim were enthusiastic about the plug-in. 

Connecting to other authentication systems

The ADFS MFA plug-in uses a standardised SURFconext Strong Authentication interface. Other authentication systems used at institutions can also use this SURFconext Strong Authentication interface. Institutions have already connected in the past from Citrix Netscaler and F5 BIG-IP. We have also done this now with ADFS by using a plug-in.

Want to participate in the pilot?

The pilot period for the plug-in will continue until April 2018. During this period, support will be provided to allow institutions to find out whether this is something they want. If you are interested in using the plug-in, or if you want to use SURFconext Strong Authentication with another existing authentication system, please contact the SURFconext team at info@surfconext.nl.