
Note
This is the procedure to integrate the inWebo multi-factor authentication service with Microsoft Active Directory Federation Services 3.0.

Introduction

In-Webo provides innovative, no-hardware, 100% SaaS, strong authentication solutions for employee and consumer secure transactions.

The purpose of this guide is to explain how to use InWebo products with existing products that run as a relying party trust with ADFS 3.0 (for example MS SharePoint or MS Office 365).

ADFS v3 is fully integrated into Windows Server 2012 as a role that is activated from Server Manager.

Requirements

Before continuing, please ensure that the following requirements are fulfilled:

  • Firewalls/TCP filtering: your ADFS server needs to communicate with the InWebo cloud service, so outbound TCP traffic from your ADFS server to api.myinwebo.com on the HTTPS port (443) must be allowed and routed.

  • InWebo ADFS v3 connector binary: you'll need to install the connector on your ADFS server. You can download it directly here. Once downloaded, copy it to a location accessible from your ADFS server.

  • PKCS12 certificate file for the InWebo Web Services API access, downloaded from your MyInWebo Administration Console following these steps:

    • under the 'Secure Sites' tab, click on “Download a certificate for API access”

    • type a passphrase (7 characters or more)

    • choose a validity period (10 years by default)

    • click on “PKCS12 format (.p12)”
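The three requirements above, plus the service-account requirement stated in the note after the installation steps, can be verified before installing the connector. This is an added pre-flight script (example code, not part of the inWebo documentation), run in an elevated PowerShell session on the ADFS server; it assumes the .p12 path placeholder from this guide and that the ADFS service is named adfssrv.

```powershell
# Pre-flight check for the inWebo ADFS connector requirements (added example, not inWebo's code).
# Assumptions: $CertPath is the downloaded PKCS12 file; 'adfssrv' is the ADFS Federation Service.
param(
    [string]$CertPath = 'C:\InWebo\<cert_name>.p12',   # placeholder path taken from the guide
    [string]$ApiHost  = 'api.myinwebo.com',
    [int]   $ApiPort  = 443
)
$ok = $true

# 1. Outbound TCP 443 from this server to the inWebo API (TcpClient works on every PowerShell version)
$client = New-Object System.Net.Sockets.TcpClient
$async  = $client.BeginConnect($ApiHost, $ApiPort, $null, $null)
if ($async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected) {
    Write-Host "[OK]   TCP ${ApiHost}:${ApiPort} reachable"
} else {
    Write-Host "[FAIL] ${ApiHost}:${ApiPort} unreachable - check firewall / proxy rules"; $ok = $false
}
$client.Close()

# 2. PKCS12 file exists, opens with the passphrase, carries a private key and is not about to expire
if (-not (Test-Path $CertPath)) {
    Write-Host "[FAIL] $CertPath not found"; $ok = $false
} else {
    $pass = Read-Host -AsSecureString 'PKCS12 passphrase'
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $pass)
        if (-not $cert.HasPrivateKey) { Write-Host '[FAIL] PKCS12 contains no private key'; $ok = $false }
        elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Host "[WARN] API cert expires $($cert.NotAfter)" }
        else { Write-Host "[OK]   API cert $($cert.Subject) valid until $($cert.NotAfter)" }
    } catch {
        Write-Host "[FAIL] cannot open PKCS12 (wrong passphrase or corrupt file): $($_.Exception.Message)"; $ok = $false
    }
}

# 3. The ADFS service account must be a local administrator (requirement from the installation note)
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) {
    Write-Host '[FAIL] adfssrv service not found - is the ADFS role installed?'; $ok = $false
} elseif ((net localgroup Administrators) -contains $svc.StartName) {
    Write-Host "[OK]   ADFS runs as $($svc.StartName), member of Administrators"
} else {
    Write-Host "[FAIL] ADFS account $($svc.StartName) is not in the local Administrators group"; $ok = $false
}

if ($ok) { Write-Host 'All requirements met - proceed with the connector installation' } else { exit 1 }
```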

Creating an InWebo secure site 

  1. Open a browser and login to your InWebo administration console.

  2. Once logged in, memorize the ServiceID as this information is needed by the connector.

  3. In the “Secure Sites” tab, “Add a secure site of type…” and choose “Web Service Connector”.

  4. In the opening window, enter the following properties for the secure site:

           Called URL: https://<your_ADFS_server>/adfs/ls/idpinitiatedsignon
           Authentication page: //<your_ADFS_server>/adfs/ls/*
              Regular expression used in path = "Yes"
           Form name: loginForm
           Login field name: heliumlogin
           Password field name: token


  5. Click the “Add” button.

  6. Then click “Browser token activation” and copy the Bookmark alias (a 32-character string) to your clipboard.

Installing the InWebo ADFS3 connector 

If you have several ADFS servers in your farm, the inWebo ADFS plugin must be installed on each server.

  1. Manually create a C:\InWebo directory on your ADFS server.

  2. Copy the InWebo API certificate file (PKCS12 format) into it.

  3. Double-click the InWebo Connector installer file you downloaded.

  4. Enter “C:\InWebo” as the target destination directory.

  5. Type successively C:\InWebo\<cert_name>.p12 (or browse to it), the certificate passphrase, your InWebo serviceID, and finally paste the Secure Site Bookmark alias from the clipboard.
    (See screen capture above)

  6. Choose the right options depending on your context:

    • Browser Token parameter: this setting depends on your service type:

      1. Standard service: must be 'Virtual Authenticator'

      2. White Label service: must be 'Helium'

      3. Services created before May 10 2016: both values are acceptable (if the chosen token is activated on the service)

    • AD Attribute for login: the inWebo logins of the end users must match the selected attribute exactly, in both cases:

      1. userPrincipalName (UPN): the AD username in the 'user@domain.ext' form is used

      2. SamAccountName: the short AD username in the 'user' form is used

    • Pin Mode: this parameter lets you override the global service PIN parameter:

      1. 'Ask for pin': the connector uses the global service policy

      2. 'Force no pin': must be set if your global service policy has the PIN activated and you want inWebo authentication to be transparent for the end user. No PIN code is asked in this case; inWebo is used as a second factor only.

  7. For multiple Active Directory forests, when using the "SamAccountName" login attribute, you can provide the Global Catalog search path if needed, for example "GC://DC=mycompany,DC=com".

  8. Once all settings are correct, press the 'Install' button.

  9. Restart the ADFS service.

The installation is complete.


Important note: the service account that runs the ADFS Federation Service must have administrator rights on the server.

Activating inWebo Authentication provider in ADFS 3.0 (Windows server 2012)

To enable inWebo as an authentication method in the ADFS 3.0 management console:

In the Authentication Policies section, you'll find Multi-factor Authentication.

Edit the Global Settings and enable the inWebo Authentication Provider.

You should now see “inWebo Authentication Provider” in the “Multi-Factor authentication settings” list of your ADFS management console:

Activating inWebo Authentication provider in ADFS 4.0 (Windows server 2016)

To enable inWebo as an authentication method in the ADFS 4.0 management console:

Go to the Service / Authentication Methods section.

On this page, under the Multi-factor Authentication Methods section, you can edit your "Authentication methods".

Check inWebo Authentication Provider in the Multi-factor tab.
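The same activation step, for both the ADFS 3.0 and ADFS 4.0 sections above, can be done with the ADFS PowerShell module instead of the management console. This is an added example (not from the inWebo documentation), run in an elevated session on the primary ADFS server; it assumes the registered provider's display name contains "inWebo" and reads the internal provider name from ADFS rather than hard-coding it.

```powershell
# Enable the inWebo provider as an additional (multi-factor) authentication method (added example).
# Assumption: the connector registered a provider whose DisplayName contains "inWebo".
Import-Module ADFS

$provider = @(Get-AdfsAuthenticationProvider | Where-Object { $_.DisplayName -like '*inWebo*' })
if ($provider.Count -eq 0) {
    throw 'No inWebo provider registered: install the connector and restart adfssrv first.'
}
if ($provider.Count -gt 1) {
    throw "Ambiguous match, refine the filter: $($provider.Name -join ', ')"
}
$name = $provider[0].Name

# -AdditionalAuthenticationProvider REPLACES the whole list, so keep the providers already enabled
$policy  = Get-AdfsGlobalAuthenticationPolicy
$enabled = @($policy.AdditionalAuthenticationProvider)
if ($enabled -contains $name) {
    Write-Host "$name is already an enabled additional authentication provider"
} else {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($enabled + $name)
    Write-Host "Enabled $name as an additional authentication provider"
}

# Verify: the provider must now be listed in the global policy
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```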

