Microsoft ADFS 3.0, ADFS 4.0 and ADFS 2019

This is the procedure to integrate the inWebo multi-factor authentication service with Microsoft Active Directory Federation Services 3.0.

Introduction

inWebo provides innovative, no-hardware, 100% SaaS, strong authentication solutions for employee and consumer secure transactions.

The purpose of this guide is to explain how to use inWebo products with the various existing products that run as a relying party trust with ADFS 3.0 (examples: MS SharePoint, MS Office 365, etc.).

ADFS v3 is fully integrated in Windows Server 2012 as a role to be activated in Server Manager.

Requirements

Before continuing, please ensure that the following requirements are fulfilled:

  • An inWebo service with administrator rights: if you don't have an inWebo service yet, you can register for a trial account here.

  • Firewalls/TCP filtering: your ADFS server needs to reach the inWebo cloud service, so outbound TCP traffic from your ADFS server to api.myinwebo.com on the HTTPS port (443) must be allowed.

  • inWebo ADFS v3 connector binary: you'll need to install the connector on your ADFS server. You can download it directly here. Once downloaded, copy it to a location accessible from your ADFS server.

  • A PKCS12 certificate file for inWebo Web Services API access, downloaded from your MyInWebo administration console following these steps:

    • under the 'Secure Sites' tab, click on "Download a certificate for API access"

    • type a passphrase (7 characters or more)

    • choose a validity period (10 years by default)

    • click on "PKCS12 format (.p12)"

Creating an inWebo secure site

  • Open a browser and log in to your inWebo administration console.

  • Once logged in, note the ServiceID, as the connector needs this value.

  • In the "Secure Sites" tab, click "Add a secure site of type…" and choose "Web Service Connector".

  • In the window that opens, enter the following properties for the secure site:

    For ADFS authentication it is mandatory to fill in the following fields:

    • Called URL: https://<your_ADFS_server>/yourApp

    • Authentication page: //<your_ADFS_server>/adfs/ls/*      (Warning: the adfs/ls path format is mandatory)

    • Wildcard used in path: Yes

    • Form name: loginForm

    • Login field name: heliumlogin

    • Password field name: token

  • Click on “Add”

  • Click on “Browser token activation”

  • Copy the "Bookmark alias" long string to your clipboard. (32 char string)

Installing the inWebo ADFS3 connector

If you have several ADFS servers in your farm, the inWebo ADFS plugin must be installed on each server.

  1. Manually create a C:\InWebo directory on your ADFS server.

  2. Copy the inWebo PKCS12 API certificate file (PKCS12 format) to it.

  3. Double-click the inWebo connector installer file you downloaded.

  4. Enter "C:\InWebo" as the target destination directory.

  5. Type successively C:\InWebo\<cert_name>.p12 (or browse to it), the certificate passphrase, your inWebo ServiceID and finally paste the secure site Bookmark alias from the clipboard.
    (See screen capture above)

  6. Choose the right options depending on your context:

  • Browser Token parameter - this setting depends on your service type:

  1. Standard service: must be 'Virtual Authenticator'

  2. White Label service: must be 'Helium'

  3. Services created before May 10 2016: both values are acceptable (if the chosen token is activated on the service)

  • AD attribute for login - the inWebo login of each end user must exactly match the chosen attribute, in either case:

  1. userPrincipalName (UPN): the AD username in the 'user@domain.ext' form is used

  2. SamAccountName: the short AD username in the 'user' form is used

  • Pin Mode - this parameter overrides the global service pin parameter:

  1. 'Ask for pin': the connector will use the global service policy

  2. 'Force no pin': must be set if your global service policy has the pin activated and you want inWebo authentication to be transparent for the end user. No pin code is asked in this case; inWebo is used as a second factor only.

  7. For multiple Active Directory forests, when using the "SamAccountName" attribute for login, you can provide the Global Catalog search path if needed, for example:

     GC://DC=mycompanu,DC=com

  8. Once all settings are correct, press the 'Install' button.

  9. Restart the ADFS service.

The installation is complete.

The service account that runs the ADFS Federation Service must have administrator rights on the server.

Activating the inWebo Authentication Provider in ADFS 3.0 (Windows Server 2012)

To enable inWebo as an authentication method in the ADFS 3.0 management console:

  • In the Authentication Policies section, open Multi-factor Authentication.

  • Edit the Global Settings and enable the inWebo Authentication Provider.

You should now see "inWebo Authentication Provider" in the "Multi-Factor authentication settings" list of your ADFS management console:

Activating the inWebo Authentication Provider in ADFS 4.0 (Windows Server 2016)

To enable inWebo as an authentication method in the ADFS 4.0 management console:

  • Open the Service / Authentication Methods section.

  • On this page, under the Multi-factor Authentication Methods section, click Edit on "Authentication methods".

  • Check inWebo Authentication Provider in the Multi-factor tab.

How to move the inWebo log storage to another destination

inWebo.log4net file modification

You will find this file at the root of the inWebo directory, C:\inwebo.

In this file, modify the line:
<file value="C:\inWebo\inwebo.log" />
replacing the path with the destination you have chosen for your logs.

You must restart the ADFS service for the change to the log storage path to take effect.

Security and installation changes for Microsoft ADFS 2019

Allow read/write permissions on c:\inwebo for the ADFS service account

Symptom: ADFS is unable to read or modify inWebo.config.

  • Check c:\inwebo\inWebo.log for a read/write error.

Operation

  1. On the c:\inwebo folder, open the security settings (Security tab of the folder properties) and click "Edit" to change permissions.

  2. Click "Add", then "Object Types", check "Service Accounts", and type the ADFS service account created in Active Directory (ex: FsGmsa).

  3. Click "OK", check the Read and Write options for the ADFS service account, and click "OK" twice to close.

The following error message should have disappeared.

Error message displayed in inWebo.log

  2019-03-19 07:47:10,797 [5] ERROR inWebo.AuthenticationAdapter - System.UnauthorizedAccessException: Access to the path 'C:\inwebo\inWebo.config' is denied.
     at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
     at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
     at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
     at System.IO.FileStream..ctor(String path, FileMode mode)
     at inWebo.AuthenticationAdapter.loadConfig()
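The same permission change done from PowerShell, followed by the log check described above, as an added example that is not part of the inWebo guide. It assumes the connector directory is C:\inwebo, that the AD FS service runs as the gMSA FsGmsa in a domain written here as CONTOSO (a placeholder), and that the AD FS Windows service is named adfssrv.

```powershell
# Added example, not from the inWebo guide. CONTOSO is a placeholder domain; FsGmsa is the
# gMSA named in the guide. A gMSA used as a security principal carries a trailing '$'.
$inWeboDir   = 'C:\inwebo'
$serviceAcct = 'CONTOSO\FsGmsa$'

# Grant Modify (read, write, delete) on the folder, inherited by files and subfolders
# ((OI) object inherit, (CI) container inherit), so inWebo.config and inWebo.log are covered.
icacls $inWeboDir /grant "${serviceAcct}:(OI)(CI)M"

# Show only the resulting ACL entries for the service account.
icacls $inWeboDir | Select-String -Pattern $serviceAcct -SimpleMatch

# Restart AD FS so the authentication adapter reloads inWebo.config under the new ACL.
Restart-Service -Name adfssrv

# The guide's check: look in inWebo.log for the access-denied error. After the fix, the
# last entry of that kind should pre-date the restart.
$log = Join-Path $inWeboDir 'inWebo.log'
if (Test-Path $log) {
    $denied = Select-String -Path $log -Pattern 'UnauthorizedAccessException' -SimpleMatch |
              Select-Object -Last 1
    if ($denied) { "Last access-denied entry (line $($denied.LineNumber)): $($denied.Line)" }
    else         { "No access-denied entries found in $log" }
}
```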

Customize HTTP security response headers in ADFS 2019 for inWebo external authentication

To protect against common security vulnerabilities and to let administrators take advantage of the latest browser-based protection mechanisms, AD FS 2019 added the ability to customize the HTTP security response headers sent by AD FS.
This is done through two new cmdlets: Get-AdfsResponseHeaders and Set-AdfsResponseHeaders.

You have to add the origin https://ult-inwebo.com to the default Content-Security-Policy header of ADFS on Windows Server 2019.
Default Windows Server 2019 Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;

PowerShell command lines to add inWebo to the Cross-Origin Resource Sharing (CORS) and Content Security Policy (CSP) headers

inWebo settings

  # ****** To check the current HTTP security settings *****
  Get-AdfsResponseHeaders

  # ****** To change the HTTP security settings for inWebo *****
  # *** Restricting access to HTTPS (HSTS) ***
  Set-AdfsResponseHeaders -SetHeaderName "Strict-Transport-Security" -SetHeaderValue "max-age=31536000; includeSubDomains"

  # *** Modifying the Content-Security-Policy value to accept scripts from ult-inwebo.com ***
  Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://ult-inwebo.com;"

  # *** Modifying the CORS values to accept access from ult-inwebo.com ***
  Set-AdfsResponseHeaders -EnableCORS $true
  Set-AdfsResponseHeaders -CORSTrustedOrigins https://ult-inwebo.com

Get-AdfsResponseHeaders result
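As an added example that is not part of the inWebo guide, the following PowerShell rebuilds the CSP from the default quoted above so that the img-src directive is kept (the one-line command above replaces the whole header value and leaves img-src out), applies the headers, and then checks the live settings. It assumes the default policy is the one shown above and uses only the cmdlet parameters already listed on this page.

```powershell
# Added example (not from the inWebo guide). Assumes the AD FS 2019 default CSP is the
# one quoted in this guide and that ult-inwebo.com is the only extra origin to allow.
$inWeboOrigin = 'https://ult-inwebo.com'
$defaultCsp   = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"

# Build the new policy directive by directive: only default-src gets the inWebo origin
# appended; every other directive (img-src here) is carried over unchanged.
$directives = $defaultCsp.Split(';') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$updated = foreach ($d in $directives) {
    if ($d -like 'default-src *' -and $d -notlike "*$inWeboOrigin*") { "$d $inWeboOrigin" }
    else { $d }
}
$newCsp = ($updated -join '; ') + ';'

# Apply HSTS, the rebuilt CSP, and CORS for the inWebo origin (same cmdlet and parameters
# the guide uses).
Set-AdfsResponseHeaders -SetHeaderName 'Strict-Transport-Security' -SetHeaderValue 'max-age=31536000; includeSubDomains'
Set-AdfsResponseHeaders -SetHeaderName 'Content-Security-Policy' -SetHeaderValue $newCsp
Set-AdfsResponseHeaders -EnableCORS $true
Set-AdfsResponseHeaders -CORSTrustedOrigins $inWeboOrigin

# Verify: render the cmdlet output as text and check that the inWebo origin appears in it,
# without depending on the output object's property names.
$headersText = Get-AdfsResponseHeaders | Out-String
if ($headersText -match [regex]::Escape($inWeboOrigin)) {
    "inWebo origin present in the AD FS response header settings"
} else {
    Write-Warning "inWebo origin not found; re-check the Get-AdfsResponseHeaders output"
}
```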

References

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs