Two Factor Auth with ADFS 2.0?
-
Hi Da,
We will be providing more information on 2FA support together with ADFS2.0 and O365 shortly. In the meantime there are a few scenarios that we will support (that you could try out in Beta).
If you want to secure all your external originating client requests with 2FA (using RSA), there are 2 options for you - as long as you are securing web apps (like OWA, SharePoint etc - rich client apps like Outlook and Lync are not supported with 2FA currently in this mode):
1. Deploy an AD FS 2.0 proxy in your DMZ and then customize the AD FS proxy login page (which is an ASPX page) to integrate with the RSA servers. We don't yet have sample code for this I'm afraid, but we'll likely have something on this in the future.
2. Deploy ForeFront UAG SP1 in your DMZ. This proxy will publish the AD FS endpoints, and in addition to all the other great gateway features UAG has, it also boasts out of the box integration with RSA (plus libraries for integrating with other 2FA technologies). See:
· Overview of AD FS 2.0 with Forefront UAG
· Remote partner employee access using claims (this is similar to the Office 365 scenarios)
· Deploying Forefront UAG with AD FS 2.0
· Planning for front-end authentication (how to enable two-factor authentication)
Hope this helps. Please let me know if there are other scenarios that you are interested in for 2FA. I'd love to hear if you have any 2FA requirements around rich client and/or smart phones.
Dan.
-
Thanks for the info Dan, I'll engage the policy makers and let them do their thing.
I know all client access requests originating from the internet are in scope for 2-Factor auth, which would include fat clients like Outlook rpc over https and Lync.
Intranet-originating requests are normal internal adfs 2.0 pass-through auth.
I suspect I will need to be getting up to speed on the new Forefront very shortly. Even if we can only secure internet-originating OWA requests with two-factor, that would still be better than nothing.
Thanks,
Da