Want to Improve ADFS Authentication? Just Add SecureAuth

March 10, 2017

 

Many organizations have already deployed and invested in an Active Directory Federation Services (ADFS) installation, providing basic authentication and access into cloud applications.

ADFS now supports limited MFA support via voice OTP, SMS OTP and Push to Accept technologies. This approach does provide a minimal approach to authentication, is it enough? The challenge is really bringing ADFS authentication up to world class levels, improving the ADFS authentication story, yet not having to replace ADFS.

The ability to leverage best-of-breed authentication techniques from a specialist security vendor such as SecureAuth without impacting an existing ADFS integration is a powerful combination.

As a security vendor it is imperative that we advise and consult on best practices to leverage existing investments, delivering value in the best way possible. Organizations should not always be restricted by the limitations of their existing platform, it should be possible to compliment those existing deployments without ripping and replacing.

ADFS allows authentication requests to be processed by dedicated Claims providers. Typically, ADFS deployments are only ever configured to use Active Directory as the claims provider. However, it need not stop there!

Once we start to combine adaptive authentication platforms such as SecureAuth with ADFS we create a very powerful solution that is configured with minimal fuss, training or end user impact. This approach would allow for the following immediate benefits:

  • Best-of-breed authentication options (25+)
  • Adaptive authentication workflows to adjust the user experience as required
  • Pre-authentication risk analysis to add detailed intelligence to the authentication flow – (Defence in depth approach using a layered approach)
  • Additional SSO support for all common web SSO protocols
  • No user experience impact

If we break this down into individual areas, we can see why this becomes a powerful combination with an existing ADFS installation.

Firstly, SecureAuth adds pre-authentication risk analysis to the authentication flow – including:

 

Adaptive Multi-factor authentication protection layers

 

From these pre-authentication checks we are adding rich intelligence into the existing ADFS workflows. This intelligence forms decisions points, allowing decisions to be made as to how a user should (or indeed if they should) proceed.

Immediately we have achieved something impressive – ADFS authentication workflows / integrations have become truly adaptive. In other words, we are now in control of which authentication options make sense based on the risk score. Not only that but now we also have the ability to perform actions based on the risk score and intelligence capture. Actions such as:

  • Step-up
  • Step-down
  • Block
  • Redirect
  • Resume Authentication

We are no longer restricted by the static nature of the ADFS workflows.

Based on the risk score and determined action points we can provide the best authentication options to the end user. (Of course as we have the intelligence provided by the layered risk analysis we can also step the user down as well.)

Available options include:

  • Voice OTP
  • SMS OTP
  • Email OTP
  • Push to Accept
  • Push OTP
  • Symbol to Accept
  • Soft Token (TOTP)
  • Hard Token
  • Smart Card
  • X509 user / device certificate
  • Device Fingerprint
  • YubiKey
  • Social ID’s
  • Kerberos/IWA
  • Static PIN
  • KBA/KBQ

We can provide friction where we need to with the most appropriate option, backed by world class threat feeds and real time intelligence.

The workflows are on a per user / identity basis, meaning the user experience can be completely tailored to suit.

The beauty of this integration is its simplicity.  By simply adding SecureAuth as a claims provider trust within ADFS for a relying party(ies) an organization benefits from the world class authentication techniques available through the SecureAuth platform. No configuration changes are required at the relying party (application) end.

Of course we can completely replace ADFS, the point being that it may not be possible to do so based on a number of factors. Nor should it be necessary to do so if an organisation chooses.

Using the above complimentary approach, you can still add the best adaptive security platform in the word to an existing ADFS deployment.  Thus removing the authentication shackles imposed by solely relying on ADFS.

Ready to learn more? Read about our unique layered approach to authentication or contact us for a personalized demo to see the SecureAuth/ADFS integration in action.

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!