Want to Improve ADFS Authentication? Just Add SecureAuth

March 10, 2017
James Romer

 

Many organizations have already deployed and invested in an Active Directory Federation Services (ADFS) installation, providing basic authentication and access into cloud applications.

ADFS now offers limited MFA support via voice OTP, SMS OTP and Push to Accept technologies. This does provide a minimal approach to authentication, but is it enough? The real challenge is bringing ADFS authentication up to world-class levels, improving the ADFS authentication story without having to replace ADFS.

The ability to leverage best-of-breed authentication techniques from a specialist security vendor such as SecureAuth without impacting an existing ADFS integration is a powerful combination.

As a security vendor, it is imperative that we advise and consult on best practices to leverage existing investments, delivering value in the best way possible. Organizations should not always be restricted by the limitations of their existing platform; it should be possible to complement those existing deployments without ripping and replacing.

ADFS allows authentication requests to be processed by dedicated claims providers. Typically, ADFS deployments are only ever configured to use Active Directory as the claims provider. However, it need not stop there!

Once we start to combine adaptive authentication platforms such as SecureAuth with ADFS, we create a very powerful solution that is configured with minimal fuss, training or end-user impact. This approach allows for the following immediate benefits:

  • Best-of-breed authentication options (25+)
  • Adaptive authentication workflows to adjust the user experience as required
  • Pre-authentication risk analysis to add detailed intelligence to the authentication flow (a layered, defence-in-depth approach)
  • Additional SSO support for all common web SSO protocols
  • No user experience impact

If we break this down into individual areas, we can see why this becomes a powerful combination with an existing ADFS installation.

Firstly, SecureAuth adds pre-authentication risk analysis to the authentication flow – including:

 

[Figure: Adaptive multi-factor authentication protection layers]

 

From these pre-authentication checks we are adding rich intelligence into the existing ADFS workflows. This intelligence forms decision points, allowing decisions to be made as to how a user should (or indeed whether they should) proceed.

Immediately we have achieved something impressive – ADFS authentication workflows and integrations have become truly adaptive. In other words, we are now in control of which authentication options make sense based on the risk score. Not only that, but we now also have the ability to perform actions based on the risk score and the intelligence captured. Actions such as:

  • Step-up
  • Step-down
  • Block
  • Redirect
  • Resume Authentication

We are no longer restricted by the static nature of the ADFS workflows.

Based on the risk score and the determined action points, we can provide the best authentication options to the end user. (Of course, as we have the intelligence provided by the layered risk analysis, we can also step the user down.)

Available options include:

  • Voice OTP
  • SMS OTP
  • Email OTP
  • Push to Accept
  • Push OTP
  • Symbol to Accept
  • Soft Token (TOTP)
  • Hard Token
  • Smart Card
  • X509 user / device certificate
  • Device Fingerprint
  • YubiKey
  • Social IDs
  • Kerberos/IWA
  • Static PIN
  • KBA/KBQ

We can provide friction where we need to, with the most appropriate option, backed by world-class threat feeds and real-time intelligence.

The workflows are on a per user / identity basis, meaning the user experience can be completely tailored to suit.

The beauty of this integration is its simplicity. By simply adding SecureAuth as a claims provider trust within ADFS for one or more relying parties, an organization benefits from the world-class authentication techniques available through the SecureAuth platform. No configuration changes are required at the relying party (application) end.
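
The claims provider trust described above could be set up on the ADFS server along these lines. This is an added example, not SecureAuth's or the article's own configuration: the trust name, metadata URL, relying party name and the example.com UPN suffix are placeholders, and the acceptance rules show one assumed least-privilege policy.

```powershell
# Assumptions (placeholders, not from the article): trust name, metadata URL,
# relying party name and the example.com UPN suffix.
$cpName      = 'SecureAuth IdP'
$metadataUrl = 'https://idp.example.com/placeholder/FederationMetadata.xml'
$rpName      = 'Example Cloud App'

# Acceptance rules: take only the claims the relying parties need, and only
# UPNs in the organization's own namespace, instead of passing everything through.
$acceptRules = @'
@RuleName = "Accept UPN for example.com only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   Value =~ "(?i)^[^@]+@example\.com$"]
 => issue(claim = c);

@RuleName = "Accept authentication method"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"]
 => issue(claim = c);
'@

# 1. Register the external IdP as a claims provider trust from its SAML metadata.
#    Monitoring flags metadata drift; with auto-update off, a signing
#    certificate rollover is applied as a reviewed change.
Add-AdfsClaimsProviderTrust -Name $cpName -MetadataUrl $metadataUrl `
    -AcceptanceTransformRules $acceptRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $false

# 2. Route only the chosen relying party to the new provider; all other
#    relying parties keep authenticating against Active Directory.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($cpName)

# 3. Verify what ADFS now trusts: the provider, its signing certificate,
#    and which provider the relying party is bound to.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
$cp | Select-Object Name, Identifier, Enabled, AutoUpdateEnabled
$cp.TokenSigningCertificates | Select-Object Subject, Thumbprint, NotAfter
(Get-AdfsRelyingPartyTrust -Name $rpName).ClaimsProviderName
```

The relying party trust itself is untouched apart from the provider binding, which matches the point that nothing changes at the application end.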

Of course, we can completely replace ADFS; the point is that it may not be possible to do so, based on a number of factors. Nor should it be necessary if an organisation chooses not to.

Using the above complementary approach, you can still add the best adaptive security platform in the world to an existing ADFS deployment, thus removing the authentication shackles imposed by relying solely on ADFS.

Ready to learn more? Read about our unique layered approach to authentication or contact us for a personalized demo to see the SecureAuth/ADFS integration in action.
