Securing an Existing ADFS Environment with Okta MFA
Since the introduction of Active Directory Federation Services (ADFS) in 2015, companies have been widely adopting the idea of using this technology to leverage claims-based authentication to provide a means of single sign-on for different services within their own organization or even others.
At a high level, ADFS allows a user to authenticate with Active Directory credentials from their own organization, while simultaneously providing access to a claims-aware service such as Microsoft Office 365, Salesforce, etc.
This means that applications both on-premise and off-premise can be accessed using a single factor of authentication. While this makes for a simplified means of password-management and access management for end users, meaning they will only have to remember one password, it introduces a high level of risk. If the user’s Active Directory password is compromised, any of those services will now be accessible to the malicious entity that captured the user’s password.
Some of the claims-aware services offer a means of providing multi-factor authentication (MFA). For example, Microsoft offers Azure MFA as a solution to provide multi-factor authentication to their various service offerings such as Microsoft Office 365. One problem with Azure MFA is the cost associated with it.
Microsoft offers different pricing levels for their Azure MFA offerings, but depending on the size of the organization, and/or the number of authentications processed by Azure MFA, these costs could grow very quickly. Below is the pricing model taken from the Microsoft Azure pricing site:
This is achieved by simply installing an agent that resides on your Active Directory Federation Services (ADFS) server or servers. Once the agent is installed, it must be enabled as a multi-factor option within the on-premises ADFS console.
Once the Okta MFA agent has been installed and configured, an organization can synchronize their Active Directory Users and Groups to the Okta dashboard using Okta’s AD agent. With this agent, it is possible to select which users and groups synchronize to Okta.
Once an organization has the users and groups are synchronized to the Okta dashboard, they can begin to leverage Okta’s MFA. This provides significant security for the existing ADFS environment because an attacker would not only need to compromise the user’s password(s), but also compromise their second factor of authentication.
Okta allows for various means of second-factor authentication as well, which can be selectively enabled for users within the Okta dashboard.
After the user logs in to their organization’s ADFS web interface with their Active Directory credentials, they will be prompted with options for a second factor. Some of the options and screen shots of the user experience are presented in the images below:
Okta Verify (Push):
Okta Verify (Code):
One great feature of Okta’s solution is that they make a Developer/Preview environment that can be leveraged for free as a demo. Organizations can use this preview platform as a sandbox or TEST platform for moving their services to the Okta dashboard.
This option can be found at https://developer.okta.com and provides a great option for organizations looking to familiarize themselves with the platform or to simply “test the waters”.
With Okta MFA in place, an organization can protect their ADFS environment and services provided behind it. This ensures that a much higher level of security is maintained for their end users.
With the peace of mind knowing that the existing environment is more secure, organizations can take the time needed to deploy better solutions to their end users and maintain the highest level of satisfaction.
Have questions about Okta configuration? Feel free to contact me on LinkedIn to start a conversation.
Critical Design Associates