Configure Microsoft ADFS to Work with the Digipass Authentication Module
  • 13 Nov 2024


Configure the authentication type

Complete these steps to configure the authentication type in Microsoft ADFS.

To configure the authentication type

  1. Open Microsoft ADFS Management Console.

  2. Select ADFS > Services > Authentication Methods.

  3. Click Edit Multi-Factor Authentication Methods in the Actions pane.

    The Edit Authentication Methods dialog appears.

  4. In the Select additional authentication methods list, select Digipass Authentication.

  5. Click OK to close the Edit Authentication Methods dialog.

Configure Digipass Authentication Module as primary authentication method

Digipass Authentication Module can be used as a primary authentication method, so that OTPs serve as the first factor. As of Microsoft ADFS 2019, additional authentication providers can be configured as the primary authentication method.

This feature is available only on Windows Server 2019 and later.

To configure Digipass Authentication Module as primary authentication method

  1. Open Microsoft ADFS Management Console.

  2. Switch to the Service tab and click Authentication Methods.

  3. In the Actions pane, select Edit Primary Authentication Methods.

  4. In the Primary tab of the Edit Authentication Methods window, select Allow additional authentication providers as primary.

  5. Click Apply, and confirm this selection by clicking OK.

  6. Reopen the Edit Primary Authentication Methods window.

  7. In the Additional tab, clear the Digipass Authentication for Microsoft ADFS box.

  8. Switch back to the Primary tab.

  9. Select Digipass Authentication for Microsoft ADFS for Extranet, Intranet, or both, depending on which requests you want Digipass Authentication Module to authenticate. By default, both options are selected.

  10. Click Apply to confirm your choice, then click OK to close the Edit Authentication Methods window.

  11. Select the Relying Party Trusts folder, then select the entry you are using for the Digipass Authentication. In the Actions pane, select Edit Access Control Policy.

  12. Select a policy that does not require multi-factor authentication. The default setting is Permit everyone. If you configured Digipass Authentication Module to authenticate intranet requests only, you can select Permit everyone for intranet access.

  13. Click Apply to confirm your choice, then click OK to close the window.

  14. Digipass Authentication Module is now available as the primary authentication provider.

You can also allow additional authentication methods to be used as primary authentication via PowerShell (as an alternative to steps 4 and 5) by running the following command:

Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true

SSO timeout issue

Microsoft ADFS creates a web SSO session immediately after a successful AD password authentication. This session is independent of any subsequent authentication factors, i.e. Microsoft ADFS will not re-authenticate users via AD for the duration of that session.

The default web SSO lifetime is 480 minutes (8 hours). With the default ADFS configuration, up to 8 hours can pass between the two factors of authentication, which weakens the two-factor authentication. It is a trade-off between security and ease of use, where Microsoft ADFS favors ease of use by default.

To increase security, the Digipass Authentication for Microsoft ADFS setup automatically reduces the web SSO lifetime to 10 minutes. You can change this value via Edit Federation Services Properties in Microsoft ADFS Management Console.
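As an added example (not part of the original article and not OneSpan's own tooling), the following script applies the primary-authentication configuration from the procedure above and then checks the web SSO lifetime discussed in this section. It assumes the ADFS PowerShell module on the federation server and that the provider's display name contains "Digipass"; the provider's internal name is not given in the article and is looked up at run time.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the ADFS server.
# Assumption: the Digipass provider is registered with "Digipass" in its display name.
Import-Module ADFS

# Locate the provider by display name; its internal Name is needed for the policy cmdlets.
$digipass = Get-AdfsAuthenticationProvider | Where-Object { $_.DisplayName -like '*Digipass*' }
if (-not $digipass) { throw "No authentication provider with 'Digipass' in its display name is registered." }

# Steps 4-5: allow additional providers to act as primary (no-op if already enabled).
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.AllowAdditionalAuthenticationAsPrimary) {
    Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true
}

# Step 7: Digipass must not be listed as an additional (second-factor) provider once it is primary.
$remaining = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ -ne $digipass.Name })
if ($policy.AdditionalAuthenticationProvider -contains $digipass.Name) {
    if ($remaining.Count -gt 0) {
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining
    } else {
        Write-Warning "Digipass is the only additional provider; clear it in the console (step 7)."
    }
}

# Step 9: add Digipass to the primary lists for both intranet and extranet (the default selection).
$intranet = @($policy.PrimaryIntranetAuthenticationProvider) + $digipass.Name | Select-Object -Unique
$extranet = @($policy.PrimaryExtranetAuthenticationProvider) + $digipass.Name | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $intranet `
                                   -PrimaryExtranetAuthenticationProvider $extranet

# SSO timeout check: the Digipass setup reduces the lifetime to 10 minutes; flag anything longer,
# since a long web SSO session lets the second factor be skipped for its whole duration.
$props = Get-AdfsProperties
if ($props.SsoLifetime -gt 10) {
    Write-Warning "Web SSO lifetime is $($props.SsoLifetime) minutes; lowering it to 10."
    Set-AdfsProperties -SsoLifetime 10
}
```

Re-run `Get-AdfsGlobalAuthenticationPolicy` and `Get-AdfsProperties | Select-Object SsoLifetime` afterwards to confirm the resulting state matches what the Management Console shows.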
