Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Users are authenticated through more than one required security and validation step, each relying on something only they know or have access to. Acceptto™ integrates Salesforce.com™ with Active Directory for single sign-on (SSO) MFA provisioning. SSO refers to the technology for the user authentication process that allows access to multiple applications with one set of user credentials. Cloud SSO has become desirable as more companies adopt applications spanning multiple cloud services. However, providers must not jeopardize security. Acceptto MFA ensures that customers and providers get the convenience of cloud SSO without its potential security risks. Acceptto adds multi-factor authentication for Salesforce.com via the Acceptto AD FS MFA authentication provider.
- Sign up for an Acceptto account here, download the It’sMe™ mobile app and sign in with your account.
- From an Organizational Admin account, log in to the Acceptto Admin Panel and navigate to Applications.
- Click the New Application button to make an application for protecting the AD FS and get your UID and Secret codes (See Setting Up for help).
Treat your UID and Secret code like any sensitive credential. Don't share them with unauthorized individuals or email them to anyone under any circumstances!
- Once the application is created, add usernames to the application by selecting the control “Usernames.” Add the usernames and emails of the users that are going to be logging in using AD FS.
- Download the Acceptto AD FS MFA authentication provider. Please contact firstname.lastname@example.org for the download link.
- Install the “Remote Server Administration Tools” feature on the AD FS server.
Install Acceptto AD FS MFA Authentication Provider
- Run the Acceptto AD FS MFA authentication provider installer as a user with administrator privileges on each of your AD FS servers.
- Enter your UID and Secret code that you obtained in the Initial Steps when you created the application and finish the installation. Then, restart the server.
Configure AD FS Multi-factor Authentication
- Launch the AD FS Management console on your server. Expand AD FS, click Authentication Policies, then click Edit Global Multi-factor Authentication.
- On the Multi-factor tab, check the box next to the Acceptto Authentication Provider and click OK.
- You need the following information, which can be found under Service | Endpoints | Metadata, to configure Salesforce in the next section (replace <AD FS FQDN> with the fully qualified domain name of your AD FS server):
  - AD FS metadata URL (can be used for automatic configuration of the Service Provider in Salesforce.com): https://<AD FS FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
  - AD FS SAML 2.0 URL (Identity Provider Login URL in Salesforce.com): https://<AD FS FQDN>/adfs/ls/
  - AD FS trust URL (Issuer Address in Salesforce.com): http://<AD FS FQDN>/adfs/services/trust
Salesforce Custom Domain and Configuration
Salesforce SSO requires a custom domain. If you don't already have a domain for your organization, create one, and enable SSO on it.
- Sign in to your Salesforce site as an administrator and type My Domain in the quick find box located in the top-left corner of the page. Then, create a subdomain.
- Sign out and back in as an administrator using your new domain. Navigate back to the My Domain page and click the Deploy to Users button.
- Type Single Sign-On in the quick find box and click on it.
- On the Single Sign-On Settings page, click Edit and check the SAML Enabled box to enable the use of SAML Single-Sign-On, then click Save.
- Click the New SAML Single Sign-on Settings button.
- Enter the following (unless otherwise noted, leave the default values as-is) and click Save.
Name: Enter a name
SAML Version: 2.0
Issuer: http://adfs2.lab.acceptto.com/adfs/services/trust [change “adfs2.lab.acceptto.com” to your AD FS FQDN]
Identity Provider Certificate: Browse and select the token-signing certificate you exported from your AD FS server. Note that Salesforce does not accept a self-signed certificate: use a valid certificate and make sure you have removed any self-signed certificate from the Certificates section of your AD FS management console.
Request Signing Certificate: Select as default or a self-signed certificate you created earlier at your salesforce domain.
Request Signature Method: RSA-SHA-1
SAML Identity Type: Assertion contains the Federation ID from the User object
SAML Identity Location: Identity is in the NameIdentifier element of the Subject statement
Service Provider Initiated Request Binding:
Identity Provider Login URL: https://adfs2.lab.acceptto.com/adfs/ls/ [change “adfs2.lab.acceptto.com” to your AD FS FQDN and be sure to insert a slash at the end of the URL]
Custom Logout URL: You can configure a URL to which the user is sent after logging out; for example https://acceptto.com/
API Name: Enter an API name of your choice
Entity ID: https://acceptto-dev-ed.my.salesforce.com [Change “acceptto-dev-ed” to your custom domain name]
- Download the metadata file to import into AD FS when creating the Salesforce relying party in the next section.
- Type My Domain in the quick find box and click on it. In the Authentication Configuration tab, click Edit.
- In the Authentication Service, check the box next to the Acceptto instance you’ve set up in Single-Sign-On settings.
- Now, when you go to your Salesforce custom domain, a webpage similar to the following will be shown:
- Type Users in the quick find box and click on it. Then, edit the users that should be authenticated with Acceptto MFA for cloud SSO.
- Set the Federation ID to the user’s Acceptto It’sMe account.
Create and Configure Salesforce Relying Party in AD FS
- Launch the AD FS Management console on your server. Click Action and then Add Relying Party Trust.
- Click Next and import your Salesforce metadata file which you downloaded in the previous section.
- Set a Name and click Next and continue with the defaults.
- At the Finish window, ensure the box is checked and click Close.
- A new window comes up. Click Add Rule and continue as shown in the following pictures. We are going to send the email address of our Active Directory users to Salesforce as the Name ID (our users' Salesforce Federation ID). The email addresses of our Active Directory users are also their Acceptto It’sMe™ account user names.
- At the Relying Party Trusts of AD FS management console, click on your Acceptto Salesforce relying party. In the Advanced tab, change the secure hash algorithm to SHA-1.
- Expand Authentication Policies, click Per Relying Party Trust and right-click the relying party where you want to apply Acceptto MFA. Choose Edit Custom Multi-factor Authentication. On the Multi-factor tab, select the Devices and Locations you need and click OK.
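The AD FS side of this section, together with the global MFA provider setting from the earlier section, as a PowerShell script. This is an added example, not Acceptto's own tooling; it assumes the AD FS PowerShell module is available on the AD FS server, that the installed provider registered a name containing "Acceptto", that the Salesforce metadata file was saved as C:\temp\SalesforceMetadata.xml, and that the relying party is named "Acceptto Salesforce".

```powershell
# Added example (not part of the Acceptto guide): scripts the AD FS side of this
# procedure with the AD FS PowerShell module, run on an AD FS server.
# Assumptions: the provider registered itself under a name containing "Acceptto",
# and the Salesforce metadata was saved to C:\temp\SalesforceMetadata.xml.
Import-Module ADFS

# 1. Find the Acceptto MFA provider the installer registered and enable it globally
#    (the same as ticking it under Edit Global Multi-factor Authentication).
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -like '*Acceptto*' }
if (-not $provider) { throw 'Acceptto authentication provider not registered; install it first.' }
$policy = Get-AdfsGlobalAuthenticationPolicy
$providers = @($policy.AdditionalAuthenticationProvider) + $provider.Name | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

# 2. Claim rules: look up the user's AD mail attribute and issue it as the SAML
#    Name ID, which Salesforce matches against the user's Federation ID.
$emailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail to email claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email as Name ID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# 3. Require MFA on every sign-in to this relying party (the per-relying-party policy).
$mfaRules = '=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

# 4. Create the relying party trust from the downloaded Salesforce metadata.
Add-AdfsRelyingPartyTrust -Name 'Acceptto Salesforce' `
    -MetadataFile 'C:\temp\SalesforceMetadata.xml' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -AdditionalAuthenticationRules $mfaRules

# 5. Match the signature hash to the Request Signature Method chosen in Salesforce.
#    The guide uses RSA-SHA-1; SHA-1 is deprecated, so if your org is set to
#    RSA-SHA256 use http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 on both sides.
Set-AdfsRelyingPartyTrust -TargetName 'Acceptto Salesforce' `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# 6. Show what was configured so it can be checked against the Salesforce settings.
Get-AdfsRelyingPartyTrust -Name 'Acceptto Salesforce' |
    Select-Object Name, Identifier, SignatureAlgorithm, AdditionalAuthenticationRules
```

The Identifier shown at the end must equal the Entity ID entered in Salesforce, and the signature algorithm must match the Request Signature Method there, or SP-initiated logins will fail signature validation.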
Test Your Setup
Open your browser and go to your Salesforce custom domain page.
Click on your Acceptto MFA link which redirects you to the AD FS login page. Log in with your user credentials. Note that the user is now requested to perform Multi-Factor Authentication using the Acceptto It’sMe mobile application before access is allowed.
As you can see, the user logged in with Active Directory credentials protected by Acceptto MFA, rather than with a Salesforce account.
Uninstalling the Acceptto AD FS MFA Authentication Provider
The Acceptto AD FS MFA authentication provider is an in-process DLL; as such, the Microsoft™ AD FS service must be stopped before removing the product. Before you begin, note that while the AD FS service is stopped, the server will not be able to process user authentication to Salesforce.
- Select the Windows menu, Administrative Tools, Services.
- Locate the Active Directory Federation Services service.
- Select Stop the service.
- Right-click the Windows menu and select Programs and Features.
- Locate the Acceptto Corporation program and select Uninstall.
- Once the uninstall is complete, repeat steps 1 and 2 and select Start the service.
- The uninstall is complete.
If you require assistance, please email us at email@example.com
Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the Acceptto Corporation.
Salesforce and Salesforce.com are either registered trademarks or trademarks of Salesforce.com, inc. and/or one or more of its subsidiaries in the United States and/or other countries.
'Active Directory' and Microsoft are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.