on Jun 14, 2016Article Content
| Article Number | 000029586 |
| Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.1.0 Platform: VMware Platform (Other): null O/S Version: null Product Name: RSA-0010810 Product Description: RSA-0010810 |
| Resolution | Through the AD FS Management tool, one can set a global authentication policy that applies to all relying party apps, or a per relying party trust policy that applies to a specific replying party app. The first screen shot below shows an example of a global policy configured to require all extranet users to use multi-factor authentication (MFA) when accessing any web app protected by AD FS. Note the extranet and intranet checkboxes. Extranet means that the authentication request is coming through a Web Application Proxy (see https://technet.microsoft.com/en-us/library/hh831502.aspx). MFA policy can also be applied to specific users and groups as well as to registered and unregistered devices. (Device registration is Microsoft’s lightweight domain registration support where a device like an iPhone can be registered and used as an authentication factor.) When requiring a user or group to use MFA, it is Active Directory users and groups that are used. (AD FS can be thought of as an IDP for Active Directory.) The second screen shot shows an example of an MFA policy defined for a specific relying party app, Outlook Web App (OWA). The policy requires that external users of OWA perform a SecurID authentication. Internal users of OWA are not required to perform a SecurID authentication. OWA is an example of an Office 365 web app. |
