000029586 - How to selectively challenge users and applications with RSA AD FS agent

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Dec 11, 2019
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000029586
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: VMware
Product Name: RSA-0010810
Product Description: RSA-0010810

Through the AD FS Management tool, one can set a global authentication policy that applies to all relying party apps, or a per a relying party trust policy that applies to a specific relying party app. The first screenshot below shows an example of a global policy configured to require all extranet users to use multi-factor authentication (MFA) when accessing any web app protected by AD FS.


 User-added image

Note the extranet and intranet checkboxes. Extranet means that the authentication request is coming through a Web Application Proxy (see https://technet.microsoft.com/en-us/library/hh831502.aspx).

MFA policy can also be applied to specific users and groups as well as to registered and unregistered devices. (Device registration is Microsoft’s lightweight domain registration support where a device like an iPhone can be registered and used as an authentication factor.) When requiring a user or group to use MFA, it is Active Directory users and groups that are used. (AD FS can be thought of as an IDP for Active Directory.)

The second screenshot shows an example of an MFA policy defined for a specific relying party app, Outlook Web App (OWA). The policy requires that external users of OWA perform a SecurID authentication. Internal users of OWA are not required to perform a SecurID authentication. OWA is an example of an Office 365 web app.

User-added image