000029586 - How to selectively challenge users and applications with RSA AD FS agent

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000029586
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: VMware
Platform (Other): null
O/S Version: null
Product Name: RSA-0010810
Product Description: RSA-0010810
ResolutionThrough the AD FS Management tool, one can set a global authentication policy that applies to all relying party apps, or a per relying party trust policy that applies to a specific replying party app. The first screen shot below shows an example of a global policy configured to require all extranet users to use multi-factor authentication (MFA) when accessing any web app protected by AD FS.
Note the extranet and intranet checkboxes. Extranet means that the authentication request is coming through a Web Application Proxy (see https://technet.microsoft.com/en-us/library/hh831502.aspx). MFA policy can also be applied to specific users and groups as well as to registered and unregistered devices. (Device registration is Microsoft’s lightweight domain registration support where a device like an iPhone can be registered and used as an authentication factor.) When requiring a user or group to use MFA, it is Active Directory users and groups that are used. (AD FS can be thought of as an IDP for Active Directory.)
The second screen shot shows an example of an MFA policy defined for a specific relying party app, Outlook Web App (OWA). The policy requires that external users of OWA perform a SecurID authentication. Internal users of OWA are not required to perform a SecurID authentication. OWA is an example of an Office 365 web app.