Enable MFA as a service for existing installations configured for OIDC
To enable MFA as a service for existing ADFS installations:
- Enable an existing application for MFA as a service.
  - Sign on to your Okta tenant as an administrator.
  - Navigate to Applications > Applications, then select an existing ADFS app.
  - Select the Sign On tab and, in the Settings section, click Edit.
  - Select MFA as a service.
  - Click Save.
- Enable the ADFS plugin for MFA as a service.
  - Connect to the machine where the ADFS plugin was installed.
  - Using a text editor, open C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.
    Note: By default, the okta_adfs_adapter.json file is located at C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json. See Configure MFA for Active Directory Federation Services (ADFS) for more information.
  - Search for the useOIDC property and set its value to false, for example: "useOIDC": false
  - Save your changes and close the editor.
- Using a text editor, create the following Microsoft PowerShell script and save it as ApplyConfigurationSettingChanges.ps1. If required, change the values of the BinDir and ConfigDir variables to match your environment.
# ApplyConfigurationSettingChanges.ps1
# Re-registers the Okta MFA adapter so that ADFS picks up the changed okta_adfs_adapter.json
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
# Adjust these paths if the Okta MFA Provider was installed somewhere else
$BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
$ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"
Start-Service adfssrv
# Remove the Okta MFA Provider from the global authentication policy
$providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$providers.Remove("OktaMfaAdfs")
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
# Unregister the adapter
Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop
# Restart the ADFS service
Restart-Service adfssrv -Force
# Register the MFA adapter again, pointing it at the updated configuration file
$OktaMfaAssembly = [Reflection.Assembly]::LoadFile($BinDir + "\OktaMfaAdfs.dll")
$typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssembly.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"
# Restart the service
Restart-Service adfssrv -Force
# Enable the Okta MFA adapter in the global authentication policy
$providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$providers.Add("OktaMfaAdfs")
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
- As an administrator, open Microsoft PowerShell and run the script ApplyConfigurationSettingChanges.ps1.
- Verify that a user can authenticate.
You have successfully configured MFA as a service.
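Before asking a user to sign in, it is worth confirming the state the procedure above is supposed to leave behind: useOIDC is false in the adapter config, the ADFS service is running, and the OktaMfaAdfs provider is both registered and enabled in the global authentication policy. The following check is an added example and is not part of Okta's documentation; it assumes the default ConfigDir path and the OktaMfaAdfs provider name used by the script above, and that the ADFS PowerShell module is available on the federation server.

```powershell
# Verify-OktaMfaAsAService.ps1 (added example; not Okta's own code)
# Assumes the default ConfigDir from the procedure and the provider name "OktaMfaAdfs".
$ConfigDir  = "C:\Program Files\Okta\Okta MFA Provider\config"
$ConfigFile = Join-Path $ConfigDir "okta_adfs_adapter.json"
$problems   = @()

# 1. The adapter config must have useOIDC set to false (MFA as a service mode).
#    A missing property also fails this check, since $null -ne $false is true.
$config = Get-Content -Path $ConfigFile -Raw | ConvertFrom-Json
if ($config.useOIDC -ne $false) {
    $problems += "useOIDC is '$($config.useOIDC)' in $ConfigFile; expected false"
}

# 2. The ADFS service must be running after the two forced restarts.
$svc = Get-Service -Name adfssrv
if ($svc.Status -ne 'Running') {
    $problems += "adfssrv is $($svc.Status); expected Running"
}

# 3. The adapter must be registered with ADFS.
$provider = Get-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -ErrorAction SilentlyContinue
if (-not $provider) {
    $problems += "authentication provider OktaMfaAdfs is not registered"
}

# 4. The adapter must be enabled in the global authentication policy.
$enabled = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($enabled -notcontains "OktaMfaAdfs") {
    $problems += "OktaMfaAdfs is not in AdditionalAuthenticationProvider: $($enabled -join ', ')"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: Okta MFA adapter is registered, enabled, and configured for MFA as a service."
    exit 0
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell session on the ADFS server; a non-zero exit code means at least one of the four conditions the procedure depends on is not met.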