This document describes how to integrate Microsoft’s Online Services for Office 365™ with single sign-on (SSO) configured for a local ADFS 2.0 service with HOTPin.
Microsoft Office 365 is a cloud-based service that can be configured to use a local Active Directory® Federation Service (ADFS) so that local users sign on with their existing AD credentials to reach Microsoft online services such as Office, SharePoint and Lync.
HOTPin provides two-factor (2FA) strong authentication for remote access and cloud solutions (such as SSL VPN, IPSec VPN and web authentication) from any device, without the complication of deploying hardware tokens or smartcards.
HOTPin 2FA combines your PIN with a one-time passcode (OTP) delivered to your phone, by SMS, by email or through desktop software.
Shown below is a sample Office 365, ADFS and HOTPin architecture:
HOTPin is designed as an easy to deploy, easy to use technology. It integrates directly with AD and removes the need for an additional user security database. HOTPin consists of two core elements: a RADIUS server and an authentication server. The authentication server is integrated with LDAP or Active Directory in real time.
The content in this integration guide refers to this type of approach.
- Office 365 cloud account
- Windows Server 2008 R2 with ADFS 2.0 installed
- Optional: a second Windows Server 2008 R2 with ADFS 2.0 installed as an ADFS proxy
- Active Directory installed
- Windows Server® 2008 R2 64-bit (Standard or Enterprise)
- IIS installed with an SSL certificate (required for management and remote administration)
- HOTPin 3.7 server software
It is expected that Office 365 has already been set up for SSO to an on-premises ADFS server that authenticates users with their existing AD passwords.
For details on how to set up the ADFS server and SSO, refer to the Microsoft article “Setting up ADFS Proxy Server – Part 1”.
Install HOTPin ADFS Agent
Two HOTPin packages need to be installed, whether ADFS runs standalone or behind an ADFS proxy:
- Standalone ADFS: install the HOTPin server software client and the HOTPin ADFS agent on the ADFS server.
- ADFS proxy: install the HOTPin server software client and the HOTPin ADFS agent only on the ADFS proxy server.
Note: In the proxy setup it is assumed that all user sign-in requests go to the proxy server and never directly to the internal ADFS server, even when the client is on the intranet. Since the agent is installed only on the proxy, a sign-in that reaches the internal ADFS server directly would not pass through HOTPin.
For more information about HOTPin server installation and configuration, please refer to HOTPin Knowledge Base.
Note: Before you integrate HOTPin with ADFS, HOTPin server needs to be provisioned and all Office 365 user accounts need to be created in HOTPin. The AD Sync agent in the HOTPin web UI can automatically add the user accounts. For more information please refer to the article “AD Synchronization”.
Configure HOTPin Agent
- Open the HOTPin Agent Console on the ADFS server or ADFS proxy server.
- Enter the HOTPin server IP address for the standalone or primary server.
- If HOTPin high availability is deployed, include backup server details.
- Select Log authentication events when you need to debug the integration.
Configure HOTPin ADFS Agent
- Open the HOTPin ADFS Console on the ADFS server or ADFS proxy server.
- If necessary, select the ADFS tab.
Note: ADFS supports several authentication methods for an Office 365 user. To achieve 2FA, this guide uses forms-based authentication, where the user enters their federated user name, AD password and HOTPin OTP on the sign-in form.
The following configuration options are available:
- Enable – activate HOTPin forms authentication for the ADFS environment. Check Set Forms as the default authentication method to make the HOTPin form the first method ADFS offers.
- Disable – disable HOTPin forms authentication. Check Set Forms as the last authentication method to leave forms as the last option ADFS falls back to.
- Edit – open the ADFS web.config file in Notepad for manual editing.
Additional configuration options depend on ADFS agent configuration. Details are discussed in the next sections.
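To make concrete what the two Set Forms checkboxes change, here is an added Python illustration, not HOTPin's or Microsoft's code, that reorders the localAuthenticationTypes list in an ADFS 2.0 web.config. ADFS 2.0 serves the sign-in method listed first, so putting Forms first is what presents the user name, AD password and OTP form instead of Integrated (Kerberos/NTLM) sign-in, which has no OTP field. That this list is what the console's Enable and Disable buttons edit is an assumption drawn from ADFS 2.0 behaviour; the web.config fragment below is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of an ADFS 2.0 web.config (not copied
# from a real server). The element names are the standard ADFS 2.0 ones; that
# this is what the HOTPin console edits is an assumption, not stated by the guide.
SAMPLE_WEB_CONFIG = """<configuration>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>
</configuration>
"""


def _auth_types_node(root):
    """Locate <localAuthenticationTypes>; ADFS lists methods in priority order."""
    node = next(root.iter("localAuthenticationTypes"), None)
    if node is None:
        raise ValueError("no <localAuthenticationTypes> element in web.config")
    return node


def auth_type_order(config_xml):
    """Return the authentication method names in the order ADFS will offer them."""
    node = _auth_types_node(ET.fromstring(config_xml))
    return [entry.get("name") for entry in node.findall("add")]


def set_forms_position(config_xml, first=True):
    """Move the Forms entry to the front (first=True) or the back (first=False).

    Front corresponds to 'Set Forms as the default authentication method',
    back to 'Set Forms as the last authentication method'. Returns new XML.
    """
    root = ET.fromstring(config_xml)
    node = _auth_types_node(root)
    entries = node.findall("add")
    forms = [e for e in entries if e.get("name") == "Forms"]
    if len(forms) != 1:
        raise ValueError("expected exactly one Forms entry, found %d" % len(forms))
    others = [e for e in entries if e.get("name") != "Forms"]
    for entry in entries:
        node.remove(entry)
    reordered = [forms[0]] + others if first else others + [forms[0]]
    for entry in reordered:
        node.append(entry)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:     ", auth_type_order(SAMPLE_WEB_CONFIG))
    print("forms first:", auth_type_order(set_forms_position(SAMPLE_WEB_CONFIG, first=True)))
    print("forms last: ", auth_type_order(set_forms_position(SAMPLE_WEB_CONFIG, first=False)))
```

After changing the order on a real server, open the sign-in URL from a domain-joined browser and confirm that the form with the OTP field appears rather than a silent integrated sign-in; if Integrated still comes first, the OTP is never requested.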
ADFS Agent Properties
- If necessary, open the HOTPin ADFS Console on the ADFS server or ADFS proxy server.
- Select the Properties tab.
Configuration options are discussed in the following sections.
- Enable Authentication – enable or disable HOTPin authentication on the sign-in form. The default is True.
- EnableSAMParse – parse out the HOTPin user name from a SAM-style (domain\username) login name.
When signing in to Office 365, end users can enter either their federated ID or their UPN. For example:
HOTPin allows four account name options:
  SAM Account Name
  Domain and SAM Account Name
- EnableUPNParse – parse out the HOTPin username from UPN (email@example.com) login name.
- ExcludedUserNames – list of users who are not required to use 2FA when signing in to Office 365. Excluded accounts sign in with their AD password only, so keep this list as short as possible and review it regularly.
- InitUserName – pre-populate the user name field of the ADFS sign-in form with the login name passed from Office 365.
- ShowErrorMessages – defaults to false so that API-related errors are not shown to end users on the sign-in form. Enable it only while troubleshooting, and disable it again afterwards.
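The following Python is an added illustration, not HOTPin's own code, of how EnableSAMParse, EnableUPNParse and ExcludedUserNames fit together: the name typed on the ADFS form is reduced to the HOTPin user name, that name is checked against the exclusion list, and the result decides whether an OTP must be collected. The exclusion list is constructed for the example, and two details are assumptions rather than statements from this guide: that matching is case-insensitive (as AD account names are), and that exclusion entries are normalised the same way as the typed login before comparison.

```python
# Constructed sample ExcludedUserNames list (not from any real deployment).
# Entries may be written in any accepted form; they are normalised like the
# sign-in name before comparison (assumption, see lead-in).
EXCLUDED_USER_NAMES = ["CONTOSO\\svc-scanner", "breakglass@contoso.com"]


def hotpin_username(login, enable_sam_parse=True, enable_upn_parse=True):
    """Derive the HOTPin user name from what was typed on the ADFS form.

    EnableSAMParse strips the domain from 'DOMAIN\\user'; EnableUPNParse strips
    the suffix from 'user@example.com'. With a flag off, the name is left as
    typed, so it would have to exist in HOTPin in exactly that form.
    Case-insensitive matching is an assumption, hence the lower().
    """
    login = login.strip()
    if enable_sam_parse and "\\" in login:
        _domain, _, user = login.partition("\\")
        return user.lower()
    if enable_upn_parse and "@" in login:
        user, _, _suffix = login.partition("@")
        return user.lower()
    return login.lower()


def requires_second_factor(login, excluded=EXCLUDED_USER_NAMES):
    """True when the user must supply a HOTPin OTP; False for excluded accounts."""
    excluded_normalised = {hotpin_username(entry) for entry in excluded}
    return hotpin_username(login) not in excluded_normalised


def check_sign_in(login, otp):
    """Decide what the sign-in form must enforce for this login.

    'password-only'  - excluded account, no OTP collected (why the list should be short)
    'otp-required'   - 2FA applies but no OTP was supplied; reject the attempt
    'verify-otp'     - an OTP was supplied and must be verified by the HOTPin server
    """
    if not requires_second_factor(login):
        return "password-only"
    return "verify-otp" if otp.strip() else "otp-required"


if __name__ == "__main__":
    # Constructed sample logins covering SAM, UPN and bare-name forms.
    for name in ["CONTOSO\\jdoe", "jdoe@contoso.com", "JDoe", "CONTOSO\\SVC-Scanner"]:
        print(f"{name!r:24} -> {hotpin_username(name)!r:14} 2FA={requires_second_factor(name)}")
```

With a parse flag turned off, a user who types the domain-qualified or UPN form is looked up under that full string, so make sure the flags match the forms your users actually type before enabling HOTPin for everyone.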
See an example of the ADFS login screen below.
QR Authentication Options:
- QRAlwaysReturnChallenge – end users can sign in with either an OTP or a QR code; QR sign-in requires the user profile to be mobile enabled (see the HOTPin Knowledge Base).
When this option is enabled, the sign-in page always presents a QR challenge, even when the user name entered does not exist, so the response does not reveal whether a user name is valid.
Note: QR authentication requires an internet connection, because it relies on a challenge/response exchange between the smart device and the server.
- QRApplicationIconUrl – the icon shown on the smart device.
- QRApplicationMessage – the message shown on the smart device.
- QRApplicationName – the application name shown on the smart device.
- QREnableAuthentication – enable or disable QR authentication system wide.
- QRimageSize – the size of the QR image rendered on the sign-in page for the smart device to scan.
- QRResponseUrl – the URL the smart device sends its QR response to, when it differs from the ADFS host name.