MFA Email Time Based Pass-code Provider v1.0.0.6

Features

Unlicensed adapter

  • Authorization codes are 19 digits long.
  • Authorization codes are valid up to 60 min.
  • Support of ADFS CSS themes.
  • The authorization code is delivered to the e-mail address set in the user’s AD account attribute.
  • Logs are stored in Windows application log.
  • Runs on ADFS 2016 and ADFS 2019 servers.
  • Supports unlimited users.

Licensed adapter

  • Authorization codes are 6 digits long for unlimited user accounts of licensed organization.
  • Authorization code validity can be customized.
  • Text customization for adapter’s interface.
  • Free version note is removed.

Release information

Version: 1.0.0.6

  • Adds support for text customization.
  • Supports customization of authorization code validity.
  • Security enhancements.
  • Release date 28/03/2019


Download SecureMFA Email TBP version 1.0.0.6

Deploy SecureMFAEmail Time Based Pass-code Adapter into ADFS Farm

Preparation steps

Before you can start using “SecureMFAEmailTBP” in your ADFS farm, you must complete the steps below.

1) Download the latest “SecureMFAEmailTBP” adapter from https://www.securemfa.com/downloads .

2) The content is downloaded as a zip file. Extract it on the primary ADFS server into the “C:\SecureMFAEmailOtpProvider” location.

3) Within that directory, update “SecureMFAEmailOtpProvider.json”.

If you are using the free license you only need to modify the "smtpserver" setting. If you buy a license to enable short authorization codes, you also need to update the "company" and "serialkey" values to unlock the app.

Below is a sample of the JSON file:

{
  "company": "MyCompany",
  "serialkey": "m00000000",
  "smtpserver": "smtp.adatum.labnet",
  "smtpmailfrom": "mfa.no.reply@adatum.labnet",
  "smtpport": "25",
  "auth_code_valid_inteval_seconds": "3600",
  "login_text": "Enter a code received from MFA Email Authenticator."
}

SecureMfaEmailOtp adapter installation

Before the SecureMfaEmailOtpProvider can be invoked by AD FS, it must be registered in the system. The PowerShell script below performs the necessary installation actions, including installation in the GAC and registration in the AD FS farm.

Script to install SecureMfaEmailOtpProvider on primary ADFS node

#Open an elevated PowerShell command window on your federation server and execute the following commands
#Note that if you are using a federation server farm that uses Windows Internal Database, you must execute these commands on the primary federation server of the farm
#The commands below need to be executed on one server in the ADFS farm
 
#Check if the Windows event source for the Application log exists; if not, create it.
if ([System.Diagnostics.EventLog]::SourceExists("Secure MFA Email OTP") -eq $False) {New-EventLog -LogName "Application" -Source "Secure MFA Email OTP"}
 
#Remove additional authentication providers from the ADFS global policy and unregister SecureMfaEmailOtpProvider
#On a first-time installation the unregister command reports that the provider does not exist; this is expected and harmless
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ""
Unregister-AdfsAuthenticationProvider -Name "SecureMfaEmailOtpProvider" -Confirm:$false
 
#Restart ADFS service
net stop adfssrv
net start adfssrv
 
#Remove SecureMfaEmailOtpProvider DLL from the GAC (no-op if it is not installed yet)
Set-Location "c:\SecureMfaEmailOtpProvider"
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")
 
#Add SecureMfaEmailOtpProvider DLL to the GAC
Set-Location "c:\SecureMfaEmailOtpProvider"
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")
 
#Register the SecureMfaEmailOtpProvider adapter (the strong name must match the DLL that was placed in the GAC)
$typeName = "SecureMfaEmailOtpProvider.AuthenticationAdapter, SecureMfaEmailOtpProvider, Version=1.0.0.6, Culture=neutral, PublicKeyToken=1ecd877c866018d2, processorArchitecture=MSIL"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name "SecureMfaEmailOtpProvider" -ConfigurationFilePath 'C:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.json'
 
#Restart ADFS service
net stop adfssrv
net start adfssrv
 
#Add SecureMfaEmailOtpProvider as an additional authentication provider in ADFS
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider "SecureMfaEmailOtpProvider"

If you have more servers in the ADFS farm, execute the following script on the remaining nodes.

Script to install SecureMfaEmailOtpProvider on other ADFS nodes

#Open an elevated PowerShell command window on your federation server and execute the following commands
#Note that you don't need to register the DLL on ADFS proxy servers
 
#Check if the Windows event source for the Application log exists; if not, create it.
if ([System.Diagnostics.EventLog]::SourceExists("Secure MFA Email OTP") -eq $False) {New-EventLog -LogName "Application" -Source "Secure MFA Email OTP"}
 
#Remove SecureMfaEmailOtpProvider DLL from the GAC (no-op if it is not installed yet)
Set-Location "c:\SecureMfaEmailOtpProvider"
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")
 
#Add SecureMfaEmailOtpProvider DLL to the GAC
Set-Location "c:\SecureMfaEmailOtpProvider"
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")
 
#Restart ADFS service
net stop adfssrv
net start adfssrv
 
#List all authentication providers (registration is farm-wide, so SecureMfaEmailOtpProvider should already appear here)
Get-AdfsAuthenticationProvider | Select-Object Name

Verification

To verify that “SecureMfaEmailOtpProvider” has been installed successfully:

1) Open the AD FS Management snap-in (from the Server Manager Tools menu).

2) Click Authentication Policies on the left.

3) In the center pane, under Multi-Factor Authentication, click the blue Edit link to the right of Global Settings.

4) Under Select additional authentication methods at the bottom of the page, check that “Email Time Based OTP Authentication Provider” is selected.
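The same checks can be scripted for farms with several nodes. The script below is an added example, not part of the SecureMFA package; it assumes the adapter name, event source, file path and assembly strong name used in the installation script above, verifies the GAC, registration and global policy state, and also sanity-checks the JSON settings from preparation step 3 (SMTP relay set, numeric port, code validity between 1 s and the 3600 s default).

```powershell
# Added verification script (not part of the SecureMFA package). Run in an elevated
# PowerShell on an ADFS node. Names and paths below are taken from the install script.
$providerName = "SecureMfaEmailOtpProvider"
$eventSource  = "Secure MFA Email OTP"
$configPath   = "C:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.json"
$assemblyName = "SecureMfaEmailOtpProvider, Version=1.0.0.6, Culture=neutral, PublicKeyToken=1ecd877c866018d2"
$results = @()

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. The event source must exist, otherwise the adapter cannot write to the Application log.
Add-Check "Event source exists" ([System.Diagnostics.EventLog]::SourceExists($eventSource)) $eventSource

# 2. The DLL must resolve from the GAC under exactly the strong name that was registered.
try {
    $asm = [System.Reflection.Assembly]::Load($assemblyName)
    Add-Check "Assembly loads from GAC" $asm.GlobalAssemblyCache $asm.Location
} catch {
    Add-Check "Assembly loads from GAC" $false $_.Exception.Message
}

# 3. Provider registered in the farm and selected as an additional (MFA) provider in the global policy.
$registered = Get-AdfsAuthenticationProvider | Where-Object Name -eq $providerName
Add-Check "Provider registered" ($null -ne $registered) $providerName
$policy = Get-AdfsGlobalAuthenticationPolicy
Add-Check "Provider enabled in global policy" `
    ($policy.AdditionalAuthenticationProvider -contains $providerName) `
    ($policy.AdditionalAuthenticationProvider -join ", ")

# 4. Config sanity: without an SMTP relay no codes are delivered; a non-numeric or oversized
#    validity value silently weakens the one-time property of the code.
if (Test-Path $configPath) {
    $cfg = Get-Content -Raw $configPath | ConvertFrom-Json
    Add-Check "smtpserver set" (-not [string]::IsNullOrWhiteSpace($cfg.smtpserver)) $cfg.smtpserver
    Add-Check "smtpport numeric" ($cfg.smtpport -match '^\d+$') $cfg.smtpport
    $validity = 0
    $isInt = [int]::TryParse($cfg.auth_code_valid_inteval_seconds, [ref]$validity)
    Add-Check "code validity within 1..3600 s" ($isInt -and $validity -ge 1 -and $validity -le 3600) "$validity s"
} else {
    Add-Check "Config file present" $false $configPath
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning "One or more checks failed; see the table above." }
```

Run it on every node after the installation scripts; the GAC and event-source checks are per node, while registration and policy are farm-wide.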

Application

When you log in to an ADFS application that requires multi-factor authentication, you will be able to request an authorization code sent to the e-mail address registered with your Active Directory account.

Below is a screenshot of the SecureMFAEmail OTP provider.

By default, the authorization pass-code sent to the user’s e-mail address is valid for up to 1 hour.

Text customizations

Licensed clients can customize the adapter text presented to users during logon. You can use simple HTML, such as links, to point users to a self-service portal etc. The text is configured in the configuration file “SecureMfaEmailOtpProvider.json”.

SecureMfaEmailOtpProvider.json config setting for text customization:

"login_text": "Enter a code received from MFA Email Authenticator."

Authorization code validity customization

By default the authorization pass-code is valid for up to 1 h. Licensed clients can change the validity interval by updating the “SecureMfaEmailOtpProvider.json” config file. The sample below sets authorization code validity to 5 min. Validity time is set in seconds.

"auth_code_valid_inteval_seconds": "300"