Microsoft Active Directory Federation Services (ADFS) is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.
One of the key elements of conditional access in ADFS is multi-factor authentication. Multi-factor authentication requires the user to prove their identity to the authenticating system not only with a set of credentials (something the user knows) but also with something the user must physically possess.
You can simply plug a TOTPRadius authentication provider into ADFS to ensure the same end-user experience every time. Furthermore, since AD FS can now differentiate between internal and external logons, you could also enable multi-factor authentication for external logons only.
The TOTPRadius authentication provider for MS ADFS supports self-service enrollment, as shown in the video below.
1. Unzip the archive to C:\Temp on the AD FS server
2. Launch PowerShell as admin and navigate to the folder created above, i.e. C:\Temp\Token2ADFS-0.0.1
3. Execute Install.ps1 (set the execution policy if needed)
4. Provide the FQDN and RADIUS secret of your appliance and click Install
5. If there are no errors, restart the AD FS service
6. Enable MFA for your users
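The following PowerShell is an added example (not part of the Token2 package or this page) covering steps 5 and 6 above, plus the external-logons-only option mentioned earlier. It assumes Install.ps1 has already registered the provider on this AD FS server and that the ADFS module is available; the provider's registered name is not given on this page, so it is a placeholder to be read from the output of Get-AdfsAuthenticationProvider.

```powershell
# Added example (not Token2's code): post-install checks and MFA enablement for
# the TOTPRadius AD FS provider. Assumes steps 1-4 (Install.ps1) have been run
# on this server and that the ADFS PowerShell module is installed.
Import-Module ADFS

# Step 5: restart the AD FS service so the newly registered provider is loaded.
Restart-Service -Name adfssrv
Get-Service -Name adfssrv | Select-Object Status, Name   # expect Running

# Check that the provider registered by Install.ps1 is visible to AD FS.
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName

# PLACEHOLDER: the provider's registered name is not on this page; use the
# Name shown for the TOTPRadius provider in the output above.
$ProviderName = '<TOTPRadius-provider-name>'

# Step 6: offer the provider as an additional (second-factor) method.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $ProviderName

# Optional: require the second factor only for external logons. The rule issues
# the multipleauthn authentication-method claim whenever the request did not
# originate inside the corporate network (insidecorporatenetwork == false).
$ExtranetOnlyRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $ExtranetOnlyRule

# Confirm the resulting global policy and rule.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Run this from the same elevated PowerShell session used for Install.ps1. Omit the Set-AdfsAdditionalAuthenticationRule call if the second factor should be required for internal logons as well; the global policy alone then makes the provider available to every request.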