QUICK START GUIDE
Deployment full details can be found in https://www.securemfa.com/downloads/mfa-api-otp
Before you can start registering “SecureMfaApiOtpProvider” into your ADFS farm you must complete bellow steps.
All commands must be executed in elevated PowerShell (PS) command prompt.
1. Deploy latest “SecureMfaApiOtpProvider” PowerShell module from Microsoft PSGallery using bellow PS command:
Install-Module -Name SecureMFA_API_OTP -Repository PSGallery -Scope AllUsers
NOTE: If your ADFS server doesn’t have access to the Internet you can:
- Pull PowerShell module from Windows client which will have Internet access and copy “C:\Program Files\WindowsPowerShell\Modules\SecureMFA_API_OTP” folder from client’s computer into ADFS server (same location).
- As alternative you can download “SecureMFA_API_OTP” nupkg file manually from https://www.powershellgallery.com/ website. Rename nupkg file’s extension into ZIP. Unzip content into a folder “SecureMFA_API_OTP” and place it into PS Modules default location on the server. That will work the same way as pulling package with native windows PS Tools.
2. Within “C:\Program Files\WindowsPowerShell\Modules\SecureMFA_API_OTP” directory you will find “sql_Create_Database_SecureMfaOTP.txt”
Modify FILENAME location to reflect your sql server storage configuration. Open the script in SQL manager and execute it. This will create a new SQL database for “SecureMfaApiOtpProvider”
3. Within “C:\Program Files\WindowsPowerShell\Modules\SecureMFA_API_OTP” directory update “SecureMfaApiOtpProvider.json” file.
- If you are using a free license you only need to modify "sqlserver" server settings. If you will buy a license for unlimited users you will need to update "company" and "serialkey" information to unlock the app.
- If you are not running ADFS servers using service account and you cannot use SQL integrated security to access database, you need to change: "sqlintegratedsecurity": "false“ and update "sqluseraccount" and "sqluserpassword" with relevant information.
4. If you need to generate verbose logs in windows events for troubleshooting reasons change verboselog value from “false” to “true”. Please note that verbose logging can affect your servers’ performance, use it only for troubleshooting reasons. Don’t enable “verboselog” in production environments as it may reveal configuration secrets
5. Using SQL manager provision dbo access to “SecureMfaOTP” database for ADFS service account or SQL user.
6. Before a SecureMfaApiOtpProvider will be invoked by AD FS, it must be registered in the system. with PowerShell command which performs the necessary installation actions including installation in the GAC, and registration in AD FS farm.
- Bellow PS command will install OTP authentication provider on the MAIN ADFS node:
- Bellow PS command will install OTP authentication provider on OTHER ADFS node(s):
NOTE: If you are using federation server farm that uses Windows Internal Database, you must start installation using the primary federation server of the farm as a MAIN node.
Installation needs to be executed on ADFS farm server (not web application proxy servers).