AD FS eParaksts Mobile Authentication Module

Requirements

Windows Server 2019 (also tested on Server 2016)
Installed and configured AD FS service
Administrator privileges
Network access:
- https://eidas.eparaksts.lv/
- https://eidas-demo.eparaksts.lv/
ℹ️
Before starting this functionality, read Two-factor authentication with eParaksts.

Installation

Run:
```
eParaksts-ADFS-Adapter-{version}.msi
```
Provide configuration JSON file during installation.
AD FS service will restart automatically.

Configuration Example

{
  "host": "eidas-demo.eparaksts.lv",
  "client_id": "test",
  "client_secret": "password",
  "authorization_server": "lvrtc-eipsign-as",
  "authorization_scope": "urn:lvrtc:fpeil:aa",
  "userinfo_givenname_field": "given_name",
  "userinfo_familyname_field": "family_name",
  "userinfo_identity_field": "serial_number",
  "acr_values": "urn:eparaksts:authentication:flow:mobileid",
  "ldap_trustedx_identity_attribute": "eParakstsADFSIdentity",
  "ldap_trustedx_login_hint_attribute": "eParakstsADFSUserName",
  "identity_linking_policy": "link_identity_by_fullname"
}

Enable Module

Open AD FS Management
Navigate to:
```
Services > Authentication Methods
```
Edit Multi-factor Authentication Methods
Enable:

eParaksts EIDAS Authentication Adapter

AD Attributes

If required AD attributes do not exist:

Run:

Create_EparakstsProvider_AD_attributes.ps1

Execute on the AD server used by AD FS.

Testing

Microsoft provides a tool to test ADFS. Configuration should be performed according to the instructions available at: AD FS eParaksts Mobile Authentication Module - Administrator's Guide

📘
The Administrator's Guide
The administrator's guide for performing a successful installation of the AD FS module can be found here.