Microsoft Active Directory Federation Services (ADFS) is a software component that provides users with single sign-on access to systems and applications located across organizational boundaries. ADFS ships as part of Microsoft Windows Server.
PhenixID is used with ADFS to add sign-in methods such as national e-identities, mobile apps, username-token, eIDAS and other password-less sign-in methods.
ADFS remains the federation identity hub: it controls claims issuance to relying party (RP) applications, permissions, SSO and the authentication flow logic.
There are two options for integrating ADFS with PhenixID:
1. Add PhenixID MFA Adapter(s) to ADFS.
With this option, PhenixID is added as the second-factor authentication step (called Additional Authentication in ADFS), while ADFS controls the first-factor authentication step (called Primary Authentication in ADFS). ADFS Primary Authentication is limited to username-password or SSL client certificate (smartcard).
From ADFS 2019, an additional authentication method can also be used as primary authentication, which means PhenixID methods can serve as the primary authentication step.
With this option, the end user client connects to the ADFS web server only. ADFS communicates with PhenixID Authentication Services (PAS) over HTTPS in the background.
2. Add PhenixID as an additional Claims Provider
With this option, both the first and the second factor of the authentication are carried out entirely by PhenixID.
With this option, ADFS redirects the end user client to the PhenixID server for authentication.
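The two options above leave different footprints in the ADFS configuration, and an administrator reviewing a farm will want to confirm which one is in place and that nothing unexpected is registered alongside it. The following PowerShell script, added here as an example and not taken from PhenixID's or Microsoft's documentation, reads the global authentication policy (option 1: PhenixID as an additional authentication provider, including the ADFS 2019 additional-as-primary setting), lists every registered authentication provider, and lists the non-default claims provider trusts (option 2) together with the expiry of their token-signing certificates. It uses only the standard ADFS cmdlets and must be run on an ADFS server; the `$ExpectedPhenixIDProvider` name is a placeholder to replace with the adapter name registered in your farm.

```powershell
# Added example (not PhenixID or Microsoft code). Run on an ADFS server with the ADFS module.
# $ExpectedPhenixIDProvider is a placeholder: set it to the adapter name registered in your farm.
Import-Module ADFS

$ExpectedPhenixIDProvider = 'PLACEHOLDER-PhenixID-Adapter-Name'

# --- Option 1: PhenixID MFA adapter as Additional Authentication ---------------------
$policy = Get-AdfsGlobalAuthenticationPolicy

Write-Host "Primary (intranet):  $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
Write-Host "Primary (extranet):  $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"
Write-Host "Additional:          $($policy.AdditionalAuthenticationProvider -join ', ')"

# ADFS 2019 and later expose the switch that lets an additional provider act as primary.
if ($policy.PSObject.Properties.Name -contains 'AllowAdditionalAuthenticationAsPrimary') {
    Write-Host "Additional-as-primary allowed: $($policy.AllowAdditionalAuthenticationAsPrimary)"
} else {
    Write-Host "Additional-as-primary: not available on this ADFS version"
}

if ($policy.AdditionalAuthenticationProvider -contains $ExpectedPhenixIDProvider) {
    Write-Host "OK: '$ExpectedPhenixIDProvider' is enabled as an additional provider"
} else {
    Write-Warning "'$ExpectedPhenixIDProvider' is NOT enabled as an additional provider"
}

# Every registered provider, so that an unexpected custom adapter does not go unnoticed.
Write-Host "`nRegistered authentication providers:"
Get-AdfsAuthenticationProvider |
    Select-Object Name, AdminName, IsCustom,
                  AllowedForPrimaryIntranet, AllowedForPrimaryExtranet,
                  AllowedForAdditionalAuthentication |
    Format-Table -AutoSize

# --- Option 2: PhenixID as an additional Claims Provider ------------------------------
# 'Active Directory' is the built-in trust; anything else is an external identity source
# such as PhenixID. Report whether it is enabled and when its signing certificate expires,
# since an expired certificate breaks sign-in and a stale disabled trust should be removed.
Write-Host "`nExternal claims provider trusts:"
Get-AdfsClaimsProviderTrust |
    Where-Object { $_.Name -ne 'Active Directory' } |
    ForEach-Object {
        $certs = @($_.TokenSigningCertificates)
        $earliestExpiry = if ($certs.Count -gt 0) {
            ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter
        } else { $null }

        [pscustomobject]@{
            Name                 = $_.Name
            Enabled              = $_.Enabled
            Identifier           = ($_.Identifier -join ', ')
            SignatureAlgorithm   = $_.SignatureAlgorithm
            SigningCertCount     = $certs.Count
            EarliestCertExpiry   = $earliestExpiry
            CertExpiresWithin30d = if ($earliestExpiry) { $earliestExpiry -lt (Get-Date).AddDays(30) } else { 'n/a' }
        }
    } | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the ADFS server. Option 1 shows up in the Additional line of the policy output; option 2 shows up as an entry in the trust table. Because the certificate check only looks at the earliest `NotAfter` date, a trust with several signing certificates is flagged as soon as any one of them approaches expiry, which is the conservative reading for a change-control review.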
The following guide walks through the steps to install PhenixID MFA adapters for ADFS (option 1):
Step by step guide
The following guide walks through the steps to add PhenixID as a Claims Provider to ADFS (option 2):
Step by step guide