4.2 AD FS Adapter Mobile prerequisites
The following prerequisites must be in place before you install the AD FS Adapter Mobile:
- Relying Party Trust: A Relying Party Trust must exist under AD FS Management > AD FS > Relying Party Trusts so that the AD FS Adapter can be added to it as a primary or additional authentication method.
- Access Control Policy: A suitable access control policy for controlling access to the Relying Party Trust must exist under AD FS Management > AD FS > Access Control Policies; for example, “Permit everyone and require MFA” if the AD FS Adapter is used as an additional authentication method, or “Permit everyone” if the AD FS Adapter is used as a primary authentication method.
- Authentication Certificate: An authentication certificate must exist to secure communication to the MyID Verification Service. This certificate, with its private key, must be installed on the AD FS server. The installed location and thumbprint of this certificate are required when you run the installation program. See section 4.2.1, Mutual TLS, for more information.
- AD FS Service Account: The AD FS service account must be a member of the “domain users” group and must hold the “log on as a service” user right. To grant this right, from AD FS Server Manager > Tools > Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Log on as a service > Local Security Setting tab > Add User or Group, add the AD FS service account user. This is required to allow the AD FS Adapter to use two-way TLS to the MyID Verification Service.
4.2.1 Mutual TLS
Two-way TLS is used to secure communication between the AD FS Adapter Mobile and the MyID Verification Service; this requires a client authentication certificate.
You must configure the MyID Verification Service MobileAuthInternal web service to allow this certificate; see section 3.2.1, Configuring the client certificate for details.
You must install the certificate with private key on AD FS before you run the AD FS Adapter Mobile installation program, which requires the store location, store name, and certificate thumbprint to identify the certificate.
You can find the certificate thumbprint in the Properties dialog of the certificate, on the Details tab, in the Thumbprint field.
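The following script is an added pre-installation check for the prerequisites listed in section 4.2 and the certificate requirements of section 4.2.1; it is example code, not part of the AD FS Adapter Mobile or MyID products. It assumes it is run as an administrator on the AD FS server, that the AD FS Windows service is named adfssrv, and that the Relying Party Trust name and certificate thumbprint are supplied as parameters (the defaults are placeholders).

```powershell
# Added example: verify AD FS Adapter Mobile prerequisites before running the installer.
# Assumptions: run elevated on the AD FS server; AD FS service name 'adfssrv';
# the Relying Party Trust name and thumbprint below are placeholders to replace.
param(
    [string]$RelyingPartyName = 'RELYING-PARTY-NAME-PLACEHOLDER',
    [string]$StoreLocation    = 'LocalMachine',
    [string]$StoreName        = 'My',
    [string]$Thumbprint       = 'THUMBPRINT-PLACEHOLDER'
)
$ok = $true
function Check([bool]$Pass, [string]$Msg) {
    if ($Pass) { Write-Host "[PASS] $Msg" } else { Write-Host "[FAIL] $Msg"; $script:ok = $false }
}

# 1. Relying Party Trust exists and has an access control policy assigned.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
Check ($null -ne $rp) "Relying Party Trust '$RelyingPartyName' exists"
Check ($null -ne $rp -and $rp.AccessControlPolicyName) "Access control policy assigned: '$($rp.AccessControlPolicyName)'"

# 2. Client authentication certificate is installed with its private key (section 4.2.1).
$cert = Get-ChildItem "Cert:\$StoreLocation\$StoreName" | Where-Object { $_.Thumbprint -eq $Thumbprint }
Check ($null -ne $cert) "Certificate $Thumbprint found in $StoreLocation\$StoreName"
if ($cert) {
    Check $cert.HasPrivateKey 'Certificate has a private key'
    Check ($cert.NotAfter -gt (Get-Date)) "Certificate valid until $($cert.NotAfter)"
    # Extension 2.5.29.37 is Extended Key Usage; 1.3.6.1.5.5.7.3.2 is Client Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    Check ([bool]$clientAuth) 'Certificate carries the Client Authentication EKU'
}

# 3. AD FS service account holds "Log on as a service" (SeServiceLogonRight in the local policy).
$account = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
Check ($right -and $right.Line -match [regex]::Escape($sid)) "Service account $account has 'Log on as a service'"

if ($ok) { 'All AD FS Adapter Mobile prerequisites satisfied.' } else { 'One or more prerequisites are missing.' }
```

The SeServiceLogonRight check matches the account SID directly, so it reports FAIL if the right was granted through a group the account belongs to rather than to the account itself.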