Before proceeding, verify that your ADFS server is running and operational. During installation, ADFS will be restarted several times, so allow for a short interruption of the sign-in service.
The installation procedure depends on the ADFS setup you are working with, which will be one of:
Standard / Windows Internal Database (WID) installation. The plugin is first installed, with its configuration details (client ID, client secret, etc.), on the primary server. The installer is then run on each secondary server, where it automatically detects that the configuration details do not need to be entered again.
SQL Server farm. All servers are primary servers, so the configuration is deployed from the first server on which the installer is run, and the Deploy Configuration box must be unticked when the installer is run on the remaining servers.
To prevent installation errors, make sure that Azure MFA is not selected as an additional authentication method before you run the installer. See the troubleshooting section for details.
The installer for the plugin can be downloaded from http://repo.miracl.com/?prefix=windows/adfs-plugin/. The highest-numbered build is the latest stable version; the un-numbered Miracl.Zfa.Adfs.Installer.exe is the absolute latest build and may not be stable. Because this is a plain-HTTP link, check the installer's Authenticode signature before running it on a federation server.
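The checks above can be scripted. The following is an added example for this page, not code from MIRACL or its documentation: it is run in an elevated PowerShell session on each ADFS server before starting the installer. It assumes (none of this is stated on the page) that the installer has been saved to the path in $InstallerPath, that the Azure MFA provider is registered under its default name AzureMfaAuthentication, that the WID configuration database is identified by a MICROSOFT##WID (or older MICROSOFT##SSEE) named pipe in the ADFS connection string, and that a 32-byte random value satisfies the Session Secret rules the installer displays (check the generated value against those rules before using it).

```powershell
# Added example, not code from the MIRACL documentation: pre-flight checks before running
# the MIRACL ADFS plugin installer. Run in an elevated PowerShell session on each ADFS server.
# Assumptions: installer saved at $InstallerPath; Azure MFA provider name 'AzureMfaAuthentication';
# WID detected by the '##WID'/'##SSEE' named pipe; Session Secret rules satisfied by 32 random bytes.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\Miracl.Zfa.Adfs.Installer.exe"
)
Import-Module ADFS -ErrorAction Stop
$problems = @()

# 1. The ADFS service must be up; the installer restarts it several times.
$svc = Get-Service -Name adfssrv
if ($svc.Status -ne 'Running') { $problems += "adfssrv is $($svc.Status), expected Running" }

# 2. WID or SQL farm? WID's configuration database sits behind a local named pipe
#    (MICROSOFT##WID, or MICROSOFT##SSEE on older hosts); anything else is SQL Server.
$dbConn = (Get-AdfsProperties).ArtifactDbConnection
$dbType = if ($dbConn -match '##WID|##SSEE') { 'WID' } else { 'SQL' }

# 3. This node's farm role. In a WID farm only one node is PrimaryComputer;
#    in a SQL farm every node reports PrimaryComputer.
$role = (Get-AdfsSyncProperties).Role

# 4. Azure MFA must not be selected as an additional authentication method.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -contains 'AzureMfaAuthentication') {
    $problems += 'Azure MFA is selected as an additional authentication method; deselect it first'
}

# 5. The download link is plain HTTP, so verify the installer's Authenticode signature.
if (Test-Path $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        $problems += "Installer signature status is $($sig.Status); verify the download before running it"
    }
} else {
    $problems += "Installer not found at $InstallerPath"
}

# 6. A candidate Session Secret: 32 bytes from the OS CSPRNG, base64-encoded.
#    (Assumption: this satisfies the rules shown by the installer; check before use.)
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sessionSecret = [Convert]::ToBase64String($bytes)

# 7. Where Deploy Configuration should be ticked, derived from the farm type and role.
if ($dbType -eq 'WID') {
    $advice = if ($role -eq 'PrimaryComputer') { 'tick it (this is the WID primary)' }
              else { 'not offered on a WID secondary; just accept the licence and install' }
} else {
    $advice = 'tick it only on the first SQL-farm server you install on; untick it on the rest'
}

Write-Host "Database type            : $dbType"
Write-Host "Farm role                : $role"
Write-Host "Additional auth providers: $($policy.AdditionalAuthenticationProvider -join ', ')"
Write-Host "Candidate Session Secret : $sessionSecret"
Write-Host "Deploy Configuration     : $advice"

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host 'Fix the items above before running the installer.'
    exit 1
}
Write-Host 'Pre-flight checks passed.'
```

Keep the generated Session Secret in a password manager rather than in shell history: it encrypts the state passed around during authentication, so anyone who learns it can tamper with that state.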
The installation procedure is then a two-step process:
Run the installer on the primary ADFS server
You will be asked to accept our License Agreement:
On a primary server, the next screen displays the Deploy Configuration tick-box. Tick it only if you are running the installer on the sole primary server of a standard / WID setup, or on the first primary server of a SQL server farm:
The Session Secret parameter is a secret used to encrypt the state data passed between steps of the authentication process. It must be a strong, hard-to-guess string and is subject to the following rules:
Advanced configuration options are then displayed.
These are for expert users only and should be left at their defaults unless there is a specific requirement to change them.
Server Base Address displays the IssuerURL (https://api.mpin.io) of the MIRACL Trust ZFA service. Combined with the Discovery Path, it gives the URL (https://api.mpin.io/.well-known/openid-configuration) that returns the OIDC parameters used by the service. You can also set the network timeout and enable debugging, which displays the hostname and version number during ADFS authentication, and stack trace information if errors occur.
Code Pad Uri should be set to https://mcl.cdn.mpin.io/mpad/mpad.js (note that the hostname begins with mcl).
Debugging mode should only be enabled for testing and must never be enabled in production, since the hostname, version and stack-trace details it displays are shown to anyone going through ADFS authentication. For troubleshooting in production, use the Windows Server event log, which records stack traces and other information.
Also note that, due to limitations of ADFS, the only way to turn off debugging mode is to re-run the MIRACL installer.
At this point you will be asked to choose a name for the ADFS web theme. The MIRACL Trust ADFS installer makes a slight adjustment to the original ADFS web theme and makes the adjusted theme active immediately. If you give it exactly the same name as the original theme, the original will be overwritten; otherwise the original is left intact:
Run the installer on the remaining ADFS servers
It is now necessary to run the installer on all remaining servers.
When you run the installer on a secondary server in a standard / WID setup, you will not be asked for any configuration options; you only confirm the License Agreement and then begin the installation:
In a SQL setup, however, all servers are primary servers, so make sure the Deploy Configuration box is unticked on each remaining server:
You will then be asked to confirm the installation without re-entering config details.
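Once the installer has finished on every server, it is worth confirming the result on each of them before directing users at the farm. The script below is an added example for this page, not code from MIRACL or its documentation. It assumes the default Server Base Address, Discovery Path and Code Pad Uri shown in the installer's advanced options, that the ADFS server has outbound HTTPS access to those hosts, and, for the event-log query, that the installer ran within the last two hours (adjust $since otherwise).

```powershell
# Added example, not code from the MIRACL documentation: post-installation checks for the
# MIRACL ADFS plugin. Run in an elevated PowerShell session on each ADFS server.
# Assumptions: default Server Base Address / Discovery Path / Code Pad Uri from the installer;
# outbound HTTPS from this server; installer ran within the window given by $since.
Import-Module ADFS -ErrorAction Stop

$serverBase   = 'https://api.mpin.io'
$discoveryUrl = "$serverBase/.well-known/openid-configuration"
$codePadUri   = 'https://mcl.cdn.mpin.io/mpad/mpad.js'
$since        = (Get-Date).AddHours(-2)   # assumption: installer ran within the last two hours

# 1. The service is back up after the installer's restarts.
Write-Host "adfssrv: $((Get-Service -Name adfssrv).Status)"

# 2. The installer's adjusted web theme should now be the active one.
$web = Get-AdfsWebConfig
Write-Host "Active web theme : $($web.ActiveThemeName)"
Write-Host "Installed themes : $((Get-AdfsWebTheme | Select-Object -ExpandProperty Name) -join ', ')"

# 3. Registered authentication providers; the MIRACL provider should appear alongside the
#    built-in ones (its registered name is whatever the installer set).
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName | Format-Table -AutoSize | Out-Host

# 4. On a WID secondary, confirm configuration has synced from the primary since the install.
$sync = Get-AdfsSyncProperties
if ($sync.Role -eq 'SecondaryComputer') {
    Write-Host "Last sync from primary: $($sync.LastSyncTime) (status $($sync.LastSyncStatus), 0 = success)"
}

# 5. This server must reach the MIRACL discovery document, and its issuer should match the
#    Server Base Address configured in the installer.
try {
    $disco = Invoke-RestMethod -Uri $discoveryUrl -TimeoutSec 10
    if ($disco.issuer.TrimEnd('/') -eq $serverBase) {
        Write-Host "OIDC discovery OK, issuer = $($disco.issuer)"
    } else {
        Write-Warning "Discovery issuer '$($disco.issuer)' does not match Server Base Address '$serverBase'"
    }
} catch {
    Write-Warning "Cannot fetch $discoveryUrl : $_"
}

# 6. The Code Pad script must be reachable (note the 'mcl' hostname).
try {
    $pad = Invoke-WebRequest -Uri $codePadUri -UseBasicParsing -TimeoutSec 10
    Write-Host "Code Pad script reachable (HTTP $($pad.StatusCode), $($pad.RawContentLength) bytes)"
} catch {
    Write-Warning "Cannot fetch $codePadUri : $_"
}

# 7. ADFS errors logged since the install. Stack traces land here even with debugging off,
#    which is why debugging mode is not needed in production.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize | Out-Host
```

If step 5 or 6 fails on a server that otherwise looks healthy, check the outbound proxy or firewall rules for that host before re-running the installer; the plugin cannot complete an authentication without the discovery document and the Code Pad script.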