Configure NetIQ Advanced Authentication to provide Multi-Factor Authentication for MFDC 20 Server


Micro Focus Desktop Containers (MFDC) 20 Server is a solution for remotely executing applications through a web browser. To ensure proper authentication prior to accessing the published applications MFDC Server supports either Username/Password based authentication using LDAP authentication against Active Directory or eDirectory and SAML v2 for authenticating through a SAML Identity Provider (IDP). This document describes how to use the in-built SAML IDP found in NetIQ Advanced Authentication to enable multi-factor authentication for Turbo Server.

This document assumes that you have already installed and configured the NetIQ Advanced Authentication Server and have created at least one authentication chain. If you need help getting started with AAF, please refer to the Advanced Authentication documentation.

  • Create an event for MFDC Server in the Advanced Authentication administration console.
    1. Browse to https://<your aaf server>/admin
    2. Login as a user with administrative privileges
    3. Select Events.
    4. Click New Event.
    5. In the Name field, enter MFDC Server.
    6. In the Event Type field, select SAML2
    7. Select on or more chains you want to use to provide authentication.
    8. For the SP SAML 2.0 metadata use the following: <?xml version="1.0"?> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="" entityID="https://<your mfdc server>" ID="http___turbo_server">   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">     <NameIDFormat/>     <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<your mfdc server>" /auth/saml/return"/>   </SPSSODescriptor> </EntityDescriptor>
    9. Set Send SAMAccount as NameID.
    10. Click Save.
  • Ensure that the Advanced Authentication Framework Server’s IDP URL has been set.
    1. Select Policies > Web Authentication
    2. Ensure that the Identity Provider URL is set to an IP or DNS address of the AAF server that your devices can reach for authentication.
    3. Click Save.
  • Download the Server Signing Key and import it on your MFDC Server. If you have multiple MFDC servers you must import the certificates on each of them.
    1. Click Server Options.
    2. Under OSPKeystores, click Signing Certificate
    3. Paste the Certificate to the clipboard and then save it to a .cer file.
    4. Repeat for the Encrypting Certificate.
    5. Copy the files to the MFDC server.
    6. On the MFDC server, double each of click the .cer file.
    7. Import the certificates to the Computer > Trusted Root Certification Authorities store.
    8. Go to the details of the Signing Certificate and copy the certificate Thumbprint to the clipboard.



  • Configure MFDC Server to use the AAF SAML IDP.
    1. Browse to your MFDC Server admin console at https://<mfdc server>/admin
    2. Login as a Server Administrator
    3. Click Users > Authentication Method.
    4. For the Authentication method, select Single Sign-On.
    5. For the Single Sign-On Method select SAML 2.0.
    6. Generate a GUID from this URL and paste it into the Application ID field.
    7. In the Issuer field, enter https://<your mfdc server>
    8. In the Entry Point field, enter https://<your aaf server>/osp/a/TOP/auth/saml2/sso. If you are using a multitenant AAF system replace TOP with your tenant name.
    9. In the Logout URL field, enter https://<your aaf server>/osp/a/TOP/auth/saml2/slo. If you are using a multitenant AAF system replace TOP with your tenant name.
    10. In the Singing Certificate Thumbprint paste the thumbprint from the clipboard.
    11. For the Signing Certificate Common Name enter webauth sign
    12. Click Save.
  • Wait a couple of minutes while the MFDC Server service restarts. Then browse to https://<your mfdc server>. You should be presented with the AAF authentication dialog and should be able to authenticate via multi-factor authentication as long as the user is in the directory that both AAF and MFDC Server are configured to use.


Desktop Containers
Comment List