Enabling ADFS Two Factor Authentication (2FA) - Metasys - LIT-1201528 - General System Information - Metasys System - 12.0

Security Administrator System Technical Bulletin

Product
Building Automation Systems > Building Automation Systems > Metasys System
Document type
Technical Bulletin
Document number
LIT-1201528
Version
12.0
Revision date
2022-08-05

Metasys ADFS integration supports two factor authentication. Duo Pro MFA plugin is one method. The following steps are for configuring Duo Pro.

Procedure

  1. To confirm you have Duo Authentication installed, on the left pane of the ADFS window, open the Service drop down arrow and select Authentication Methods. Duo Authentication should appear under the Multi-Factor Authentication Methods heading.
  2. On the left pane of the ADFS window, select Application Groups.
  3. In the Application Groups window, select the current release of Metasys ADFS. A Metasys ADFS Properties window appears.
  4. In the Applications box, select the current release of Metasys ADFS -Web API and click Edit. A Metasys ADFS – Web API Properties window appears.
  5. Click on the Access Control Policy tab and select Permit everyone and require MFA. In the Policy dialog box, Permit users and require multi-factor authentication appears. Click OK. This brings you back to the Metasys ADFS Properties window. Click OK.
  6. Go to the Metasys UI browser and click LOG IN WITH MY ORGANIZATIONAL ACCOUNT (ADFS). This is the first time you log in after you have set up MFA. Enter your username and password and click Sign in.
  7. A Protect Your Johnson Controls Account pop-up appears. Select Start setup.
  8. Select Mobile Phone (recommended) from the options in the What type of device are you adding window. Click Continue.
  9. Enter your mobile phone number and click Continue. Select from the type of phone options and click Continue.
  10. A window appears and asks you to install the Duo Mobile app on your phone. Open the app and scan the QR code.
  11. After you successfully take a picture of the QR code, it pairs your phone with your account in the cloud for Duo Pro. Click Continue.
  12. In the My Settings & Devices window, select the When I log in drop down menu and choose Automatically send this device a Duo Push. Click Continue to Log on.
  13. On the security verification box that appears, select Send Me a Push. Click Approve on your phone. This automatically logs you in to the Metasys UI.