RSA MFA Agent 3.x AD FS for Windows Not Prompting for MFA on Test Page
a year ago
Article Number
000073321
Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS)
RSA Version/Condition: 3.X

Issue

The RSA MFA Agent 3.x is installed and configured on AD FS for Windows. However, when accessing the AD FS test page and clicking "Sign In," users are able to log in using only their password. The agent is not prompting for multi-factor authentication as expected, indicating that the MFA challenge is not being triggered during the authentication flow.

Cause

In the AD FS test configuration, the Relying Party Identifier was incorrectly set to use https instead of http. As per the official RSA MFA Agent 3.0 for Microsoft AD FS Administrator's Guide, the test configuration for the identifier should explicitly use http (e.g., http://<youradfs>.<yourdomain>.com/adfs/services/trust).

Once the identifier was corrected from https to http, the MFA prompt was successfully triggered on the test page.

Resolution

To resolve the issue, update the Relying Party Identifier to use http by following these steps:

  1. Open AD FS Management on the server.

  2. Navigate to Application Groups in the left-hand pane.

  3. Locate and double-click the application group used for the MFA test (e.g., Test MFA).

  4. Under Applications, select the Web application and click Edit.

  5. In the Identifiers tab, locate the Relying party identifier.

  6. Remove the existing https://<youradfs>... entry.

  7. Add a new identifier using http, e.g., http://<youradfs>.<yourdomain>.com/adfs/services/trust.

  8. Click Add, then OK, and then Apply to save the changes.

  9. Close and reopen the test sign-in page and retry. MFA should now be triggered as expected.
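The same check and correction can be scripted with the AD FS PowerShell module, which is useful when several farm members or test groups need to be verified. The script below is an added example and is not part of the RSA article or the RSA agent; it assumes the test application group is named "Test MFA", that the test application is the Web API application in that group (the object that carries the "Relying party identifier" shown in the Identifiers tab, managed by Get-AdfsWebApiApplication and Set-AdfsWebApiApplication), and that adfs.example.com stands in for your <youradfs>.<yourdomain>.com host name. All three are placeholders to adjust for your environment.

```powershell
# Added example (not from the RSA article): audit, and optionally correct, the
# Relying Party Identifier of the MFA test application so that it uses the
# http form the RSA MFA Agent administrator's guide specifies.
# Assumptions: application group name, Web API application type and host name
# are placeholders; run on an AD FS server with the ADFS PowerShell module.
#Requires -RunAsAdministrator
param(
    [string]$ApplicationGroupName = 'Test MFA',        # placeholder group name
    [string]$AdfsHost = 'adfs.example.com',           # placeholder for <youradfs>.<yourdomain>.com
    [switch]$Fix                                      # without -Fix the script only reports
)

Import-Module ADFS -ErrorAction Stop

# The identifier is compared by AD FS as a literal string, so scheme matters.
$expected = "http://$AdfsHost/adfs/services/trust"
$wrong    = "https://$AdfsHost/adfs/services/trust"

# Fail early if the named application group does not exist.
$group = Get-AdfsApplicationGroup -Name $ApplicationGroupName -ErrorAction Stop

# Web API applications are linked to their group by ApplicationGroupIdentifier.
$apps = Get-AdfsWebApiApplication -ApplicationGroupIdentifier $group.ApplicationGroupIdentifier

if (-not $apps) {
    Write-Warning "No Web API application found in group '$ApplicationGroupName'"
    return
}

foreach ($app in $apps) {
    $ids = @($app.Identifier)

    if ($ids -contains $expected) {
        Write-Host "[OK]      $($app.Name): identifier already '$expected'"
        continue
    }

    if ($ids -contains $wrong) {
        Write-Warning "$($app.Name): identifier uses https ('$wrong'); the test page will not prompt for MFA"
        if ($Fix) {
            # Replace the https entry with the http identifier; keep any other identifiers.
            $newIds = @($ids | Where-Object { $_ -ne $wrong }) + $expected
            Set-AdfsWebApiApplication -TargetIdentifier $wrong -Identifier $newIds
            Write-Host "[FIXED]   $($app.Name): identifier set to '$expected'"
        }
        continue
    }

    Write-Warning "$($app.Name): identifiers ($($ids -join ', ')) match neither value; review manually"
}
```

Run the script once without -Fix to see which applications would be changed, then again with -Fix to apply the correction; afterwards repeat step 9 above to confirm the MFA prompt appears. The relying party identifier is a matching string that AD FS compares against the identifier the test page presents, not a URL the browser connects to, so switching it from https to http aligns the test configuration with the guide without weakening the transport security of the sign-in itself.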