Unregistered Multi-factor Authentication (umfa) makes it possible to require Unregistered SMTP OTP or Unregistered SMS OTP as the second factor authentication method for unregistered users returned from a SAML or an OpenID Connect method.
When Unregistered SMTP or SMS is used as the second factor method, the end user does not enter their email address or mobile phone number; instead, these values are passed as method attributes from the first factor OIDC/SAML method. Because the one-time password is delivered to whatever address or number the first factor method asserts, the strength of the second factor depends on the identity provider returning a verified email address or phone number for the user.
Configuration
Create the first factor method
SAML
OpenID Connect
Configure the identity provider to return the end user's email address (for Unregistered SMTP) or mobile phone number (for Unregistered SMS).
Create an attribute mapping so that the attribute names are exactly as specified below. These are the names the Unregistered SMTP and SMS methods expect, and the attributes must contain the correct information for the multi-factor authentication to work.
phone_number
for the mobile phone number.
email
for the email address.
Create the second factor method
Unregistered SMTP OTP
Unregistered SMS OTP
While not required, it is useful to verify at this point that both methods work individually, before adding the umfa configuration.
To enable the second factor method to be used in multi-factor authentication, set the following configuration string for the second factor method:
mfa true
For example, for Unregistered SMTP OTP:
PUT /method/unregistered.smtp
configuration: mfa true
To chain the second factor method after the first factor method, set the second factor method as the
nextFactor
(next factor method) of the first factor method:
PUT /method/oidc.1/$link/nextFactor/method/unregistered.smtp
...
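The following script is an added example, not code from the original page or from the product itself. It checks that a first factor attribute set, after the attribute mapping, carries the attribute names the Unregistered SMTP and SMS OTP methods read (email and phone_number), points out the usual near miss when the mapping was forgotten (an IdP attribute such as mail or mobile left under its original name), and lists the two management API calls from the page in the order they must be applied. Only the two attribute names, the mfa true line and the two request paths come from the page; the function names, the near-miss list, the syntactic checks on the values and the sample userinfo are assumptions made for the example.

```python
"""Added example, not part of the original page or the product's own code.

Checks that a first factor SAML/OIDC attribute set, after the attribute
mapping, carries the attribute names the Unregistered SMTP / SMS OTP methods
read ("email" and "phone_number"), and lists the two management API calls from
the page in the order they must be applied. Everything except the attribute
names, the "mfa true" line and the two request paths is assumed here.
"""
import re
from typing import Dict, List, Optional, Tuple

# Attribute each second factor method reads (names from the page).
REQUIRED_ATTRIBUTE = {
    "unregistered.smtp": "email",
    "unregistered.sms": "phone_number",
}

# Near-miss names commonly seen in IdP attribute sets; used only to give a
# useful hint when the mapping was forgotten (assumed list, not from the page).
NEAR_MISSES = {
    "email": {"mail", "emailaddress", "email_address", "e-mail", "upn"},
    "phone_number": {"phonenumber", "mobile", "mobilephone", "telephonenumber", "msisdn"},
}

# Assumed syntactic checks; the methods themselves do not publish a grammar.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_E164_RE = re.compile(r"^\+[1-9][0-9]{6,14}$")


def apply_mapping(idp_attributes: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Rename IdP attributes to method attributes.

    mapping is {idp_attribute_name: method_attribute_name}; unmapped attributes
    keep their IdP name, which is exactly how a missing mapping surfaces later.
    """
    return {mapping.get(name, name): value for name, value in idp_attributes.items()}


def check_second_factor_input(method_attributes: Dict[str, str], second_factor: str) -> List[str]:
    """Return problems that would stop the given second factor from working.

    An empty list means the attribute the method needs is present and well formed.
    """
    problems: List[str] = []
    needed = REQUIRED_ATTRIBUTE[second_factor]
    value = method_attributes.get(needed)
    if value is None:
        candidates = sorted(
            name for name in method_attributes if name.lower() in NEAR_MISSES[needed]
        )
        hint = f"; found {candidates}, map it to '{needed}'" if candidates else ""
        problems.append(f"{second_factor}: attribute '{needed}' is missing{hint}")
        return problems
    if needed == "email" and not _EMAIL_RE.match(value):
        problems.append(f"{second_factor}: '{value}' is not an email address")
    if needed == "phone_number" and not _E164_RE.match(value):
        problems.append(f"{second_factor}: '{value}' is not in international (+country) format")
    return problems


def plan_configuration_calls(first_factor: str, second_factor: str) -> List[Tuple[str, str, Optional[str]]]:
    """The two management API calls from the page, in the order to apply them.

    Returns (HTTP method, path, configuration string or None). Only the paths
    and the "mfa true" line come from the page; how the configuration string is
    carried in the PUT body is not shown there and is left to the caller.
    """
    return [
        # 1. mark the second factor method as usable in multi-factor authentication
        ("PUT", f"/method/{second_factor}", "mfa true"),
        # 2. chain it as the nextFactor of the first factor method
        ("PUT", f"/method/{first_factor}/$link/nextFactor/method/{second_factor}", None),
    ]


if __name__ == "__main__":
    # Constructed sample: an OIDC userinfo response with IdP-specific claim names.
    userinfo = {"sub": "alice", "mail": "alice@example.com", "mobile": "+358401234567"}
    mapped = apply_mapping(userinfo, {"mail": "email", "mobile": "phone_number"})
    for method in REQUIRED_ATTRIBUTE:
        print(method, check_second_factor_input(mapped, method) or "ok")
    # Same userinfo with the mapping forgotten: the hint names the near miss.
    print(check_second_factor_input(apply_mapping(userinfo, {}), "unregistered.sms"))
    for verb, path, config in plan_configuration_calls("oidc.1", "unregistered.smtp"):
        print(verb, path, config or "")
```

Run the check against a real userinfo response or SAML attribute statement from the identity provider before setting mfa true, so that a mapping typo (mail instead of email, mobile instead of phone_number) is caught while the methods are still being tested individually rather than at the first umfa login.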