...

With the Unregistered SMTP and Unregistered SMS methods, end users normally enter their email address or mobile phone number themselves. In multi-factor authentication that information is instead passed as method attributes from the OpenID Connect or SAML first factor method.

Prerequisites

  1. SAML method or OpenID Connect method to be used as the first factor method.

  2. Unregistered SMTP or Unregistered SMS method to be used as the second factor method.

...

  1. Configure the SAML or OIDC identity provider linked to the first factor method to return the end user's email address and/or mobile phone number.

    1. An email address is required for Unregistered SMTP.

    2. A mobile phone number is required for Unregistered SMS.

  2. Create an attribute mapping that maps the attribute names to exactly the names specified below; these are the names the Unregistered SMTP and SMS methods expect for unregistered multi-factor authentication to work. If the identity provider already returns the attributes with the expected names, an attribute mapping is not necessary.

    1. Code Block
      # Create new Attribute Mapping with name "attributemapping" and link it to two methods
      PUT /inboundPolicy/attributemapping
      PUT /inboundPolicy/attributemapping/$link/method/unregistered.smtp
      PUT /inboundPolicy/attributemapping/$link/method/unregistered.sms
    2. The attribute name must be phone_number for the mobile phone number.

      1. Code Block
        # Rename method attribute "mobile" as "phone_number"
        POST /inboundPolicy/attributemapping
        type:inboundPolicyItem
        attributename:phone_number
        attributevalue:mobile
    3. The attribute name must be email for the email address.

      1. Code Block
        # Rename method attribute "mail" as "email"
        POST /inboundPolicy/attributemapping
        type:inboundPolicyItem
        attributename:email
        attributevalue:mail
  3. Set the configuration string mfa true for the second factor method.

    This can be set with the Management API or the Management UI.

    1. Management API:

      1. Code Block
        # Note that you also need to include the existing configuration parameters,
        # otherwise they get overwritten. "configuration:..." in the request below stands for them.
        PUT /method/unregistered.smtp

        configuration:mfa true
        configuration:...
  4. Link the second factor method as the next factor method for the first factor method.

    1. Possible to set only with the Management API:

      1. Code Block
        PUT /method/oidc.1/$link/nextFactor/method/unregistered.smtp
    2. Not possible to set with the Management UI.

  5. Link the second factor method to the application site and set it as an allowed method for the application.

    1. Management API:

      1. PUT /site/demosite/$link/method/unregistered.smtp

      2. PUT /method/unregistered.smtp/$link/application/demosite/demoapp

  6. Whether or not the first factor method is an allowed method for the application has the following effect.

    1. If the first factor method is allowed, the user is required to authenticate with a second factor method if at least one second factor method is available. If no second factor method is available, access is allowed with first factor authentication only.

      1. A second factor method is available if it is allowed for the application and a method attribute with the name expected by that second factor method exists and has a non-empty value.

    2. If the first factor method is not allowed, the user is required to authenticate with a second factor method without exception. If no second factor method is available, access is denied.
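The attribute mapping from step 2 and the access rules from step 6 can be modelled as a small decision function. This is an added example, not the product's own code: the function names, the sample attribute values and the assumption that the mapping is applied before availability is checked are all constructed for illustration.

```python
# Added example (not the product's own code): a model of the policy in steps 2 and 6.
# Names such as decide_access and the sample attribute values are assumed for illustration.

# Attribute name each second factor method expects (step 2 on this page).
EXPECTED_ATTRIBUTE = {"unregistered.smtp": "email", "unregistered.sms": "phone_number"}


def apply_attribute_mapping(attributes, mapping):
    """Expose incoming attributes under the names the second factor methods expect.

    mapping uses the page's attributename -> attributevalue form, e.g.
    {"phone_number": "mobile"}: the value received as "mobile" becomes "phone_number".
    Attributes the mapping does not mention pass through unchanged.
    """
    mapped = dict(attributes)
    for expected_name, source_name in mapping.items():
        if source_name in attributes:
            mapped[expected_name] = attributes[source_name]
    return mapped


def available_second_factors(next_factors, app_allowed, attributes):
    """A second factor is available only if it is allowed for the application AND
    the attribute it expects exists with a non-empty value (step 6.1.1)."""
    return [
        method for method in next_factors
        if method in app_allowed
        and attributes.get(EXPECTED_ATTRIBUTE.get(method, ""), "").strip()
    ]


def decide_access(first_factor, next_factors, app_allowed, idp_attributes, mapping):
    """Return ("second_factor", [methods]), ("allow", []) or ("deny", []) per step 6."""
    attributes = apply_attribute_mapping(idp_attributes, mapping)
    available = available_second_factors(next_factors, app_allowed, attributes)
    if available:
        return ("second_factor", available)
    # No second factor available: the outcome depends on whether the first factor is allowed.
    if first_factor in app_allowed:
        return ("allow", [])
    return ("deny", [])


if __name__ == "__main__":
    # Constructed sample: the OIDC provider returns "mail" and "mobile", as in the page's mapping.
    idp = {"mail": "alice@example.com", "mobile": "+358401234567"}
    mapping = {"email": "mail", "phone_number": "mobile"}
    allowed = {"oidc.1", "unregistered.smtp"}  # unregistered.sms is NOT allowed for the app
    print(decide_access("oidc.1", ["unregistered.smtp", "unregistered.sms"], allowed, idp, mapping))
    # -> ('second_factor', ['unregistered.smtp'])
```

Running it with an empty mapping shows why step 2 matters: an attribute that arrives as "mobile" is never matched against the expected "phone_number", so Unregistered SMS counts as unavailable.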

...