...
Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute or claim that can be used to find the directory user.
Link the first factor method to the Directory Service used for registered users.
    PUT /method/oidc.1/$link/directory/Ubilogin%20Directory
This must be the same Directory Service as used with the second factor method.
Create a Directory User Mapping for the first factor method, mapping unregistered users to registered users.
    PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping
    PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1
    PUT /inboundDirectoryMapping/ubiloginDirectoryUserMapping/mapping
        condition=method:phone_number=*
        mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile=%7Bsubject%7D))
In the example above, mappingURL uses the filter (mobile={subject}) to search for the directory user by the mobile attribute, using the value of the sub claim of the id_token (for OIDC methods) or the value of the NameID element of the SAML Assertion (for SAML methods). If the mapping value is provided in another claim or attribute, such as phone_number, then the filter (mobile={method:phone_number}) could be used instead.
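The mapping policy above substitutes a value supplied by the external identity provider into an LDAP search filter, so the substitution must keep that value literal. The following Python example is added here and is not Ubisecure code: it assumes a hypothetical claim set and illustrative helper names, parses the mappingURL, evaluates the method:phone_number=* condition, and renders the filter with the claim value escaped per RFC 4515 so that a value such as * cannot widen the search.

```python
import re

# Constructed sample input (not from the page): the mapping values configured
# above, plus an invented claim set as the first factor IdP might return it.
MAPPING_URL = "ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile={subject}))"
CONDITION = "method:phone_number=*"
CLAIMS = {"sub": "+358401234567", "phone_number": "+358401234567"}

# RFC 4515 escaping: these characters would change the filter's meaning if an
# IdP-supplied value were substituted into it raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_ldap_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_ldap_url(url: str) -> dict:
    """Split an RFC 4516 LDAP URL into host, base DN, attributes, scope and filter."""
    m = re.fullmatch(r"ldap://([^/]*)/([^?]*)(?:\?([^?]*)(?:\?([^?]*)(?:\?(.*))?)?)?", url)
    assert m, f"not an LDAP URL: {url}"
    host, dn, attrs, scope, flt = m.groups()
    return {"host": host, "dn": dn, "scope": scope or "base",
            "attributes": [a for a in (attrs or "").split(",") if a],
            "filter": flt or "(objectClass=*)"}

def condition_matches(condition: str, claims: dict) -> bool:
    """Evaluate a 'method:NAME=*' presence condition against the claims."""
    m = re.fullmatch(r"method:(\w+)=\*", condition)
    assert m, f"unsupported condition: {condition}"
    return bool(claims.get(m.group(1)))

def render_filter(template: str, subject: str, claims: dict) -> str:
    """Fill {subject} and {method:NAME} placeholders with escaped claim values."""
    def fill(m):
        key = m.group(1)
        raw = subject if key == "subject" else claims.get(key[len("method:"):], "")
        return escape_ldap_value(raw)
    return re.sub(r"\{(subject|method:\w+)\}", fill, template)

def resolve_mapping(url: str, condition: str, subject: str, claims: dict):
    """Return the directory search for this login, or None if the condition fails."""
    if not condition_matches(condition, claims):
        return None
    search = parse_ldap_url(url)
    search["filter"] = render_filter(search["filter"], subject, claims)
    return search

if __name__ == "__main__":
    print(resolve_mapping(MAPPING_URL, CONDITION, CLAIMS["sub"], CLAIMS))
    print(render_filter("(mobile={subject})", "*", {}))  # a hostile "*" stays literal
```

Whatever executes the search should also reject a result that matches more than one directory user, so an external identity is never linked to an ambiguous account.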
Link the second factor method as the next factor method for the first factor method.
    PUT /method/oidc.1/$link/nextFactor/method/totp.1
This cannot be set with the Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.
    PUT /site/demosite/$link/method/totp.1
    PUT /application/demosite/demoapp/$link/method/totp.1
        enabled=true
...