...
Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute/claim that can be used to find the directory user.
Link the first factor method to the Directory Service used for registered users.
```
PUT /method/oidc.1/$link/directory/Ubilogin%20Directory
```
This must be the same Directory Service as the one linked to the second factor method.
Create a Directory User Mapping for the first factor method for mapping unregistered users to registered users.
```
PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping
PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1
POST /inboundMappingPolicy/ubiloginDirectoryUserMapping/mapping
type=inboundDirectoryMapping
mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile=%7Bsubject:username%7D))
```
In the example above, mappingURL uses the filter (mobile={subject:username}) to search for the directory user by the mobile attribute, using the sub claim of the id_token (for OIDC methods) or the value of the NameID element in the SAML Assertion (for SAML methods). If the mapping value is provided in another claim or attribute, such as phone_number, then the filter (mobile={attributemethod:phone_number}) could be used instead.
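To show how a mappingURL of this form is resolved at login time, here is an added example (not Ubisecure's code): it splits the RFC 4516 LDAP URL into base DN, attributes, scope and filter, substitutes the {subject:username} placeholder with the sub claim or NameID value, and escapes that value per RFC 4515 so an identifier containing filter metacharacters cannot change the search. The lookup rule for placeholders (any {namespace:name} key in a dictionary) is an assumption made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the mappingURL from the configuration above, with the
# {subject:username} placeholder URL-encoded as %7B...%7D.
MAPPING_URL = ("ldap:///cn=Ubilogin,dc=test??sub?"
               "(&(objectclass=ubiloginUser)(mobile=%7Bsubject:username%7D))")

# Assumed placeholder syntax: {namespace:name}, e.g. {subject:username}.
PLACEHOLDER = re.compile(r"\{([A-Za-z]+):([A-Za-z0-9_]+)\}")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def parse_mapping_url(url: str) -> dict:
    """Split an ldap:/// URL (RFC 4516) into its components."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// (local) URLs are handled here")
    dn, attrs, scope, filt = url[len("ldap:///"):].split("?", 3)
    return {"base": dn, "attributes": attrs, "scope": scope or "base",
            "filter_template": unquote(filt)}


def resolve_filter(template: str, values: dict) -> str:
    """Replace every {namespace:name} placeholder with its escaped value."""
    def repl(m):
        key = f"{m.group(1)}:{m.group(2)}"
        if key not in values:
            raise KeyError(f"no value available for placeholder {{{key}}}")
        return ldap_filter_escape(values[key])
    return PLACEHOLDER.sub(repl, template)


def build_search(mapping_url: str, subject_username: str) -> dict:
    """Resolve the mapping URL for one login: the sub claim (OIDC) or NameID
    (SAML) is exposed to the filter as {subject:username}."""
    parts = parse_mapping_url(mapping_url)
    parts["filter"] = resolve_filter(parts.pop("filter_template"),
                                     {"subject:username": subject_username})
    return parts


if __name__ == "__main__":
    print(build_search(MAPPING_URL, "+358401234567"))
    # A value with filter metacharacters is neutralised by escaping:
    print(build_search(MAPPING_URL, "*)(uid=*")["filter"])
```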
Link the second factor method as the next factor method for the first factor method.
```
PUT /method/oidc.1/$link/nextFactor/method/totp.1
```
This link cannot be set with the Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.
```
PUT /site/demosite/$link/method/totp.1
PUT /application/demosite/demoapp/$link/method/totp.1
enabled=true
```
...