...
Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute/claim that can be used to find the directory user.
Link the first factor method to the Directory Service used for registered users.
    PUT /method/oidc.1/$link/directory/Ubilogin%20Directory
Must be the same Directory Service as used with the second factor method.
Create a Directory User Mapping for the first factor method for mapping unregistered users to registered users.
    PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping
    PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1
    PUT /inboundDirectoryMapping/ubiloginDirectoryUserMapping/mapping condition=method:phone_number=* mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile=%7Bmethod:phone_number%7D))
In the example above, mappingURL uses the filter (mobile={method:phone_number}) to search for the directory user by the mobile attribute, using the value of the attribute phone_number. If the mapping value is provided as the value of the NameID element in the SAML Assertion for a SAML method, the filter (mobile={subject:username}) could be used instead.
Set the configuration string "mfa true" for the second factor method.
    # Note that you also need to set the existing configuration parameters, otherwise
    # they get overwritten. In the request below "configuration=..." stands for them.
    PUT /method/totp.1 configuration=mfa%20true&configuration=...
Link the second factor method as the next factor method for the first factor method.
    PUT /method/oidc.1/$link/nextFactor/method/totp.1
This link cannot be set with the Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.
    PUT /site/demosite/$link/method/totp.1
    PUT /application/demosite/demoapp/$link/method/totp.1 enabled=true
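As an added illustration, not Ubisecure's own code, the following Python models how a Directory User Mapping like the one in step 3 resolves a user and how the request bodies for the mapping and for the totp.1 configuration in step 4 are built. The condition semantics ("=*" meaning the attribute is present) and the RFC 4515 escaping of the looked-up value are assumptions about what a safe implementation does, not a description of the product's internals.

```python
import re
from urllib.parse import quote, urlencode

# Constructed sample: attributes the first factor method received for a user.
SAMPLE_ATTRS = {"method:phone_number": "+358401234567"}
MAPPING_FILTER = "(&(objectclass=ubiloginUser)(mobile={method:phone_number}))"


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    value such as '*)(cn=' cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def condition_matches(condition, attrs):
    """Evaluate a mapping condition like 'method:phone_number=*'.
    Assumption: '=*' means the attribute must be present with any value."""
    name, _, expected = condition.partition("=")
    if name not in attrs:
        return False
    return expected == "*" or attrs[name] == expected


def render_filter(template, attrs):
    """Replace {source:attribute} placeholders with escaped attribute values."""
    return re.sub(r"\{([^}]+)\}", lambda m: ldap_filter_escape(attrs[m.group(1)]), template)


def resolve_user(condition, template, attrs):
    """Return the LDAP filter to search with, or None if the condition fails."""
    if not condition_matches(condition, attrs):
        return None
    return render_filter(template, attrs)


def mapping_request_body(condition, base_dn, attributes, ldap_filter):
    """Form-encoded body for PUT /inboundDirectoryMapping/<name>/mapping;
    the braces of the template come out as %7B/%7D as in the page example."""
    mapping_url = "ldap:///%s??%s?%s" % (base_dn, attributes, ldap_filter)
    return urlencode({"condition": condition, "mappingURL": mapping_url}, quote_via=quote)


def totp_config_body(existing, new):
    """Body for PUT /method/totp.1 that re-sends every existing configuration
    parameter alongside the new one, so none of them get overwritten."""
    return urlencode([("configuration", c) for c in list(existing) + [new]], quote_via=quote)


if __name__ == "__main__":
    print(resolve_user("method:phone_number=*", MAPPING_FILTER, SAMPLE_ATTRS))
    print(totp_config_body(["digits 6"], "mfa true"))
```

The escaping step matters because the phone number comes from the external identity provider and is placed inside an LDAP filter, so it should be treated as untrusted input when the mapping is evaluated.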
...