Versions Compared

Unregistered Multi-factor Authentication (umfa) means that it is possible to require Unregistered SMTP or Unregistered SMS as the second factor authentication method for unregistered users returned from a SAML method or an OpenID Connect method.

While normally with Unregistered SMTP or SMS the end users need to enter their email address or mobile phone number themselves, in multi-factor authentication that information is passed as method attributes from the first factor OIDC/SAML method.

Configuration


Create the first factor method

  1. SAML

  2. OpenID Connect


Prerequisite

  1. SAML method or OpenID Connect method to be used as the first factor method.

  2. Unregistered SMTP or Unregistered SMS method to be used as the second factor method.

  3. Management API - SSO enabled, to be able to link the second factor method to the first factor method.

Possible configurations

In these examples a first factor method is available if:

  • it is allowed for the application;

  • it is linked with a second factor method.

A second factor method is available if:

  • it is allowed for the application;

  • a method attribute with the expected name for the second factor method exists and has non-empty value.

First factor                                     | Second factor                                   | User authentication
-------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------
Available (Allowed and linked to second factor)  | Available (Allowed, valid attribute returned)   | First and second factor methods authentication is required
Available (Allowed and linked to second factor)  | Unavailable (Allowed, but no valid attribute is returned) | First factor method authentication is required
Unavailable (Not allowed, but linked to second factor) | Available (Allowed, valid attribute returned) | Second factor method authentication is required
Unavailable (Not allowed, but linked to second factor) | Unavailable (Allowed, but no valid attribute is returned) | Access denied
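The availability rules and the decision table above, together with the attribute mapping step of the configuration section, as an added Python example that is not part of the original page or of the product's own code. It simulates the evaluation in plain Python: the mapping entries mirror the two inboundPolicyItem entries on the page (phone_number from {mobile}, email from {mail}); the identity provider attribute values, the helper names and the outcome labels ("first+second", "first", "second", "denied") are constructed for this example and assume nothing about how the product implements the check internally.

```python
from typing import Dict, Mapping

# Attribute names the two second factor methods expect (from the page).
EXPECTED_ATTRIBUTE = {
    "unregistered.smtp": "email",
    "unregistered.sms": "phone_number",
}

# Constructed attribute mapping: attributename -> attributevalue template,
# mirroring the two inboundPolicyItem entries on the page.
ATTRIBUTE_MAPPING = {
    "phone_number": "{mobile}",
    "email": "{mail}",
}


def apply_attribute_mapping(method_attributes: Mapping[str, str],
                            mapping: Mapping[str, str]) -> Dict[str, str]:
    """Expand each "{name}" template against the first factor attributes.

    Original attributes are passed through unchanged (so an IdP that already
    returns "email" or "phone_number" needs no mapping). A template whose
    source attribute is missing, or that expands to a blank value, produces
    no attribute, which the second factor method then treats as absent.
    """
    result = dict(method_attributes)
    for target, template in mapping.items():
        try:
            value = template.format(**method_attributes)
        except KeyError:
            continue  # source attribute was not returned by the IdP
        if value.strip():
            result[target] = value
    return result


def first_factor_available(allowed: bool, linked_to_second: bool) -> bool:
    """Available only if allowed for the application AND linked to a second factor."""
    return allowed and linked_to_second


def second_factor_available(method: str, allowed: bool,
                            attributes: Mapping[str, str]) -> bool:
    """Available only if allowed AND the expected attribute has a non-empty value."""
    expected = EXPECTED_ATTRIBUTE[method]
    return allowed and bool(attributes.get(expected, "").strip())


def required_authentication(first_available: bool, second_available: bool) -> str:
    """The page's decision table, with constructed outcome labels."""
    if first_available and second_available:
        return "first+second"   # both factor methods must authenticate
    if first_available:
        return "first"          # first factor method only
    if second_available:
        return "second"         # second factor method only
    return "denied"             # access denied


def evaluate(first_allowed: bool, first_linked: bool, second_method: str,
             second_allowed: bool, idp_attributes: Mapping[str, str],
             mapping: Mapping[str, str] = ATTRIBUTE_MAPPING) -> str:
    """Run mapping, then availability checks, then the decision table."""
    attrs = apply_attribute_mapping(idp_attributes, mapping)
    return required_authentication(
        first_factor_available(first_allowed, first_linked),
        second_factor_available(second_method, second_allowed, attrs),
    )


if __name__ == "__main__":
    # Constructed attributes as an IdP might return them for one user.
    idp = {"mail": "user@example.invalid", "mobile": "+358401234567"}
    print(apply_attribute_mapping(idp, ATTRIBUTE_MAPPING))
    print(evaluate(True, True, "unregistered.sms", True, idp))
    # Same user, but the IdP returned no mobile number: SMS factor unavailable.
    print(evaluate(True, True, "unregistered.sms", True, {"mail": idp["mail"]}))
```

The blank-value check matters: an attribute that exists but is empty counts as "no valid attribute" in the table, and the mapping drops it rather than creating an empty phone_number or email that the second factor method would have to reject.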

Configuration

  1. Configure the SAML or OIDC identity provider linked to the first factor method to return the end user’s email address and/or mobile phone number.

    1. The email address is required for Unregistered SMTP.

    2. The mobile phone number is required for Unregistered SMS.

  2. Create an attribute mapping to map the attribute names to be exactly as specified below, which is what the Unregistered SMTP and SMS methods expect for the unregistered multi-factor authentication to work. If the identity provider returns the attributes directly with the expected name, then attribute mapping is not necessary.

    Code Block
    # Create new Attribute Mapping with name "attributemapping" and link it to methods
    PUT /inboundPolicy/attributemapping
    PUT /inboundPolicy/attributemapping/$link/method/unregistered.smtp
    PUT /inboundPolicy/attributemapping/$link/method/unregistered.sms

    1. Attribute name must be phone_number for the mobile phone number.

      Code Block
      # Rename method attribute "mobile" as "phone_number"
      POST /inboundPolicy/attributemapping
      type=inboundPolicyItem&attributename=phone_number&attributevalue=%7Bmobile%7D

    2. Attribute name must be email for the email address.

      Code Block
      # Rename method attribute "mail" as "email"
      POST /inboundPolicy/attributemapping
      type=inboundPolicyItem&attributename=email&attributevalue=%7Bmail%7D

  3. While not required, it’s useful to verify at this point that both methods work individually without the umfa configuration.

  4. To enable the second factor method (Unregistered SMTP or Unregistered SMS) to be used in multi-factor authentication, set the configuration string mfa true for it.

    Code Block
    # Note that you need to set also the existing configuration parameters, otherwise
    # they get overwritten. In the request below "configuration=..." stands for them.
    PUT /method/unregistered.smtp
    configuration=mfa%20true&configuration=...

  5. Link the second factor method as the next factor method for the first factor method. This cannot be set with the Management UI.

    Code Block
    PUT /method/oidc.1/$link/nextFactor/method/unregistered.smtp

  6. Link the second factor method to the application site and set it as an allowed method for the application.

    Code Block
    PUT /site/demosite/$link/method/unregistered.smtp

    PUT /application/demosite/demoapp/$link/method/unregistered.smtp
    enabled=true