Unregistered Multi-factor Authentication (umfa) is about being means that it is possible to require Unregistered SMTP or Unregistered SMS as the second factor authentication method for unregistered users returned from a SAML method or an OpenID Connect method.
When While normally with Unregistered SMTP or SMS is used as the second factor method, then instead of end user having end users need to enter their email address or mobile phone number, they are in multi-factor authentication that information is passed as method attributes from the first factor OIDC/SAML method.
Configuration
...
Create the first factor method
SAML
OpenID Connect
...
the OpenID Connect or SAML method.
Prerequisite
SAML method or OpenID Connect method to be used as the first factor method.
Unregistered SMTP or Unregistered SMS method to be used as the second factor method.
Management API - SSO enabled to be able to link second factor method to first factor method.
Possible configurations
In these examples a first factor method is available if:
it is allowed for the application;
it is linked with a second factor method.
A second factor method is available if:
it is allowed for the application;
a method attribute with the expected name for the second factor method exists and has non-empty value.
First factor | Second factor | User authentication |
---|---|---|
Available | Available | First and second factor methods authentication is required |
Available | Unavailable | First factor method authentication is required |
Unavailable | Available | Second factor method authentication is required |
Unavailable | Unavailable | Access denied |
Configuration
Configure the SAML or OIDC identity provider linked to the first factor method to return end user’s email address and/or mobile phone number.
email address is required for the Unregistered SMTP
mobile phone number is required for the Unregistered SMS
Create an attribute mapping which maps to map the attribute names to be exactly as specified below, which is what the Unregistered SMTP and SMS method expect the attribute names to be and to contain correct information methods expect for the unregistered multi-factor authentication to work. If the identity provider returns the attributes directly with the expected name, then attribute mapping is not necessary.
Code Block # Create new Attribute Mapping with name "attributemapping" and link it to methods PUT /inboundPolicy/attributemapping PUT /inboundPolicy/attributemapping/$link/method/unregistered.smtp PUT /inboundPolicy/attributemapping/$link/method/unregistered.sms
Attribute name must be
phone_number
for the mobile phone number.Code Block # Rename method attribute "mobile" as "phone_number" POST /inboundPolicy/attributemapping type=inboundPolicyItem&attributename=phone_number&attributevalue=%7Bmobile%7D
Attribute name must be
email
for the email address.
Code Block # Rename method attribute "mail" as "email" POST /inboundPolicy/attributemapping type=inboundPolicyItem&attributename=email&attributevalue=%7Bmail%7D
Set configuration string
mfa true
for the second factor method.Unregistered SMTP
Unregistered SMS
While not required, it’s useful to verify at this point that both work individually without the umfa configuration.
To enable the second factor method to be used in multi-factor authentication, set configuration string
mfa true
for the second factor method.PUT /method/unregistered.smtp
configuration:mfa true
Set the second factor method as the next factor method for the first factor method.
PUT /method/oidc.1/$link/nextFactor/method/unregistered.smtp
Code Block # Note that you need to set also the existing configuration parameters, otherwise # they get overwritten. In below request "configuration:..." is to mark that. PUT /method/unregistered.smtp configuration=mfa%20true&configuration=...
Link the second factor method as the next factor method for the first factor method.
Code Block PUT /method/oidc.1/$link/nextFactor/method/unregistered.smtp
Not possible to set with Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.
Code Block PUT /site/demosite/$link/method/unregistered.smtp PUT /application/demosite/demoapp/$link/method/unregistered.smtp enabled=true