It is possible to require second factor authentication from registered users who authenticated with an OpenID Connect or SAML2 Authentication Method. These methods produce unregistered users; a Directory User Mapping elevates them to registered users.
The second factor method here can be any of
Note that prior to SSO 9.1.0 only the Password method could be used as the first factor method.
Prerequisite
SAML method or OpenID Connect method to be used as the first factor method.
OTP Printout, TOTP, SMS OTP or OpenID Connect CIBA method to be used as the second factor method.
Management API - SSO enabled, so that the second factor method can be linked to the first factor method.
Possible configurations
In these examples it is assumed that:
- the second factor method is linked to the first factor method, and
- the first factor method is activated for the user (for Ubilogin Directory users only)
| First factor allowed for application | Second factor allowed for application | Second factor activated for user | User authentication |
|---|---|---|---|
| X | X | X | Second factor authentication is required |
| X | X | - | First factor authentication is required |
| - | X | X | Second factor authentication is required |
| - | X | - | Access denied |
| X | - | X / - | First factor authentication is required |
| - | - | X / - | Access denied |
Configuration
For the steps below, it is expected that the OpenID Connect method oidc.1 and the TOTP method totp.1 are already configured in the system.
Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute/claim that can be used to find the directory user.
Link the first factor method to the Directory Service used for registered users.
PUT /method/oidc.1/$link/directory/Ubilogin%20Directory
Must be the same Directory Service as used with the second factor method.
Create a Directory User Mapping for the first factor method for mapping unregistered users to registered users.
PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping
PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1
PUT /inboundDirectoryMapping/ubiloginDirectoryUserMapping/mapping mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile=%7Bsubject:username%7D))
In the example above the mappingURL uses the filter (mobile={subject:username}) to search for the directory user by the mobile attribute, using the sub claim of the id_token (for OIDC methods) or the value of the NameID element in the SAML Assertion (for SAML methods). If the mapping value is provided in another claim or attribute, such as phone_number, then the filter (mobile={method:phone_number}) could be used instead.
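To make the placeholder semantics concrete, here is an added illustration (not Ubisecure SSO code) that resolves a mappingURL of the form shown above against a set of OIDC claims: {subject:username} is taken from the sub claim and {method:<name>} from the named claim, and each value is escaped per RFC 4515 before it enters the LDAP filter, so a claim value cannot alter the search. The escaping and the URL split are this example's own assumptions about how such a mapping should be applied.

```python
"""Resolve a Directory User Mapping URL against OIDC claims (illustration only)."""
import re
from urllib.parse import unquote

# Placeholders as described on the page: {subject:username} or {method:<claim>}
PLACEHOLDER = re.compile(r"\{(subject|method):([A-Za-z0-9_]+)\}")


def ldap_filter_escape(value: str) -> str:
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def resolve_mapping_url(mapping_url: str, claims: dict) -> str:
    """Return the LDAP URL with every placeholder replaced by an escaped claim value.

    A missing claim raises KeyError rather than producing an empty or
    wildcard filter, so no directory search runs with an incomplete key.
    """
    def lookup(match: re.Match) -> str:
        source, name = match.group(1), match.group(2)
        if source == "subject" and name == "username":
            value = claims.get("sub")  # assumption: subject:username == sub claim
        elif source == "method":
            value = claims.get(name)   # any other claim returned by the IdP
        else:
            raise KeyError(f"unsupported placeholder {match.group(0)}")
        if value is None:
            raise KeyError(f"claim for {match.group(0)} is missing")
        return ldap_filter_escape(str(value))

    # The page shows the braces URL-encoded (%7B / %7D); decode before matching.
    return PLACEHOLDER.sub(lookup, unquote(mapping_url))


def split_ldap_url(url: str) -> dict:
    """Split ldap:///<dn>?<attributes>?<scope>?<filter> into its components."""
    rest = url[len("ldap:///"):]
    dn, attrs, scope, flt = (rest.split("?", 3) + ["", "", ""])[:4]
    return {"dn": dn, "attributes": attrs, "scope": scope or "base", "filter": flt}


if __name__ == "__main__":
    # Constructed sample: the page's mappingURL and an id_token sub claim.
    URL = ("ldap:///cn=Ubilogin,dc=test??sub?"
           "(&(objectclass=ubiloginUser)(mobile=%7Bsubject:username%7D))")
    print(split_ldap_url(resolve_mapping_url(URL, {"sub": "+358401234567"})))
```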
Link the second factor method as the next factor method for the first factor method.
PUT /method/oidc.1/$link/nextFactor/method/totp.1
This link cannot be set with the Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.
PUT /site/demosite/$link/method/totp.1
PUT /application/demosite/demoapp/$link/method/totp.1 enabled=true