Unregistered Multi-factor Authentication - SSO

Unregistered Multi-factor Authentication means that it is possible to require Unregistered SMTP or Unregistered SMS as the second factor authentication method for unregistered users returned from a SAML method or an OpenID Connect method.

While normally with Unregistered SMTP or SMS end users need to enter their email address or mobile phone number, in multi-factor authentication that information is passed as method attributes from the OpenID Connect or SAML method.

Prerequisite

SAML method or OpenID Connect method to be used as the first factor method.
Unregistered SMTP or Unregistered SMS method to be used as the second factor method.
Management API - SSO enabled to be able to link second factor method to first factor method.

Possible configurations

In these examples a first factor method is available if:

it is allowed for the application;
it is linked with a second factor method.

A second factor method is available if:

it is allowed for the application;
a method attribute with the expected name for the second factor method exists and has non-empty value.

First factor	Second factor	User authentication

First factor	Second factor	User authentication
Available (Allowed and linked to second factor)	Available (Allowed, valid attribute returned)	First and second factor methods authentication is required
Available (Allowed and linked to second factor)	Unavailable (Allowed, but no valid attribute is returned)	First factor method authentication is required
Unavailable (Not allowed, but linked to second factor)	Available (Allowed, valid attribute returned)	Second factor method authentication is required
Unavailable (Not allowed, but linked to second factor)	Unavailable (Allowed, but no valid attribute is returned)	Access denied

Configuration

Configure the SAML or OIDC identity provider linked to the first factor method to return end user’s email address and/or mobile phone number.
1. email address is required for the Unregistered SMTP
2. mobile phone number is required for the Unregistered SMS
Create an attribute mapping to map the attribute names to be exactly as specified below, which is what the Unregistered SMTP and SMS methods expect for the unregistered multi-factor authentication to work. If the identity provider returns the attributes directly with the expected name, then attribute mapping is not necessary.
# Create new Attribute Mapping with name "attributemapping" and link it to methods PUT /inboundPolicy/attributemapping PUT /inboundPolicy/attributemapping/$link/method/unregistered.smtp PUT /inboundPolicy/attributemapping/$link/method/unregistered.sms
1. Attribute name must be phone_number for the mobile phone number.
  # Rename method attribute "mobile" as "phone_number" POST /inboundPolicy/attributemapping type=inboundPolicyItem&attributename=phone_number&attributevalue=%7Bmobile%7D
2. Attribute name must be email for the email address.
  # Rename method attribute "mail" as "email" POST /inboundPolicy/attributemapping type=inboundPolicyItem&attributename=email&attributevalue=%7Bmail%7D
Set configuration string mfa true for the second factor method.
Link the second factor method as the next factor method for the first factor method.
1. Not possible to set with Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.