Multi-factor Authentication with Directory User Mapping - SSO

It is possible to require second factor authentication from registered users authenticated with an OpenID Connect or SAML2 Authentication Method, which provide unregistered users, having a Directory User Mapping to elevate them to registered users.

The second factor method here can be any of

Note that prior to SSO 9.1.0 it was possible to use only password as the first factor method.

Prerequisite

SAML method or OpenID Connect method to be used as the first factor method.
OTP Printout, TOTP, SMS OTP or OpenID Connect CIBA method to be used as the second factor method.
Management API - SSO enabled to be able to link second factor method to first factor method.

Possible configurations

In these examples it is assumed that

second factor method is linked to the first factor method, and
first factor method is activated for the user (for Ubilogin Directory users only)

First factor allowed for application	Second factor allowed for application	Second factor activated for user	User authentication

First factor allowed for application	Second factor allowed for application	Second factor activated for user	User authentication
X	X	X	Second factor authentication is required
X	X	-	First factor authentication is required
-	X	X	Second factor authentication is required
-	X	-	Access denied
X	-	X / -	First factor authentication is required
-	-	X / -	Access denied

Configuration

For the steps below, it’s expected to have OpenID Connect method oidc.1 and TOTP method totp.1 already configured in the system.

Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute/claim which can be used for finding the directory user.
Link the first factor method to the Directory Service used for registered users.
PUT /method/oidc.1/$link/directory/Ubilogin%20Directory
1. Must be the same Directory Service as used with the second factor method.
Create a Directory User Mapping for the first factor method for mapping unregistered users to registered users.
PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1 PUT /inboundDirectoryMapping/ubiloginDirectoryUserMapping/mapping condition=method:phone_number=* mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile=%7Bmethod:phone_number%7D))
1. In the example above mappingURL uses filter (mobile={method:phone_number}) to search directory user by mobile attribute using the value of attribute phone_number.
2. If the mapping value is provided as value of NameID element in SAML Assertion for a SAML method then filter (mobile={subject:username}) could be used instead.
Link the second factor method as the next factor method for the first factor method.
PUT /method/oidc.1/$link/nextFactor/method/totp.1
1. Not possible to set with Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.