Multi-factor Authentication with Directory User Mapping - SSO
It is possible to require second factor authentication from registered users authenticated with an OpenID Connect or SAML2 Authentication Method, which provide unregistered users, having a Directory User Mapping to elevate them to registered users.
The second factor method here can be any of
Note that prior to SSO 9.1.0 it was possible to use only password as the first factor method.
Prerequisite
SAML method or OpenID Connect method to be used as the first factor method.
OTP Printout, TOTP, SMS OTP or OpenID Connect CIBA method to be used as the second factor method.
Management API - SSO enabled to be able to link second factor method to first factor method.
Possible configurations
In these examples it is assumed that
second factor method is linked to the first factor method, and
first factor method is activated for the user (for Ubilogin Directory users only)
First factor allowed for application | Second factor allowed for application | Second factor activated for user | User authentication |
|---|---|---|---|
X | X | X | Second factor authentication is required |
X | X | - | First factor authentication is required |
- | X | X | Second factor authentication is required |
- | X | - | Access denied |
X | - | X / - | First factor authentication is required |
- | - | X / - | Access denied |
Configuration
For the steps below, it’s expected to have OpenID Connect method oidc.1 and TOTP method totp.1 already configured in the system.
Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute/claim which can be used for finding the directory user.
Link the first factor method to the Directory Service used for registered users.
PUT /method/oidc.1/$link/directory/Ubilogin%20DirectoryMust be the same Directory Service as used with the second factor method.
Create a Directory User Mapping for the first factor method for mapping unregistered users to registered users.
PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1 PUT /inboundDirectoryMapping/ubiloginDirectoryUserMapping/mapping condition=method:phone_number=* mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile=%7Bmethod:phone_number%7D))In the example above mappingURL uses filter
(mobile={method:phone_number})to search directory user by mobile attribute using the value of attributephone_number.If the mapping value is provided as value of NameID element in SAML Assertion for a SAML method then filter
(mobile={subject:username})could be used instead.
Link the second factor method as the next factor method for the first factor method.
PUT /method/oidc.1/$link/nextFactor/method/totp.1Not possible to set with Management UI.
Link the second factor method to the application site and set it as an allowed method for the application.