Use MFA Based on user profile OpenAM 13.5.2


This topic has 5 replies, 2 voices, and was last updated 1 year, 3 months ago by abarry.

  • #25719
     abarry
    Participant

    Hello,

    I have a realm (/users) and I would like to implement MFA (using the HOTP module) for this realm. The MFA should be mandatory for some users, and I have some users for whom I don’t want to use MFA. I don’t want to use another realm or to choose manually the authentication chain to use for each user (in the case where I have a hundred users). All the users in this realm have the same configuration; the only difference will be the fact that I want to use MFA for some of them.

    Does someone have some advice about how I can do this?

    Thank you for your response.
    Regards,

    #25722
     Andy Cory
    Participant

    Hi

    Before working out how OpenAM can know for which users to require MFA, how are you going to decide? What differentiates the users that you want to add the HOTP step? If there’s some business criterion for deciding, maybe that can be translated into a technical solution. If it’s really the case that all your users have the same configuration and there’s no differentiator, then I’ll stick my neck out and say it can’t be done!

    If there is a differentiator – say, membership of a group, then you could add an Adaptive Risk Module into the chain and look at the “Profile Risk Attribute check” setting.

    -Andy

    #25723
     Andy Cory
    Participant

    Also, an off-topic remark, ideally you shouldn’t call your realm /users. OpenAM is very likely to get quite confused since /users is one of the REST endpoints. If you have a DNS alias to your realm, meaning you (or the XUI) don’t have to specify both the /users realm and /users endpoint in the URL then you may get away with it, but it’s quite a risk that behaviour won’t be as you expect.

    -Andy

    #25726
     abarry
    Participant

    Thank you for your remark about the realm name (it was just an example – not the good one…).

    The differentiator can be, for example, a value in a specified field. For example, use MFA for all users where the attribute “City” in the user profile is equal to “Paris”.

    Thank you for your response.
    Regards

    #25729
     Andy Cory
    Participant

    In that case I think the “Profile Risk Attribute check” in the Adaptive Risk Module should do exactly what you want.

    -Andy
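
    The behaviour Andy describes can be seen with a small simulation, added here as an illustration and not taken from the thread or from OpenAM's own code: an authentication chain with a SUFFICIENT Adaptive Risk module placed in front of a REQUIRED HOTP module. The module names, the JAAS-style control flags and the profile data are assumptions for the example; users whose profile attribute matches the configured value score at or above the threshold, so Adaptive Risk fails and the chain falls through to HOTP, while everyone else passes on Adaptive Risk alone and never sees the OTP step.

```python
from dataclasses import dataclass

# Constructed sample profiles standing in for data-store (LDAP) entries.
PROFILES = {
    "alice": {"userPassword": "s3cret", "l": "Paris"},   # must do MFA
    "bob":   {"userPassword": "hunter2", "l": "Lyon"},   # password only
}

class DataStore:
    """First factor: checks the password against the profile."""
    def login(self, user, ctx):
        return PROFILES.get(user, {}).get("userPassword") == ctx.get("password")

@dataclass
class AdaptiveRisk:
    """Mimics the Profile Risk Attribute check (assumed names/defaults): add
    attr_score when the attribute equals attr_value; succeed if score < threshold."""
    attr_name: str = "l"
    attr_value: str = "Paris"
    attr_score: int = 1
    threshold: int = 1
    def login(self, user, ctx):
        matched = PROFILES.get(user, {}).get(self.attr_name) == self.attr_value
        return (self.attr_score if matched else 0) < self.threshold

class HOTP:
    """Second factor; ctx['otp_ok'] stands in for a verified one-time code."""
    def login(self, user, ctx):
        return ctx.get("otp_ok", False)

def run_chain(chain, user, ctx):
    """JAAS-style evaluation. REQUIRED must pass but the chain continues;
    REQUISITE aborts on failure; SUFFICIENT returns success immediately when
    it passes and nothing required has failed yet. Returns (ok, modules run)."""
    ran, required_failed = [], False
    for module, flag in chain:
        ran.append(type(module).__name__)
        ok = module.login(user, ctx)
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            if flag == "REQUISITE":
                return False, ran
            required_failed = True
        elif flag == "SUFFICIENT" and ok and not required_failed:
            return True, ran
    return not required_failed, ran

CHAIN = [(DataStore(), "REQUIRED"), (AdaptiveRisk(), "SUFFICIENT"), (HOTP(), "REQUIRED")]

def authenticate(user, password, otp_ok=False):
    return run_chain(CHAIN, user, {"password": password, "otp_ok": otp_ok})
```

    Setting the Adaptive Risk module to SUFFICIENT rather than REQUIRED is the detail that matters: with REQUIRED, a failed risk check would reject the Paris users instead of routing them to HOTP.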

    #25730
     abarry
    Participant

    OK, thank you for your reactivity. I will explore this solution to understand how it works.
    Thank you again.
    Regards,
