Deprecation of Strong Authentication on Admin Step-Up

Deprecation Announcement

We wanted to let you know that we will be deprecating the following functionality Feb 5, 2024:

Strong Authentication access to administrative functions

  • For security reasons, elevated users like admins currently go through an experience called ‘Step-Up’ to validate who they are when navigating to admin areas of the product. Because all elevated users as of December 2023 are now required to configure and use a Time-Based One-Time Password (TOTP) or IdP to log into Identity Security Cloud, the admin Step-Up experience is now redundant and being deprecated. This TOTP registration for elevated users is automatic and requires no action within Identity Security Cloud.

Documentation

Information regarding configuring TOTP can be found at the following link:
Configuring Strong and Multifactor Authentication and Integrations - SailPoint Identity Services

While we will officially deprecate these functions on Feb 5, 2024, we are able to remove this functionality sooner if you have already taken all necessary steps to configure TOTP for elevated users. Please fill out this form, and we will remove it for your tenants.

Microsoft Forms

Action Required

None at this time.

Deprecation Timeline

Monday, January 22nd:

  • Deprecate strong auth for all sandbox environments

Monday, February 5th: (two weeks after sandbox)

  • Deprecate strong auth for release batch 1

Tuesday, February 6th:

  • Deprecate strong auth for release batch 2

Thursday, February 8th:

  • Deprecate strong auth for release batch 3
  • Batch 3 is the largest batch
  • At this point strong auth would be deprecated for everyone.

Frequently Asked Questions:

Q: What do I need to do?

A: Org Admins do not need to do anything to prepare for this change unless they both use an IdP and are not enforcing MFA through their IdP. As of December 2023, SailPoint now automatically requires all elevated users that encounter Admin Step-Up to set up a TOTP device. As such, no action is required within Identity Security Cloud to ensure that only validated users have access to the admin sections of the app.

If you do allow elevated users to log into Identity Security Cloud via an IdP but do not enforce MFA via your IdP, you should enforce MFA via your IdP.

Q: What happens if I don’t configure MFA before this is deprecated?

A: All elevated users have been asked to configure a TOTP device since December 2023. Any elevated users that have not yet set up a TOTP device by February 5 will simply be required to set up a TOTP device before they can log in to Identity Security Cloud. This is automatic; no action is required on your part to enforce this.

Q: What if I’m ready now and don’t want to wait until Feb. 5, 2024?

A: Fill out this form and we will remove it from your tenant(s).

So, I was prompted to configure this, and have my code set up for my accounts (both in dev and prod), but I'm literally never prompted for a TOTP code. Anyone else?

Mark

You registered for TOTP, but you will only ever be prompted for the code if you bypass SSO to login, such as when using the login prompt=true bypass, or when using a break-glass account. Otherwise if you log in via SSO, that will count as your MFA. Does that make sense?

Tyler

Ooooh, perfect. Thank you for the explanation! That makes complete sense!