UPDATE: We’ve heard feedback that some of you need some more time to investigate this. As such, we are delaying the rollout of this deprecation by another month, until the end of September. We have continued with the deployment to sandbox orgs so that customers can test different solutions.
If you require additional time, please reach out to your CSMs and we can work with you on a case-by-case basis, but you may run into regressions and/or be delayed in accessing new features until this has been deprecated.
We wanted to let you know that we will be deprecating the following functionality:
Strong Authentication access to administrative functions
• Admin users will now be able to navigate to admin areas of the product without an additional step-up authentication step. Customers can still enforce multi-factor authentication on sign in, per identity profile, either through integration with a 3rd party MFA solution or through our built-in Time-based One-Time Password (TOTP) MFA option.
• Customer admins will no longer be able to configure usage agreements that their users are required to accept before they can access the product. This was a seldom used feature.
If you have any questions, please reach out to your Customer Success Manager.
Thank you!
Tyler
Deprecation Timeline - UPDATED
• August 21st, 2023 (Monday): 100% of Sandbox Orgs
• October 2-5, 2023 (Monday-Thursday): Roll to 100% of Production Orgs (barring those requiring additional time)
There needs to be a way to still require MFA for admins only, as it’s not necessary for standard users.
Currently the only way for that is either to control that on your service provider side (e.g. different MFA requirements during SSO) or to have all admins sourced from a different identity profile, which is not ideal if you source all your human users from a single HR source and adds unnecessary complexity. We reserve a separate identity profile purely for breakglass access; anything else is not allowed to bypass SSO.
I agree 100% with Marten about the need for MFA for Admins. Admins still can use prompt=true when SSO is required so MFA on the SSO side is not going to help here. I also am not clear what problem this should solve. So at least make it an option.
Can you describe more what you are seeing? The deprecation of Strong Auth should not affect this endpoint. These tokens are refreshed frequently and are not intended to be used for purposes other than the web application.
The better way to handle authentication for making API calls is using Personal Access Tokens. Postman specifically has great support for resolving the OAuth credentials: just plug in the values from the personal access token and you’ll be able to get an access token that lasts 24 hours, with the ability to refresh it for up to 30 days(?), instead of being limited to the 15-minute expiration of the UI’s token.
Hi @Tyler_Harman, regarding the following paragraph in your announcement:
The first section in the linked page reads “Configuring Strong Authentication Methods” which refers to a panel now gone from all identity profiles in Sandbox tenants (not sure if the panel is temporarily hidden until it’s restored with extra options to enforce strong auth for certain roles).
Shall the documentation team add a note advising that the feature is soon to be deprecated for admins and include a link to this thread for more details on the announcement?
I would like to echo what @M_rtenH says… we’re about to have a lot of people unnecessarily having to MFA every time they have a new session into the app, when we really only need admins to do that.
I had a call with someone from SailPoint support regarding a different issue today and he mentioned that we can expect an announcement regarding this later today.
SailPoint said during the August 1 update that they have heard feedback that some tenants need some more time to investigate this and that as such, SailPoint delayed the rollout of this deprecation by another month, until the end of September.
As far as I know rollbacks are possible per tenant, so I wonder why these rollbacks occur to all tenants and not just to those who require the rollback.
I guess it would be even better to allow each tenant to configure in the system settings whether they want this or not.
There will be communication to follow shortly. Admin step-up has been temporarily reinstated through end of year. As part of this extension, and to better protect and secure our customer base, we also plan to make changes to how MFA works for elevated users. There will be more communications regarding these changes later this week.
Stay tuned, I know this is a bit of a surprise but this was done purposefully. I believe @derek_putnam will be sharing something in the announcements section shortly.
I’m assuming a similar post is being made on Compass alongside the notice referenced that the timeframe was being extended? Really trying to wrap my head around why this is currently sequestered to the dev community vs. the Compass community, which is where many of the customers that were impacted are looking (i.e. based on the discussions I’ve had with clients so far today).
Thanks for the update on this! If I can be brutally honest for a second, a proactive notification for user facing changes like this would have been appreciated. Instead, you’ve got the technical folks like us asking in discussion threads and group chats what’s going on since there was no official announcement until the next day after the rollout happened.