MFA Services for IdentityNow

Hello, I don’t see any information about configuring MS Authenticator. Are there instructions for it? I only see details for Duo, Okta & RSA, Safenet & Symantec.

Hi @Tyler_Harman,

I, like other users, would like the ability to require MFA only for admins, as most other standard users don’t have enough access to make MFA necessary. When strong authentication is deprecated, you’ve given customers essentially an “all or nothing” choice when it comes to how they want to use MFA. Strong auth might have had its limitations, but the way it was deployed was effective in that it was only triggered when sensitive operations might be invoked.

My thought was that I could assign an AD group automatically if someone has the ORG_ADMIN role in Idn. That way, on the Okta side, I could have a rule to require MFA if someone is in that group.

However, there doesn’t appear to be a way to define role membership based on someone’s IdN access, because that source is not available in the drop-down, despite it showing both as an account and as an entitlement on my identity:

{
  "id": "2c918089801984fc01801a8f981338ad",
  "name": "366088",
  "accountId": "366088",
  "source": {
    "id": "2c91808a6f15533b016fabe321da7532",
    "name": "IdentityNow",
    "type": "IdentityNowConnector"
  },
  "disabled": false,
  "locked": false,
  "privileged": false,
  "manuallyCorrelated": false,
  "entitlementAttributes": {
    "assignedGroups": "ORG_ADMIN"
  },
  "created": "2022-04-11T21:37:39.859Z"
}

{
  "id": "2c91808a6f15533b016fabe322107535",
  "name": "Administrator",
  "displayName": "Administrator",
  "type": "ENTITLEMENT",
  "description": "Full administrative access to IdentityNow",
  "source": {
    "id": "2c91808a6f15533b016fabe321da7532",
    "name": "IdentityNow"
  },
  "privileged": false,
  "attribute": "assignedGroups",
  "value": "ORG_ADMIN",
  "standalone": true,
  "requestable": false
}

@Tellius That is correct. I’ll check with the team responsible about plans for MFA in the future.

Mark

Unfortunately IDN permissions are not able to be provisioned down to a source. You can configure MFA based on the identity profile, but that would require a different process. You could potentially achieve this by:

  • Assign ORG_ADMIN to the user
  • Then update an attribute that moves the user into the MFA enabled identity profile.

I hope this helps.

Tyler

That’s difficult to do when all of our personnel data is contained in a single authoritative source, meaning we’d have to have completely separate credentials/identities if we wanted to do that, which basically prevents us from being able to use SSO.

@mcheek - I’d agree there. I am looking at creating a custom file source just for the admins, but that typically means separate identities for the Admins from their actual Identity, which isn’t ideal either.

Hi @mcheek,

We implemented something similar in our environment by creating a loopback source (Web Services source) to aggregate IdentityNow accounts (and associated privileges), as we would for Active Directory, for example.

By doing this, we are able to define role membership based on IdentityNow rights from this loopback source.

This allows us to manage IdentityNow rights through the Request Center and automatically activate MFA for each new IdentityNow right granted.

Let me know if you need more information.

Bastien
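As an added illustration of the approach discussed in this thread (not code from SailPoint or from any poster), the snippet below takes account records in the shape mcheek pasted above, picks out enabled IdentityNow-source accounts holding ORG_ADMIN, and emits the rows a loopback/file source such as the one Bastien describes could aggregate to feed an MFA group rule. The sample records, source ids and the extra group name are constructed, and treating `assignedGroups` as either a string, a comma-separated string or a list is an assumption (the thread shows only the single-string form).

```python
import json

# Constructed sample records mirroring the account shape shown in the thread.
# Ids, the extra group name and the non-IdentityNow record are made up.
SAMPLE_ACCOUNTS = json.loads("""[
  {"id": "acct-1", "accountId": "366088", "disabled": false,
   "source": {"id": "src-idn", "name": "IdentityNow", "type": "IdentityNowConnector"},
   "entitlementAttributes": {"assignedGroups": "ORG_ADMIN"}},
  {"id": "acct-2", "accountId": "366089", "disabled": false,
   "source": {"id": "src-idn", "name": "IdentityNow", "type": "IdentityNowConnector"},
   "entitlementAttributes": {"assignedGroups": ["SOME_OTHER_GROUP", "ORG_ADMIN"]}},
  {"id": "acct-3", "accountId": "366090", "disabled": true,
   "source": {"id": "src-idn", "name": "IdentityNow", "type": "IdentityNowConnector"},
   "entitlementAttributes": {"assignedGroups": "ORG_ADMIN"}},
  {"id": "acct-4", "accountId": "jdoe", "disabled": false,
   "source": {"id": "src-ad", "name": "Active Directory", "type": "Constructed-AD-Type"},
   "entitlementAttributes": {"memberOf": "CN=Admins"}}
]""")


def assigned_groups(account):
    """Normalise assignedGroups to a set. Assumption: the value may be a single
    string, a comma-separated string, or a list of strings."""
    raw = account.get("entitlementAttributes", {}).get("assignedGroups") or []
    if isinstance(raw, str):
        raw = [raw]
    return {g.strip() for item in raw for g in str(item).split(",") if g.strip()}


def mfa_required_accounts(accounts, privileged=frozenset({"ORG_ADMIN"})):
    """Return {accountId: sorted privileged groups} for enabled accounts on the
    IdentityNow source that hold any privileged group. Accounts from other
    sources and disabled accounts are skipped so they never force MFA."""
    result = {}
    for acct in accounts:
        if acct.get("source", {}).get("type") != "IdentityNowConnector":
            continue
        if acct.get("disabled"):
            continue
        hits = assigned_groups(acct) & set(privileged)
        if hits:
            result[acct["accountId"]] = sorted(hits)
    return result


def to_loopback_csv(membership):
    """Render one 'accountId,group' row per privileged group, the kind of
    delimited feed a loopback/file source or an Okta group rule could consume."""
    rows = ["accountId,group"]
    for account_id, groups in sorted(membership.items()):
        rows.extend(f"{account_id},{g}" for g in groups)
    return "\n".join(rows)
```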
