New Capability: TOTP Device Configuration Required for All Elevated Users Starting Next Week

UPDATE 12/14 - We fixed the issues affecting some customers and released this back into sandbox yesterday. We haven’t noticed any other problems so we will begin a slow rollout to production today. We will monitor today and tomorrow and continue the rollout to the rest of production 12/18-19 if all looks stable. Thank you!

UPDATE 12/11 2pm CT
Some customers have reported 403 and 500 errors. We have rolled the change back while we investigate a fix and we will NOT be rolling to production tomorrow.

Starting next week (11 Dec), all Identity Security Cloud users with elevated permissions will be required to configure a Time Based One-Time Password (TOTP) device. This change will impact all tenants.

Sandbox - Monday Dec 11
Prod - Dec 12-14

Elevated users that sign into Identity Security Cloud via an IdP will be asked to configure an external authenticator immediately after signing in if they have not done so already. However, once a device is registered, they will not be prompted to verify the external authenticator on logins through the IdP.

Elevated users signing into Identity Security Cloud directly that have not already configured a TOTP device will need to go through an account unlock flow before they can set up an external authenticator. This flow ensures that only legitimate users can configure a TOTP device.

Users that have already configured a TOTP device will see no change.

Documentation regarding configuring TOTP (MFA): Configuring Multifactor Authentication - SailPoint Identity Services

Managing Multifactor Authentication - SailPoint IdentityNow User Help

Frequently Asked Questions:

When is this change taking effect?

This change will roll out to sandbox environments on Monday Dec. 11, and production tenants between December 12 and 14.

Will this change impact my end users?

This change will only impact users that have access to the admin section of Identity Security Cloud. End users will see no change in their current experience.

Who is considered an “elevated user”?

Anyone that has access to the Admin section of Identity Security Cloud (org/cert/report/role/source admin/sub-admin, helpdesk).

How will I know if this impacts elevated users in my organization?

If your elevated users have already registered a TOTP device, this will not affect them. This change will only affect elevated users that have not set up a TOTP device already.

Will all my elevated users need to go through the account unlock flow?

Only elevated users that both 1) sign into Identity Security Cloud directly (not using an IdP) and 2) have not already configured a TOTP device will have to go through the account unlock flow. If an elevated user signs into Identity Security Cloud via an IdP but has not yet registered a TOTP device, they will simply be prompted to register a device after signing in via the IdP and will not need to go through the account unlock flow. If an elevated user signs in directly but has already registered a TOTP device, they will see no change.

Does this change my identity profiles at all?

This update does not change your identity profiles or how they are configured.

What exactly will be the impact for my elevated users?

Elevated users that sign in via an IdP but have not yet registered a TOTP device will be required to register a device. The entire process can be completed in less than two minutes. Elevated users that sign into Identity Security Cloud directly (not via an IdP) and have not yet registered a TOTP device will be asked to complete an account unlock flow before they can register a TOTP device. Going through the account unlock flow ensures that only legitimate users can register a TOTP device. Those users will unlock their accounts via whatever means you have approved for the identity profile they are associated with. Typically unlocking an account can be done in less than 60 seconds. After unlocking the account, the user can then complete TOTP registration.

Do my users need to use a mobile device for TOTP? This is not possible in some cases.

A mobile device is not required. Some third-party authentication apps, such as LastPass and Authy, also offer versions that support Windows, macOS, and Linux.


Does SAML meet this requirement? We have our SAML configured to work with MS Authenticator and have access rules applied. Currently we do not support any of the options for TOTP laid out in the SailPoint documentation.

Also, that documentation contains nothing about TOTP configuration except a small note about if you are using it. There is nothing about how to set it up or document it unless you’re using one of the three providers SailPoint supports.

Is there documentation on how the TOTP within SailPoint is configured?

@mpotti That will continue to work the same. This is referring to having MS Authenticator (or another external authenticator) configured for anyone with elevated privileges attempting to log in directly to SailPoint, bypassing SAML. Then they will be required to use the authenticator app. Does that make sense?

@nathanieljjohnson there was a link embedded in the documentation, but here it is for ease. Managing Multifactor Authentication - SailPoint IdentityNow User Help
I’ll add this to the main announcement. Thanks for the callout!

So, there is no way to proactively set this up for users? We just have to wait for it to go live on Monday?

Thank you this helps a lot.


You can absolutely have users set this up beforehand. The notice is just that it will be forced starting next week. I hope that helps, and I’ll also make note of this in the post. Thanks, again!

I see no option or documentation anywhere on setting up TOTP, unless you’re talking about setting it up because we’re also customers of DUO or some other integration partner, which my organization is not.

The documentation here, Configuring Multifactor Authentication - SailPoint Identity Services, just states "if you are using TOTP". It does not say how to configure the native TOTP.

Hi Tyler,

To confirm, if we use SAML, then users with elevated privileges will not be prompted to set up TOTP?

Hey Jason!

If users with elevated privileges have not registered a TOTP device, they will be prompted to set up TOTP. After that, they will not be prompted to use TOTP when logging in via SAML, only if they attempt to bypass SSO and log in locally, or with a break glass account.

Hi Tyler,

Quick question, is this change in preparation to allow forcing step up authentication only for Admins?

If they have registered for other strong auth modes will it then go to that registration and ignore the previous one?

Spyros

We are still removing admin step up, but this is to ensure admins are authenticated before they log in, either through their IdP when logging in through SAML, or through TOTP when logging in locally.

I believe your reply to Spyros answers my question. Thank you!

Nathaniel

The other strong auth modes they may have registered for will still apply to password reset, but I believe they will still need to set up TOTP for login.

OK. I think Jason and I have the same question… your answer is YES - elevated users will get prompted to set up TOTP. :-/

Yes indeed! Thanks so much!

How does this work if you have a strong authentication configured on the phone for Admin access? The other users are using SSO via Azure to log in. The MFA is configured via Microsoft authenticator to log in.

Kirti

This sounds like you have everything set up perfectly and you shouldn’t need to do anything further.