New Capability: TOTP Device Configuration Required for All Elevated Users Starting Next Week

We had a weird issue where we had to manually enroll versus using the scan option, depending on the authenticator.

Is this a requirement only for the IdentityNow admins with breakglass accounts, or also for cert/org/role/source admins, i.e. anyone who has been granted access above the user level?

Once changes are applied to the identity profile, all users will be affected.

The admins are currently using a phone number as strong authentication to generate an OTP to be able to log in on the Admin profile.

To be clear on the steps we tried:

Identity Profile updated to Multifactor Authenticator, identity refresh task completed
User is an Admin user
User with elevated access is logged in using Microsoft Authenticator to Azure
SSO to Sailpoint Dashboard
Login to Sailpoint (Did not give the QR code, still asked for the Strong Authentication - OTP on work phone)

Hi Tyler,

Would like to confirm regarding elevated permission: will it be applied only to the IDN Admin profile or to all users with elevated permissions? Thank you in advance.

John

This will automatically be applied to all users with elevated privileges (org/cert/report/source admin, helpdesk, support, etc.). This will not change anything on the identity profile.

Kirti

I apologize for the confusion. If you click the MFA checkbox now, it will apply to all users. Starting Monday, it will automatically be applied only for users with elevated privileges and the flow will pop up only for them.

We are deprecating the strong auth on admin step up at the end of this year, so those strong auth options won’t apply to this flow. The users will need to register a TOTP device for login, which will only be necessary if they bypass SSO.

Thomas

Thanks for raising this. I will check with the team to see if they can reproduce and find a fix. Thank you!

@Tyler_Harman Hi Tyler,

We have configured SailPoint as service provider and also have ‘Bypassing the Identity Provider’ checked. We don’t have MFA enabled at any identity profile. We have strong authentication methods in the Identity Profile. Please let me know how I should proceed. Also, where can we see the QR code? Is it only visible when we enable MFA for that specific identity? I can’t see that option.

Thank you!

I updated the post with some frequently asked questions. Hopefully this helps. If you notice anything else we should add, please let me know.

Quick question, is there a way to run a search to determine if someone is an org admin/cert admin/source admin and has not set up their MFA yet? I don’t think Sailpoint exposes an attribute that we could trigger via a search/workflow.

@Tyler_Harman Hi Tyler, we have Okta Verify integrated. Does this qualify for SailPoint TOTP? Could you please provide a list?

Why is this being rushed? Less than 2 weeks notice is crazy.

Also, why is TOTP being required if an integration like Duo is already set up?

As of this morning logging in and seeing no changes. Has this not rolled out yet?

Since we are deprecating strong auth for admin step up the beginning of January, without MFA on login, someone could access administrative functions with only an email and password. Setting this up the one time for elevated users protects you in the case admins bypass SSO, which happens frequently.

Even if you utilize MFA through your SSO, you will still need to register a TOTP device for ISC that will only be needed when accessing ISC locally.

As far as TOTP providers, you can set this up with ANY MFA provider, as long as they can scan a QR code to register. As for what you need to do, you do NOT need to click the checkbox for MFA. We’re releasing the ability to require this only for users with elevated privileges, where before you only have the ability to configure by identity profile. This will happen automatically from our side.

This went live on our test tenant and all admin users encountered the TOTP prompt; however, on completing it, all were presented with the account locked flow.

Closing out of the session and reasserting SAML allowed access as normal, but I thought the lock flow should only be presented on non-SAML accounts?

Hi Nathaniel,
As per Tyler’s reply above, it looks like it applies to all accounts, SAML and non-SAML. See:


The TOTP prompt yes, but not the account lockout flow. That should only happen in the event that no strong auth was in place prior. In this case my admins had strong auth prior, completed TOTP registration and then were presented with the account locked. Granted closing the session and coming back in cleared us past the account lock so it wasn’t really locked it appears - potentially just an issue with the TOTP registration process.

Anyone having this problem?

I try to log in and I’m presented with this screen:

I follow Step 1 and I’m presented with this screen:

I have gone through every option on that screen, starting with “Answer security questions” and ending with “Send an email” and I get the following screen EVERY. TIME.

I’m unable to unlock my account or reset my password in any capacity. This has happened to the other two admins at the company with me. :frowning:

I’m trying to do this since my non-prod tenant now has this setting, and I’m unable to set it up with Okta Verify. I keep getting “Failed to scan QR code” in the Okta app.

ETA: I was able to get Okta Verify set up using the key instead of the QR code.

Nathaniel

You and one other tenant encountered this but we couldn’t find anything in the logs and we weren’t able to reproduce this on our end. We’ll keep looking to see why this happened.

Tyler

Mark

We heard this from another customer who had to set up Okta Verify manually. It then worked, but the QR code wouldn’t scan. @tombui any light you can shed on how you were able to get it set up manually?