MFA for the User Portal

You can specify which authentication mechanisms your users must satisfy to access Idaptive Identity Service, and if and when multi-factor authentication is required. For example, you can require that users logging in from a certain country provide additional authentication.

Refer to https://academy.idaptive.com/series/mfa/mfa-for-portal-login if you prefer a video tutorial.

To define MFA for User Portal access

  1. Log in to the Admin Portal.
  2. Create an authentication profile.
  3. Specify the authentication mechanisms the profile requires:

    1. Click Settings > Authentication.
    2. Click Add Profile on the Authentication Profiles page.
    3. Enter a name for the profile and select the authentication mechanism(s) you require and want to make available to users.

      For example, you can name the profile "Trial Profile" and specify that the first challenge is the user's account password and the second challenge is an email confirmation code.

    4. Click OK.
  4. Create an authentication rule.
  5. Specify the conditions under which the authentication profile is applied:

    1. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
    2. Click Authentication Policies > Idaptive Services.
    3. Select Yes in the Enable authentication policy controls drop-down.
    4. Click Add Rule.
    5. The Authentication Rule window displays.

    6. Click Add Filter.
    7. Define the filter and condition using the drop-down boxes.
    8. For example, you can create a rule with the Country filter and China as its condition, so that users logging in from China must provide the authentication challenges specified in steps 2 and 3.

      The supported filters are:

      IP Address

      The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.

       

      The authentication factor is the cookie that is embedded in the current browser by Idaptive Identity Services after the user has successfully logged in.

      Day of Week

      The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.

      Date

      The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.

      Date Range

      The authentication factor is a specific date range.

      Time Range

      The authentication factor is a specific time range in hours and minutes.

      Device OS

      The authentication factor is the device operating system.

      Browser

      The authentication factor is the browser used for opening the Idaptive Identity Services portal.

      Country

      The authentication factor is the country, determined from the IP address of the user's computer. Because the country is derived from the source address the service sees, users connecting through a VPN or proxy are evaluated by that exit address, not by their physical location.

      Risk Level

      The authentication factor is the risk level of the user logging in to the User Portal. For example, a user attempting to log in to Idaptive Identity Services from an unfamiliar location can be prompted for a password and a text message (SMS) confirmation code because an unfamiliar location correlates with a medium risk level. The Risk Level filter requires additional licenses; if you do not see this filter, contact Idaptive support. The supported risk levels are:

      • Non Detected -- No abnormal activities are detected.
      • Low -- Some aspects of the requested identity activity are abnormal. A remediation action or a simple warning notification can be raised depending on the policy setup.
      • Medium -- Many aspects of the requested identity activity are abnormal. A remediation action or a simple warning notification can be raised depending on the policy setup.
      • High -- Strong indicators that the requested identity activity is anomalous and the user's identity has been compromised. An immediate remediation action, such as MFA, should be enforced.
      • Unknown -- Not enough user behavior activity (frequency of system use by the user and length of time the user has been in the system) has been collected. Users stay at this level until enough history exists, so a rule that fires only on Medium or High does not cover them; make sure the default profile still requires MFA in that case.

      Managed Devices

      The authentication factor is the designation of the device as "managed" or not. A mobile device is considered "managed" if it is managed by Idaptive Identity Services (MDM enrolled), or if it carries a certificate from an Idaptive-trusted certificate authority (the CA certificate has been uploaded to your tenant using Admin Portal > Settings > Authentication > Certificate Authorities).

      For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.

    9. Click the Add button associated with the filter and condition you have specified.
    10. Select the profile you want applied (in the Authentication Profile drop-down) if all conditions are met.

      For example, you can select the "Trial Profile" profile you created in step 2.

    11. Click OK.
  6. In the Default Profile (used if no conditions matched) drop-down, select the profile to apply to users who match none of the configured rules.
  7. Choose the default carefully: Not Allowed denies any login that matches no rule, and if you have no authentication rules configured and select Not Allowed, no users will be able to log in to the service.
  8. Click Save.
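The following Python model is added here as an illustration of how the pieces above fit together; it is not Idaptive's code and is not taken from the product or its documentation. It treats a profile as a list of challenges, a rule as a set of filter conditions that must all match, and the Default Profile (including Not Allowed) as what applies when nothing matches, and it evaluates most of the filters from the table above. Everything in it is constructed: the corporate IP range, the profile names and challenge lists, the operator names ("inside"/"outside", "is", "at least"), the assumption that rules are tried in the order listed and the first match wins, and the assumption that a Risk Level of Unknown matches only a rule written for Unknown. It also shows why the local-time versus UTC choice for the Day/Date/Time filters matters.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOT_ALLOWED = "Not Allowed"   # the Default Profile choice that denies unmatched logins

# Ranking for "at least" comparisons on Risk Level (an assumption); "Unknown" is unranked.
RISK_ORDER = {"Non Detected": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample data, not from the page: an RFC 5737 corporate range and two profiles.
CORPORATE_IP_RANGES = [ip_network("203.0.113.0/24")]
PROFILES = {"Trial Profile": ["Password", "Email confirmation code"],
            "Password Only": ["Password"]}

@dataclass
class LoginContext:
    ip: str
    country: str
    device_os: str
    browser: str
    managed: bool        # MDM-enrolled or carrying a certificate from a trusted CA
    risk_level: str      # Non Detected / Low / Medium / High / Unknown
    when: datetime       # timezone-aware login time in the user's local zone

# A filter is (name, operator, value); a rule is (filters, profile) and applies
# only when every one of its filters matches.
def filter_matches(f, ctx, use_utc=True):
    """Evaluate one filter/condition pair against a login attempt."""
    name, op, value = f
    when = ctx.when.astimezone(timezone.utc) if use_utc else ctx.when
    if name == "IP Address":                     # value: list of corporate networks
        inside = any(ip_address(ctx.ip) in net for net in value)
        return inside if op == "inside" else not inside
    if name in ("Country", "Device OS", "Browser", "Day of Week"):   # value: a set
        current = {"Country": ctx.country, "Device OS": ctx.device_os,
                   "Browser": ctx.browser, "Day of Week": when.strftime("%A")}[name]
        return (current in value) == (op == "is")
    if name == "Managed Devices":
        return ctx.managed == value
    if name == "Risk Level":
        if ctx.risk_level == "Unknown" or value == "Unknown":
            return ctx.risk_level == value       # Unknown only matches itself (assumption)
        if op == "at least":
            return RISK_ORDER[ctx.risk_level] >= RISK_ORDER[value]
        return ctx.risk_level == value
    if name == "Date Range":                     # value: (first_day, last_day)
        return value[0] <= when.date() <= value[1]
    if name == "Time Range":                     # value: ((h, m), (h, m))
        return value[0] <= (when.hour, when.minute) <= value[1]
    raise ValueError(f"unsupported filter: {name}")

def select_profile(rules, default_profile, ctx, use_utc=True):
    """First rule whose filters all match wins (assumed); else the default profile."""
    for filters, profile in rules:
        if all(filter_matches(f, ctx, use_utc) for f in filters):
            return profile
    return default_profile

def required_challenges(rules, default_profile, ctx, use_utc=True):
    """Challenge list the user must complete, or None when the login is denied."""
    profile = select_profile(rules, default_profile, ctx, use_utc)
    return None if profile == NOT_ALLOWED else PROFILES[profile]

# Sample rules mirroring the walk-through: China -> Trial Profile; off-network with
# elevated risk -> Trial Profile; on-network managed device -> password only.
SAMPLE_RULES = [
    ([("Country", "is", {"China"})], "Trial Profile"),
    ([("IP Address", "outside", CORPORATE_IP_RANGES),
      ("Risk Level", "at least", "Medium")], "Trial Profile"),
    ([("IP Address", "inside", CORPORATE_IP_RANGES),
      ("Managed Devices", "is", True)], "Password Only"),
]

def login(ip, country, managed, risk, when=datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)):
    """Constructed login attempt; OS and browser are fixed since no sample rule uses them."""
    return LoginContext(ip, country, "Windows", "Chrome", managed, risk, when)

def demo():
    """Outcomes for a few constructed logins, including the lockout case from step 7."""
    office = login("203.0.113.10", "United States", True, "Non Detected")
    quiet = login("198.51.100.7", "Germany", False, "Low")
    return {
        "office": required_challenges(SAMPLE_RULES, "Password Only", office),
        "china": required_challenges(SAMPLE_RULES, "Password Only",
                                     login("198.51.100.7", "China", False, "Low")),
        "risky": required_challenges(SAMPLE_RULES, "Password Only",
                                     login("198.51.100.7", "Germany", False, "High")),
        "quiet_default": required_challenges(SAMPLE_RULES, "Password Only", quiet),
        "quiet_denied": required_challenges(SAMPLE_RULES, NOT_ALLOWED, quiet),
        "no_rules_denied": required_challenges([], NOT_ALLOWED, office),
    }

def day_of_week_demo():
    """One Saturday 23:30 login from UTC-5, judged in local time and then in UTC."""
    rules = [([("Day of Week", "is", {"Sunday"})], "Trial Profile")]
    late = login("198.51.100.7", "United States", False, "Low",
                 datetime(2024, 6, 1, 23, 30, tzinfo=timezone(timedelta(hours=-5))))
    return (select_profile(rules, "Password Only", late, use_utc=False),
            select_profile(rules, "Password Only", late, use_utc=True))
```

demo() returns the challenge list each constructed login must complete: the on-network managed device gets the password-only profile, the logins from China and the high-risk off-network login get both challenges of "Trial Profile", and the low-risk off-network login falls through to the default, which means None (denied) whenever the default is Not Allowed, and None for everyone when no rules exist at all. day_of_week_demo() shows the same Saturday-night login matching a Sunday rule only when the rule is evaluated in UTC.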