Multi-factor Authentication using an Identity Provider
Multi-factor authentication (MFA) using an identity provider can be configured for messages in Privilege Management. Identity providers supported by Privilege Management include those that use the OpenID Connect (OIDC) protocol.
In Privilege Management, messages can be designed with a combination of authentication and authorization settings.
- Authentication: MFA with an identity provider, user credential, and smart card
- Authorization: Challenge / response authorization
Groupings support and/or logic.
- Groupings by authentication: Setting more than one way the end user can authenticate, which can include the typical authentication methods (user credential, designated user, and smart card) and MFA with an identity provider.
In the Message Designer, pair Step 1a - User Authentication with Step 1b - Multifactor Authentication. This pairing can be configured with and logic or with or logic.
- Groupings by authentication and authorization: Authentication methods paired with authorization always use or logic. Authorization applies an additional challenge / response layer to the end user accessing an application. The challenge / response provides an alternative to MFA authentication if that method is unavailable (for example, the browser is unavailable or the end user phone is not available).
Here are some grouping scenarios:
- MFA and Designated User or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional.
- MFA or Designated User or challenge / response: The end user must successfully enter either MFA or Designated User credentials. Challenge / response is optional.
- MFA and User authentication or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional. When this authentication is combined, the Step 1c - Authentication Grouping is automatically set to and logic.
- MFA or None as the Authentication Type or challenge / response: The end user must access the application through the identity provider or challenge / response method.
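The grouping rules above (and/or between authentication methods, always or between authentication and challenge / response, and the forced and grouping when MFA is combined with user authentication) are easy to misread when several of them apply at once. The following evaluator is an added example written for this page; it is not BeyondTrust code and does not use Privilege Management's internal identifiers. The method names, the `MessagePolicy` structure and the `outcomes` mapping (True where a prompt succeeded, False or absent otherwise) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Mapping, Tuple

# Illustrative labels for the methods named on this page (not product identifiers).
MFA = "mfa"                      # Step 1b - Multifactor Authentication (identity provider)
USER_CREDENTIAL = "user_credential"
DESIGNATED_USER = "designated_user"
SMART_CARD = "smart_card"
CHALLENGE_RESPONSE = "challenge_response"   # the authorization layer


@dataclass(frozen=True)
class MessagePolicy:
    """Constructed model of one message's authentication/authorization settings."""
    methods: Tuple[str, ...]   # authentication methods enabled; empty tuple = "None"
    grouping: str              # Step 1c - Authentication Grouping: "and" or "or"
    challenge_response: bool   # whether challenge / response authorization is offered


def effective_grouping(policy: MessagePolicy) -> str:
    """Return the grouping that actually applies to the authentication methods.

    Combining MFA with user authentication sets Step 1c to 'and' automatically,
    regardless of what the policy says; otherwise the configured value is used.
    """
    if MFA in policy.methods and USER_CREDENTIAL in policy.methods:
        return "and"
    if policy.grouping not in ("and", "or"):
        raise ValueError("grouping must be 'and' or 'or'")
    return policy.grouping


def authentication_passed(policy: MessagePolicy, outcomes: Mapping[str, bool]) -> bool:
    """Evaluate only the authentication group (Steps 1a/1b joined by Step 1c)."""
    if not policy.methods:
        return False   # authentication type "None": there is nothing to pass
    results = [bool(outcomes.get(method, False)) for method in policy.methods]
    if effective_grouping(policy) == "and":
        return all(results)   # every prompt must succeed
    return any(results)       # one successful prompt is enough


def access_granted(policy: MessagePolicy, outcomes: Mapping[str, bool]) -> bool:
    """Authentication and challenge / response authorization are always joined with OR.

    Challenge / response is the fallback when the identity provider path is
    unavailable (no browser, no phone), so it is consulted only when enabled.
    """
    if authentication_passed(policy, outcomes):
        return True
    return policy.challenge_response and bool(outcomes.get(CHALLENGE_RESPONSE, False))


if __name__ == "__main__":
    # Walk through the four grouping scenarios from the page with constructed outcomes.
    scenarios = {
        "MFA and Designated User or challenge/response":
            (MessagePolicy((MFA, DESIGNATED_USER), "and", True), {MFA: True, DESIGNATED_USER: False}),
        "MFA or Designated User or challenge/response":
            (MessagePolicy((MFA, DESIGNATED_USER), "or", True), {DESIGNATED_USER: True}),
        "MFA and User authentication (grouping forced to and)":
            (MessagePolicy((MFA, USER_CREDENTIAL), "or", False), {MFA: True}),
        "MFA or None or challenge/response, fallback used":
            (MessagePolicy((MFA,), "or", True), {CHALLENGE_RESPONSE: True}),
    }
    for name, (policy, outcomes) in scenarios.items():
        print(f"{name}: grouping={effective_grouping(policy)} access={access_granted(policy, outcomes)}")
```

The third scenario is the one worth checking in your own configuration: even though the policy object says "or", MFA plus user credential is evaluated with "and", so a successful MFA prompt alone does not grant access, and with challenge / response disabled there is no fallback.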
The workflow depends on the combination of settings configured on the Message Design page. In the following screen capture, the authentication and authorization methods are joined with or logic.
The end user must click the link which opens the default browser to the identity provider logon page. The end user must successfully authenticate with the identity provider then return to the Confirm Operation dialog box to enter the user credential. Challenge / response codes are optional.
You can configure the identity provider in the following places:
- Privilege Management Settings node
- Messages node
Identity provider configuration is a global setting and applies to all messages.
To add the identity provider:
- Expand the OS X node.
- Right-click Messages > Set Idp Authentication.
- Enter the identity provider details:
  - Authority URI: The address of your identity provider.
  - Client ID: Must match the same value configured for your identity provider's BeyondTrust application.
  - Redirect URI: Must match the same value configured for your identity provider's BeyondTrust application. The format is http://127.0.0.1:port_number, where port_number is an open port on your network. The port_number is only needed if required by your identity provider. For macOS messages, enter the static redirect URI for messages to work correctly: com.beyondtrust.pmfm://idp