Multifactor Authentication using an Identity Provider
Multifactor authentication (MFA) using an identity provider can be configured for messages in Privilege Management. Identity providers supported by Privilege Management include those using OpenID Connect (OIDC) and RADIUS protocols, and BeyondTrust should be setup as a Native or Desktop app within your Identity Provider configuration.
The RADIUS protocol is supported on Windows OS only.
In Privilege Management, messages can be designed with a combination of authentication and authorization settings.
- Authentication: MFA with an identity provider, user credential, and smart card
- Authorization: Challenge / response authorization
Groupings support and/or logic:
- Groupings by authentication: Setting more than one way the end user can authenticate, which can include the typical authentication methods (user credential, designated user, and smart card) and MFA with an identity provider.
In the Message Designer, pair Step 1a - User Authentication with Step 1b - Multifactor Authentication. This can be and/or configuration.
- Groupings by authentication and authorization: Authentication methods paired with authorization always use or logic. Authorization applies an additional challenge / response layer to the end user accessing an application. The challenge / response provides an alternative to MFA authentication if that method is unavailable (for example, the browser is unavailable or the end user phone is not available).
Here are some grouping scenarios:
- MFA and Designated User or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional.
- MFA or Designated User or challenge / response: The end user must successfully enter either MFA or Designated User credentials. Challenge / response is optional.
- MFA and User authentication or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional. When this authentication is combined, the Step 1c - Authentication Grouping is automatically set to and logic.
- MFA or None as the Authentication Type or challenge / response: The end user must access the application through the identity provider or challenge / response method.
The workflow depends on the combination of settings configured on the Message Design page. In the following screen capture, the authentication methods are joined with and logic.
The end user must click the link which opens the default browser to the identity provider logon page. The end user must successfully authenticate with the identity provider, then return to the Confirm Elevation dialog box to enter the user credential.
Alternatively, the end user enters the response code to gain access.
You can configure the identity provider in the following places:
- Privilege Management Settings node
- Messages node
Identity provider configuration is a global setting and applies to all Windows messages.
To add the identity provider:
- Expand the Windows node.
- Right-click Messages > Set Idp Authentication.
- Click the relevant tab for the authentication protocol required by your Identity Provider (OIDC or RADIUS).
- Enter the identity provider details:
- OIDC Settings
- Authority URI: The address of your identity provider.
- Client ID: Must match the same value configured for your identity provider's BeyondTrust application.
- Redirect URI: Must match the same value configured for your identity provider's BeyondTrust application. The format is http://127.0.0.1:port_number, where port_number is an open port on your network. The port_number is only needed if required by your identity provider.
- RADIUS Settings
- Authentication Mechanism: The authentication type that is required by your RADIUS server. Supported authentication mechanisms are MS-CHAPV2 or PAP.
- Host: The hostname of your RADIUS server.
- Port: The port number for connecting to your RADIUS server.
- Shared Secret: The secret key required by your RADIUS server.
You can also configure the identity provider on the Message Design page.
For more information, please see Message Design.