Support for Multi-Factor Authentication Attribute Management
The SailPoint connector for RACF can update Multi-Factor Authentication (MFA) attributes.
Prerequisites
- Apply PTFs (FSD0167 and FSD0168) on the agent.
- In the MFA Out of Band Policy section of the source UI, configure MFA.OOBPOLICY
- In the Special Account Attributes section of the source UI, configure MFA.MAP.<factor-name>.<IBM-factor-name>
Supported Features
- Account aggregation
- Get User: Get MFA data
- Create User: Set MFA attributes while creating user
- Update User: Update MFA attributes while updating user
- Add or remove factors assigned to the user
- Add or remove policies assigned to the user
Account Attributes
To manage MFA attributes, add the attributes in the following table to the account schema. Adding these attributes (as applicable) to the provisioning request also enables you to provision MFA attributes for RACF users.
Account Attribute | Description | Attribute Type |
---|---|---|
MFA.ENABLE | Indicates if MFA is enabled for the user. Value: Y/N | Single-value |
MFA.PWFALLBACK | Indicates if a user can use a traditional password for authentication when MFA authentication fails. Value: Y/N | Single-value |
MFA.FACTORS | Factors assigned to the user | Multi-value, Entitlement |
MFA.POLICIES | Policies assigned to the user | Multi-value, Entitlement |
MFA.<factor-name>.ACTIVE | For each factor, indicates if it is active for the RACF user. Value: Y/N | Single-value |
MFA.<factor-name>.TAG.<tag-attribute> | Each factor has its own tag attributes. Each attribute that must be included in the aggregation must be individually added to the account schema. Value: the value of the tag | Single-value |
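
The following audit is an added example, not SailPoint code: it checks aggregated account data, represented here as plain dictionaries, against the attribute semantics in the table above. The sample accounts, the factor names FACTOR_A and FACTOR_B, and the assumption that MFA.FACTORS values use the same <factor-name> as the MFA.<factor-name>.ACTIVE attributes are constructed for illustration.

```python
import re

YN = {"Y", "N"}
# Matches MFA.<factor-name>.ACTIVE but not MFA.<factor-name>.TAG.<tag-attribute>.
ACTIVE_RE = re.compile(r"^MFA\.(?P<factor>[^.]+)\.ACTIVE$")

def audit_account(attrs):
    """Return sorted findings for one aggregated account (dict of attributes)."""
    findings = []
    # Single-value Y/N attributes from the table; any other value is malformed.
    for key, value in attrs.items():
        if key in ("MFA.ENABLE", "MFA.PWFALLBACK") or ACTIVE_RE.match(key):
            if value not in YN:
                findings.append(f"{key}: invalid value {value!r}, expected Y or N")
    if attrs.get("MFA.ENABLE") != "Y":
        findings.append("MFA.ENABLE is not Y: MFA not enabled for the user")
        return sorted(findings)
    if attrs.get("MFA.PWFALLBACK") == "Y":
        findings.append("MFA.PWFALLBACK=Y: password accepted when MFA fails")
    factors = attrs.get("MFA.FACTORS") or []
    if not factors:
        findings.append("MFA.FACTORS is empty: no factor assigned")
    # Assumption: MFA.FACTORS values reuse the <factor-name> of the ACTIVE attributes.
    active = {m.group("factor") for k, v in attrs.items()
              if (m := ACTIVE_RE.match(k)) and v == "Y"}
    findings += [f"factor {f} assigned but not active" for f in factors if f not in active]
    return sorted(findings)

def audit_all(accounts):
    """Map user ID -> findings, omitting accounts with no findings."""
    return {u: f for u, a in accounts.items() if (f := audit_account(a))}

# Constructed sample data; user IDs and factor names are placeholders.
SAMPLE = {
    "USER01": {"MFA.ENABLE": "Y", "MFA.PWFALLBACK": "N",
               "MFA.FACTORS": ["FACTOR_A"], "MFA.FACTOR_A.ACTIVE": "Y"},
    "USER02": {"MFA.ENABLE": "Y", "MFA.PWFALLBACK": "Y",
               "MFA.FACTORS": ["FACTOR_A", "FACTOR_B"],
               "MFA.FACTOR_A.ACTIVE": "Y", "MFA.FACTOR_B.ACTIVE": "N"},
    "USER03": {"MFA.ENABLE": "N"},
    "USER04": {"MFA.ENABLE": "Y", "MFA.PWFALLBACK": "yes", "MFA.FACTORS": []},
}

if __name__ == "__main__":
    for user, findings in audit_all(SAMPLE).items():
        for finding in findings:
            print(f"{user}: {finding}")
```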