Support for Multi-Factor Authentication Attribute Management

The SailPoint connector for RACF can update Multi-Factor Authentication (MFA) attributes.

Important
SailPoint recommends that you do not update MFA attributes and non-MFA attributes in a single request.

Supported Features

  • Account aggregation

  • Get User: Get MFA data

  • Create User: Set MFA attributes while creating a user

  • Update User: Update MFA attributes while updating a user

  • Add or remove factors assigned to the user

  • Add or remove policies assigned to the user

Account Attributes

To manage MFA attributes, add the attributes in the following table to the account schema. Including these account attributes (as applicable) in a provisioning request also lets you provision MFA attributes for RACF users.

Account Attribute: MFA.ENABLE
  Description: Indicates whether MFA is enabled for the user.
  Value: Y/N
  Caution: Provisioning MFA.ENABLE=N with additional attribute settings is not supported.
  Attribute Type: Single-value

Account Attribute: MFA.PWFALLBACK
  Description: Indicates whether the user can fall back to a traditional password for authentication when MFA authentication fails.
  Value: Y/N
  Attribute Type: Single-value

Account Attribute: MFA.FACTORS
  Description: Factors assigned to the user.
  Attribute Type: Multi-value, Entitlement

Account Attribute: MFA.POLICIES
  Description: Policies assigned to the user.
  Attribute Type: Multi-value, Entitlement

Account Attribute: MFA.<factor-name>.ACTIVE
  Description: For each factor, indicates whether that factor is active for the RACF user.
  Value: Y/N
  Attribute Type: Single-value

Account Attribute: MFA.<factor-name>.TAG.<tag-attribute>
  Description: Each factor has its own tag attributes. Each tag attribute that must be included in aggregation must be added individually to the account schema.
  Value: the value of the tag
  Attribute Type: Single-value

Additional Configuration Attributes

To enable the MFA attribute management feature for RACF, add the following additional configuration attributes to the application XML through the Debug pages.

MFA.OOBPOLICY

A multi-value attribute that lists, per factor, the policies that must be added to the user when that factor is assigned to the user. The RACF connector sends MFA.OOBPOLICY, with the policies it contains, as a regular multi-value attribute.

Configure the MFA.OOBPOLICY in the application XML as follows:

<entry key="MFA.OOBPOLICY">
  <value>
    <Map>
      <entry key="PassTicket">
        <value>
          <List>
            <String>PolicyA</String>
            <String>PolicyB</String>
          </List>
        </value>
      </entry>
      <entry key="RSA_SecureID">
        <value>
          <List>
            <String>PolicyP</String>
            <String>PolicyQ</String>
          </List>
        </value>
      </entry>
    </Map>
  </value>
</entry>

MFA.MAP.<factor-name>.<IBM-factor-name>

This maps the original IBM factor names, which use the AZFxxxxx format, to readable free-text names that describe the factor, such as RSA_SecureID. The value of each of these attributes must always be set to false.

The MAP attributes are defined as special account attributes in the application XML as follows:

<entry key="splAccountAttributes">
  <value>
    <Map>
      <entry key="MFA.MAP.PassTicket.AZFPTKT1" value="false"/>
      <entry key="MFA.MAP.RSA_SecureID.AZFSIDP1" value="false"/>
    </Map>
  </value>
</entry>
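The following Python helpers are an added example, not SailPoint's connector code, and show how the two fragments above (MFA.OOBPOLICY and the MFA.MAP special account attributes) can be read and applied to a provisioning request: the factor-to-policy lists are parsed, the AZFxxxxx IBM names are mapped to their readable names, the OOB policies are merged into MFA.POLICIES when a factor is assigned, and a request is checked against the two rules stated on this page (do not mix MFA and non-MFA attributes, and do not provision MFA.ENABLE=N with additional settings). The `<Attributes><Map>` wrapper around the two fragments is a constructed root so the sample parses stand-alone; how the real connector orders or merges policies is not specified on this page, so the merge order here is an assumption.

```python
"""Added example (not SailPoint connector code): parse the MFA.OOBPOLICY and
MFA.MAP fragments of a RACF application XML and apply the page's rules to a
provisioning request."""
import xml.etree.ElementTree as ET

# Constructed sample: the two fragments from the page, wrapped in an assumed
# <Attributes><Map> root so the text is well-formed XML on its own.
APP_XML = """<Attributes><Map>
  <entry key="MFA.OOBPOLICY"><value><Map>
    <entry key="PassTicket"><value><List>
      <String>PolicyA</String><String>PolicyB</String></List></value></entry>
    <entry key="RSA_SecureID"><value><List>
      <String>PolicyP</String><String>PolicyQ</String></List></value></entry>
  </Map></value></entry>
  <entry key="splAccountAttributes"><value><Map>
    <entry key="MFA.MAP.PassTicket.AZFPTKT1" value="false"/>
    <entry key="MFA.MAP.RSA_SecureID.AZFSIDP1" value="false"/>
  </Map></value></entry>
</Map></Attributes>"""


def _map_for_key(root, key):
    """Return the <Map> under the first <entry key=...><value>, or None."""
    for entry in root.iter("entry"):
        if entry.get("key") == key:
            return entry.find("value/Map")
    return None


def load_oob_policies(xml_text):
    """MFA.OOBPOLICY -> {factor_name: [policy, ...]} in document order."""
    result = {}
    oob = _map_for_key(ET.fromstring(xml_text), "MFA.OOBPOLICY")
    if oob is None:
        return result
    for entry in oob.findall("entry"):
        result[entry.get("key")] = [s.text for s in entry.findall("value/List/String")]
    return result


def load_factor_map(xml_text):
    """splAccountAttributes MFA.MAP.<name>.<IBM-name> -> {IBM-name: name}.
    Assumes factor names contain no '.', since the key is dot-separated."""
    result = {}
    spl = _map_for_key(ET.fromstring(xml_text), "splAccountAttributes")
    if spl is None:
        return result
    for entry in spl.findall("entry"):
        parts = entry.get("key", "").split(".")
        if len(parts) == 4 and parts[0] == "MFA" and parts[1] == "MAP":
            result[parts[3]] = parts[2]
    return result


def policies_for_factors(factors, oob):
    """Policies that must accompany the given factors, deduplicated, in order."""
    out = []
    for factor in factors:
        for policy in oob.get(factor, []):
            if policy not in out:
                out.append(policy)
    return out


def add_oob_policies(request, oob):
    """Copy of the request with the OOB policies of each factor in MFA.FACTORS
    merged into MFA.POLICIES (policies already requested are kept first)."""
    out = dict(request)
    policies = list(out.get("MFA.POLICIES", []))
    for policy in policies_for_factors(out.get("MFA.FACTORS", []), oob):
        if policy not in policies:
            policies.append(policy)
    if policies:
        out["MFA.POLICIES"] = policies
    return out


def check_request(request):
    """Problems with a provisioning request (dict attribute -> value), per the
    page's guidance: no MFA/non-MFA mixing; no MFA.ENABLE=N with other settings."""
    problems = []
    mfa_keys = {k for k in request if k.startswith("MFA.")}
    non_mfa = set(request) - mfa_keys
    if mfa_keys and non_mfa:
        problems.append("mixes MFA and non-MFA attributes: " + ", ".join(sorted(non_mfa)))
    if request.get("MFA.ENABLE") == "N" and len(request) > 1:
        problems.append("MFA.ENABLE=N combined with additional attribute settings")
    return problems


if __name__ == "__main__":
    oob = load_oob_policies(APP_XML)
    print(load_factor_map(APP_XML))
    req = {"MFA.ENABLE": "Y", "MFA.FACTORS": ["PassTicket"]}
    print(add_oob_policies(req, oob), check_request(req))
```

Running the module on the constructed sample prints the IBM-to-readable factor map and a request for PassTicket expanded with PolicyA and PolicyB; `check_request` returns an empty list for that request and a non-empty list for a request that violates either rule, which is the check to run before submitting a provisioning plan.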