Multi-Factor Authentication
Multi-Factor Authentication (MFA) adds an additional layer of security by requiring users to prove their identity with more than one method before they can log in to IdentityIQ. IdentityIQ supports the following MFA options:
- RSA Workflow
- Duo Workflow
To access MFA Login Configuration settings in IdentityIQ, click the gear icon in the menu bar and select Global Settings > Login Configuration > Multi Factor Authentication tab.
Note: To use Duo, you must follow the Duo Auth API instructions to enable the Auth API in the Duo Admin Panel. To locate the Duo API documentation, go to https://duo.com, search for Auth API documentation and then follow the steps for adding Duo two-factor authentication.
The basic process flow for using MFA to log in to IdentityIQ includes the following steps:
- The user enters a valid username and password at the IdentityIQ login screen.
- The IdentityIQ MFA workflow begins and displays the MFA provider's login page or login process. If a user is assigned to multiple providers, the user must select a provider from the provider list before proceeding to the provider's login page.
- The user completes the authentication process for their MFA provider.
- The user is logged in to IdentityIQ and the Home page displays.
The basic process flow for configuring MFA for IdentityIQ includes the following steps:
- Use a predefined MFA workflow or create a custom workflow.
- Install the workflow.
- Import the workflow.
- Configure the workflow as a business process.
- Enable the populations to use with MFA.
- Save your MFA configuration.
For more information, see How to Install a Multi-Factor Authentication Workflow – DUO Example.
Each MFA provider has its own flow and process. Each MFA provider is associated with the populations it applies to; those populations are selected from the existing list of DynamicScopes / Populations. A workflow of type MultiFactorAuthentication enables Multi-Factor Authentication for a particular provider.
Predefined workflows are provided. These workflows use existing preconfigured applications to perform Multi-Factor Authentication.
You can also create a custom workflow. See Custom Multi-Factor Authentication Workflows.
The following workflows are provided, but they are not installed by default. These workflows use existing preconfigured applications to perform Multi-Factor Authentication. The provided workflows are located at:
- WEB-INF/config/workflow_MultiFactor_DUO.xml
- WEB-INF/config/workflow_MultiFactor_RSA.xml
Note: The following instructions are specific to using DUO as your MFA application. You can use these instructions to install RSA by changing the DUO-specific items to RSA. As noted in the instructions, you do not need to add API authentication credentials for RSA.
- Review any prerequisites. See MFA Prerequisites.
- Import the workflow. You can use the Import From File function in the Global Settings menu or use the IdentityIQ console. To use the IdentityIQ console, open the console and run the following command:
  import workflow_MultiFactor_DUO.xml
- Configure the workflow as a business process:
  - Log in to IdentityIQ using an administrator account and navigate to Setup > Business Processes.
  - Click the workflow named MFA DUO.
  - Click Process Variables.
  - Select a preconfigured application, of type Duo, for the field Duo Application Name. The workflow reads new properties added to the application that is used to authenticate with the Duo cloud authentication service.
  - Click Save.
  Note: The following steps are not necessary for the MFA RSA workflow because RSA uses existing API credential information already configured in the RSA Application.
  - Navigate to Applications > Application Definition.
  - Select the Application of type Duo you configured in the previous step.
  - Click Configuration.
  - Complete the Admin API Credentials section using the credentials you obtained from the Duo Admin Panel.
  The first time you set up a Duo application, you must enter the Admin API information received from Duo. If you are modifying a previously configured Duo application, the Admin API credentials should already be configured.
  - Click Save.
- Next, enable a population of users that must use Multi-Factor Authentication to authenticate, using the following steps:
  - Click the gear icon.
  - Navigate to Global Settings > Quicklink Populations.
  - Verify you have an existing population of users you want to authenticate using Multi-Factor Authentication.
  - The population you enabled can allow a user in the population to request access for other users. If you do not want a user to have that capability, you can create a new QuickLink population. When you create the new QuickLink population, you must select No one in the "Who can members request for?" section. This configuration separates Request Access type Quicklink Populations from Multi-Factor Authentication Populations.
- Next, associate the population to the Multi-Factor Authentication workflow using the following steps:
  - Click the gear icon and navigate to Global Settings > Login Configuration > MFA tab.
  - Check the box for the MFA Workflow you want to enable.
  - Add any populations you want to enable for this MFA workflow to the multi-select list.
  - Click Save.
Implementers can create custom Multi-Factor Authentication workflows. Any workflow of type MultiFactorAuthentication displays in the MFA Configuration page. If you choose to create a custom workflow, review the following information:
- Add an error message to the workflow case using (Message and Type are sailpoint.tools.Message and its nested Type enum):
  wfcase.addMessage(new Message(Type.Error, "An error has occurred that prevents Multi-Factor Authentication"));
  This adds an error to the workflow case and signals to the Multi-Factor framework that the user should not be logged in.
- A workflow that was not marked complete signals that Multi-Factor Authentication has failed. During normal workflow execution, if a workflow has not produced an error, the workflow is automatically marked complete.
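The following skeleton is an added illustration of the two rules above, not one of the workflows shipped with IdentityIQ and not SailPoint's code. It declares a workflow of type MultiFactorAuthentication whose single script step either lets the case complete normally (the user is logged in) or adds an Error message to the case (the user is denied). The verifyWithProvider method is a hypothetical placeholder for the call to the external MFA provider, and the identityName input variable is an assumption about what the MFA framework passes in; only wfcase, log, Message and the workflow type come from the text above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Workflow PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Added example skeleton; not a shipped IdentityIQ workflow. -->
<Workflow name="MFA Custom Example" type="MultiFactorAuthentication" explicitTransitions="true">

  <!-- Assumption: the authenticating identity's name is supplied by the MFA framework. -->
  <Variable name="identityName" input="true"/>

  <Step icon="Start" name="Start">
    <Transition to="Verify Second Factor"/>
  </Step>

  <Step name="Verify Second Factor">
    <Script>
      <Source>
        import sailpoint.tools.Message;

        // Hypothetical placeholder for the real provider check. It returns false so
        // that an unfinished implementation denies login instead of letting it through.
        boolean verifyWithProvider(String name) {
            return false;
        }

        boolean verified = false;
        try {
            verified = verifyWithProvider(identityName);
        } catch (Exception e) {
            // A provider error is a failed factor, never a pass-through.
            log.error("MFA provider check failed for " + identityName, e);
        }

        if (!verified) {
            // An Error message on the case tells the MFA framework not to log the user in.
            wfcase.addMessage(new Message(Message.Type.Error,
                "An error has occurred that prevents Multi-Factor Authentication"));
        }
        // With no error added, the workflow reaches Stop, is marked complete, and login succeeds.
      </Source>
    </Script>
    <Transition to="Stop"/>
  </Step>

  <Step icon="Stop" name="Stop"/>
</Workflow>
```

The design choice worth noting is that every path other than an explicit positive result from the provider ends with the Error message on the case, so a thrown exception, a missing response or an unimplemented check all fail closed. Once imported, a workflow of this type appears in the MFA tab and can be enabled for a population exactly like the shipped DUO and RSA workflows.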