How to enable MFA during first time device self registration using VIP Auth hub?

Article ID: 386629

Products

VIP Authentication Hub

Issue/Introduction

SiteMinder is configured with a chained Authentication Scheme in which the first Authentication Factor is the SiteMinder HTML Form and the second Factor is VIP Auth Hub.
Note that the Auth Hub settings contain:
    {
        "name": "inlineEnrollmentFactorsRequired",
        "value": "PASSWORD:1,SMSOTP:2,EMAILOTP:2",
        "origin": "tenant"
    },

When a user tests the flow for the very first time, a test user needs only a username and password to gain access to the application. This lets anyone enroll a new device without a second Authentication Factor.
Since inline enrollment is enabled, how can the second Authentication Factor (SMSOTP or EMAILOTP) be enforced before a new device is registered?

Environment

VIP Auth Hub: 3.3.1.1005

Cause

Configuration issue.

Resolution

In the SiteMinder Authentication Scheme configuration, locate the authentication scheme of type "SiteMinder and VIP Auth Hub" that uses the Multi Factor Authentication Chain template.

In the "ID Token Hint Generation Setup" section, check "Enable Propagation of Extended user Attribute in ID Token Hint".

The ID token hint can be retrieved from the browser developer tools and decoded to confirm that it carries the email and phone number.

The prerequisite for the above is that the Authhub user directory in the SiteMinder Admin UI already has user attribute mappings defined, such as Email=mail and phone_number=mobile.

Those LDAP attributes must also be populated in the Authhub user directory for the specific user.
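To confirm that the extended attributes actually reach the ID token hint, the token copied from the browser developer tools can be inspected offline. The following is an added example, not code from the original article or from the product: it builds a constructed, unsigned token using the assumed claim names email and phone_number, decodes the payload segment without verifying the signature, and reports which of the required claims are missing.

```python
import base64
import json

# Claim names assumed for this check: the article maps Email=mail and
# phone_number=mobile in the Authhub user directory, so these are the names
# expected in the ID token hint payload (assumption; adjust to your tenant).
REQUIRED_CLAIMS = ("email", "phone_number")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    This is only for inspecting claims during troubleshooting; the relying
    party must still validate the signed token before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token: str, required=REQUIRED_CLAIMS) -> list:
    """List the required claims that are absent or empty in the payload."""
    claims = decode_jwt_payload(token)
    return [name for name in required if not claims.get(name)]


def _make_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one with the attributes propagated, one without.
TOKEN_WITH_ATTRS = _make_token({"sub": "jdoe", "email": "jdoe@example.com",
                                "phone_number": "+15555550100"})
TOKEN_WITHOUT_ATTRS = _make_token({"sub": "jdoe"})

if __name__ == "__main__":
    for label, tok in (("with", TOKEN_WITH_ATTRS), ("without", TOKEN_WITHOUT_ATTRS)):
        print(f"{label} propagation -> missing claims: {missing_claims(tok)}")
```

An empty list means propagation is working; if email or phone_number is listed, check the attribute mapping and the LDAP values for that user before looking at the Auth Hub side.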

Next, configure "User Credential Inline Enrollment" in VIP Auth Hub as below, with SMS OTP and Email OTP as the primary authentication.

To verify, after the SiteMinder form login the user is redirected to VIP Auth Hub, which asks for an SMS OTP or Email OTP as shown below.

After the correct OTP is provided, it asks the user to register a mobile app OTP.

The user can then access the SiteMinder protected page, and the new device is enrolled. On the next access attempt, the mobile app OTP is requested instead of an SMS OTP or Email OTP.