Multifactor Authentication
This feature is available starting with Identity Director 2021.2.
In the Management Portal, at Setup > Multifactor Authentication, you can enable multifactor authentication in your environment.
Enable multifactor authentication
Once you activate this option, all users will be redirected to the enrollment screen the next time they attempt to log into their account, either in the Management Portal or the Web Portal. On the enrollment screen, users can either scan the QR code with the authenticator application on their mobile phone, or manually enter the code into the application. This only needs to be done once and, starting from that point, the authenticator will start generating codes that must be used during each login attempt.
Once you enable multifactor authentication in your environment, all users have to enroll in order to log in. To unenroll a user, click the Unenroll button at the bottom of the Multifactor Authentication page and select the user from the list. Once you confirm and complete this action, the user has to go through the enrollment process again at their next login.
If you click on the Reset button, all the enrollments will be removed for all users.
In order for multifactor authentication to work correctly in your environment, make sure the following conditions are met:
- In IIS, the Load User Profile option is set to True for the application pools that host the Management Portal, the Web Portal, and the Mobile Gateway. To check this for the Management Portal pool:
  - Open the IIS Management Console.
  - Navigate to Application Pools > IT Store Management.
  - Open the Advanced Settings for IT Store Management.
  - In the Process Model section, make sure that Load User Profile is set to True.
  - If Load User Profile is set to False, set it to True and click Recycle.
  - If you have to change the configuration, exit the Management Portal first.
  - Repeat the check for the application pools that host the Web Portal and the Mobile Gateway.
- For the Management Portal, Web Portal, and Mobile Gateway, you have configured the same encryption key.
- In your environment, Identity Broker Authentication is disabled. Multifactor authentication does not work on the components for which Identity Broker is active.
  Example: You have configured Identity Broker for both the Management Portal and the Web Portal.
  - Authentication for the Management Portal and for the Web Portal is done through Identity Broker.
  - In this case, there is no component that sends users to the enrollment process for multifactor authentication.
  When users attempt to log into the Identity Director client, they must provide a code generated by the authenticator. Because they never went through the enrollment process, they cannot obtain a code and cannot log in.
  If you want to use Identity Broker for both the Management Portal and the Web Portal but still use multifactor authentication for the Identity Director client, you must first let users enroll their authenticator applications. To do so, enable multifactor authentication (rather than Identity Broker) on a web component where the enrollment process can be completed, that is, the Management Portal or the Web Portal.
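The Load User Profile check above has to be done on three application pools, which is easy to get wrong by hand. The following PowerShell script is an added example, not part of the Identity Director documentation or product, that audits the setting on all three pools and optionally fixes and recycles them. Only the pool name IT Store Management appears on this page; the names used for the Web Portal and Mobile Gateway pools are assumptions and must be replaced with the names configured in your IIS. It requires an elevated prompt on the IIS server and the WebAdministration module.

```powershell
# Added example (not from the Identity Director documentation): audit and,
# with -Fix, correct the Load User Profile setting on the application pools
# that host the Management Portal, Web Portal and Mobile Gateway.
# Run from an elevated PowerShell prompt on the IIS server.
param(
    [switch]$Fix   # without -Fix the script only reports, it changes nothing
)

Import-Module WebAdministration

# Only "IT Store Management" is named on the page; the other two pool names
# are assumptions - replace them with the names used in your IIS.
$pools = @(
    'IT Store Management',     # Management Portal (named on the page)
    'IT Store Web Portal',     # assumed name for the Web Portal pool
    'IT Store Mobile Gateway'  # assumed name for the Mobile Gateway pool
)

foreach ($pool in $pools) {
    $path = "IIS:\AppPools\$pool"
    if (-not (Test-Path $path)) {
        Write-Warning "Application pool '$pool' not found; check the pool name."
        continue
    }

    # processModel.loadUserProfile is the setting shown as
    # "Load User Profile" in Advanced Settings > Process Model.
    $loadUserProfile = (Get-ItemProperty -Path $path -Name processModel).loadUserProfile
    if ($loadUserProfile) {
        Write-Output "$pool : Load User Profile is True (OK)"
        continue
    }

    if (-not $Fix) {
        Write-Warning "$pool : Load User Profile is False; rerun with -Fix to correct it."
        continue
    }

    # The setting is False: set it to True and recycle the pool so the
    # worker process picks it up. Exit the Management Portal before running
    # this, as the documentation requires.
    Set-ItemProperty -Path $path -Name processModel.loadUserProfile -Value $true
    Restart-WebAppPool -Name $pool
    Write-Output "$pool : Load User Profile set to True and pool recycled"
}
```

Run it once without parameters to see which pools are misconfigured, then with -Fix to apply the change; a pool that is already correct is never recycled, so portals that are in use are not disturbed unnecessarily.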
Enforce enrollment
Enable this option if you want multifactor authentication to be enforced for all your users.
If the box is not checked, the setting is off: users can skip the enrollment screen and log on with their password alone, so multifactor authentication is effectively optional.
If the setting is on, users who have not previously enrolled must complete the enrollment process and register an authenticator application before they can log on.