From: Krzysztof B. <kb...@un...> - 2023-07-06 09:58:13
Hi Sander,

On 5.07.2023 at 13:15, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we have a group in our instance who asked if it is possible to enforce
> MFA for all their members. I know unity can enforce MFA on a specific
> endpoint/realm, but I don't know a possibility to enforce it to users
> from a specific group. Can you confirm this or explain how it would
> work?

Unfortunately it is not supported. Of course you can enable "MFA user opt in" for all group users, but that can't be automated (and so will require additional action when a new user is added).

An improved solution would be to make management of the MFA opt in also possible using a regular attribute. Then one would be able to set up an attribute statement on the root group to set this MFA opt in to true for all members of a given group (or based on any other condition). But this will require additional MFA policies too, and we need a chain of decisions what happens in case of conflicts (e.g. user of that group has no 2F credential or unset her MFA opt-in). Most likely more sophisticated policies in authN flows would be needed as well.

Best,
Krzysztof