Hi Krzysztof,
I already assumed that it is not possible. Thanks for the information.
Best regards,
Sander
On Thu, 2023-07-06 at 11:57 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 5.07.2023 at 13:15, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we have a group in our instance who asked if it is possible to enforce
> > MFA for all their members. I know Unity can enforce MFA on a specific
> > endpoint/realm, but I don't know of a possibility to enforce it for
> > users from a specific group. Can you confirm this or explain how it
> > would work?
>
> Unfortunately it is not supported. Of course you can enable "MFA user
> opt in" for all group users, but that can't be automated (and so will
> require additional action when a new user is added).
>
> An improved solution would be to make management of the MFA opt in
> also possible using a regular attribute. Then one would be able to set
> up an attribute statement on the root group to set this MFA opt in to
> true for all members of a given group (or based on any other
> condition). But this will require additional MFA policies too, and we
> need a chain of decisions on what happens in case of conflicts (e.g. a
> user of that group has no 2F credential or unset her MFA opt-in). Most
> likely more sophisticated policies in authN flows would be needed as
> well.
>
> Best,
> Krzysztof
>
--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
Forschungszentrum Juelich GmbH
52425 Juelich