TFA causing break in saml Registration/login acoount link flow

grohitg238 — Wed, 16 Mar 2022 11:05:36 GMT

Hello experts,

We have TFA configured for every login from different device/country. now we are implementing sso with external idp using SAML. where we are facing issue with account linking for saml user.

case is, if user is already have site identity at CDC, when user tries to use saml sign in option from different device there will be identity conflict & cdc triggers account link flow.

now because of TFA required for the account which is trying to link saml user is not supported, this is also mentioned in cdc documentation.

1. To make the linking happen, we have to disable the TFA which is not serving purpose of configuring it at first.

2. If we chose option by not linking two identities, CDC is asking for TFA two time within one device for same user.

Is there any alternative in option 1 apart from option 2?

Thanks.

Rohit

Re: TFA causing break in saml Registration/login acoount link flow

igal_mi — Thu, 17 Mar 2022 08:43:44 GMT

Hi Rohit,

My suggestion is:

Create a separate apikey (within the same site group) to handle SAML logins.
In RBA, Exclude this apikey from the TFA rule.
point SAML logins to a page that runs under this apikey.

With this setup in place:

User logs in via SAML
They are prompted with account linking.
They perform account linking successfully (No TFA required as it's excluded from this apikey)
They SSO to the main application (original apikey)
As part of the SSO, the platform will prompt for TFA
They pass TFA process and successfully log it to the application.

Hope this makes sense.

Igal

Question Re: TFA causing break in saml Registration/login acoount link flow in CRM and CX Q&A

TFA causing break in saml Registration/login acoount link flow

Re: TFA causing break in saml Registration/login acoount link flow