
TFA causing break in SAML registration/login account link flow

grohitg238

Hello experts,

We have TFA configured for every login from a different device/country. Now we are implementing SSO with an external IdP using SAML, where we are facing an issue with account linking for the SAML user.

The case is: if a user already has a site identity at CDC and tries to use the SAML sign-in option from a different device, there is an identity conflict and CDC triggers the account link flow.

Now, because TFA is required for the account that is trying to link the SAML user, this is not supported; this is also mentioned in the CDC documentation.

1. To make the linking happen, we have to disable TFA, which defeats the purpose of configuring it in the first place.

2. If we choose the option of not linking the two identities, CDC asks for TFA two times within one device for the same user.

Is there any alternative to option 1 apart from option 2?

Thanks.

Rohit

Accepted Solutions (1)


igal_mi
Product and Topic Expert

Hi Rohit,

My suggestion is:

  1. Create a separate apikey (within the same site group) to handle SAML logins.
  2. In RBA, exclude this apikey from the TFA rule.
  3. Point SAML logins to a page that runs under this apikey.

With this setup in place:

  1. User logs in via SAML.
  2. They are prompted with account linking.
  3. They perform account linking successfully (no TFA required, as it's excluded from this apikey).
  4. They SSO to the main application (original apikey).
  5. As part of the SSO, the platform will prompt for TFA.
  6. They pass the TFA process and successfully log in to the application.

Hope this makes sense.

Igal
