IBM Verify

  • 1.  ISAM - How to configure MFA using TOTP after ISAM login?

    Posted Tue December 08, 2020 07:07 AM
    Edited by Prashant Narkhede Tue December 08, 2020 08:04 AM
    Hi All,

    I have configured the federation with one of the cloud-based applications and it works successfully.
    With this, after logging into ISAM, I want to configure MFA with TOTP so that every user will be asked for a TOTP after ISAM login when accessing the federated application.

    Any suggestions on how to configure it?




    ------------------------------
    Prashant Narkhede
    ------------------------------


  • 2.  RE: ISAM - How to configure MFA using TOTP after ISAM login?

    Posted Tue December 08, 2020 10:15 AM
    Hi Prashant. I recommend Jon Harry's post https://community.ibm.com/community/user/security/blogs/jon-harry/2020/02/06/mobile-multi-factor-authentication-ibm-verify-mfa, which includes the "Verify Access MMFA Cookbook" that will guide you on Multifactor Authentication Mechanisms and their configurations. Hope this helps you.
    Regards.

    ------------------------------
    David Vicenteño
    ------------------------------



  • 3.  RE: ISAM - How to configure MFA using TOTP after ISAM login?

    Posted Tue December 08, 2020 12:35 PM

    Hi David,

    I am already referring to it, but the confusion I have is about which resource the policy should be applied to in order to protect the federated application via MFA.

    If I apply the TOTP policy to /, then how will users scan the QR code and register using the IBM Verify App?

    Can you please suggest where the policy should be applied?




    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 4.  RE: ISAM - How to configure MFA using TOTP after ISAM login?

    Posted Tue December 08, 2020 01:16 PM
    I think you need to apply an "access policy" to your federation. When you configure your federation you can enable the access policy option and choose an access policy which executes every time a user requests the configured federation, e.g.

    In this link you can find information about access policies and their development.
    https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/config/concept/access_policies.htm
    In the access policy you can force the user to provide an OTP.
    Hope this helps you.
    Regards.

    ------------------------------
    David Vicenteño
    ------------------------------



  • 5.  RE: ISAM - How to configure MFA using TOTP after ISAM login?

    Posted Tue December 08, 2020 04:13 PM
    Edited by Carl Hovi Tue December 08, 2020 04:16 PM
    Prashant, it sounds like you are using ISAM as a federation IDP, where the users first log into ISAM, and then click on some link to let them enjoy federated SSO to some cloud-hosted application which acts as the federation SP (if SAML is being used). Is this correct? The rest of what I write here assumes this is the case.

    If yes, you could provide a link to allow the users to register their device for use with TOTP. If AAC is configured, there will be a URL for the TOTP device registration page which looks something like this (and MMFA does not need to be configured for this):
    https://<isam-webseal-hostname>/mga/sps/mga/user/mgmt/html/otp/otp.html
    As long as this URL is not covered by how you attach the AAC policy which forces TOTP authentication, then users should be able to perform a TOTP client device registration, without having first performed a TOTP authentication.

    Separately, you should be able to identify a URL which the user hits when they invoke a federated login to the Cloud-hosted application, define an AAC Resource for that URL, and then attach an AAC policy to that AAC Resource (where that AAC policy will force the TOTP authentication).

    (If you have MMFA configured on your ISAM/ISVA system, and the users are using the "IBM Verify" client app on their Android or iOS device, they could instead do an MMFA device registration, invoked via a different URL, which would also give them the ability to use TOTP.)

    ------------------------------
    Carl Hovi
    IBM
    ------------------------------



  • 6.  RE: ISAM - How to configure MFA using TOTP after ISAM login?

    Posted Thu December 10, 2020 05:41 AM
    Edited by Prashant Narkhede Thu December 10, 2020 06:13 AM
    Hi David and Carl,

    Thank you for your inputs.

    I have created an access policy from the Federation and applied it to the federation, and it worked for me.
    In order to get it working, I had to attach the isam_idp_isam_anyauth policy to isam/sps/authsvc, which was isam_idp_isam_nobody (effective) by default. This was done because of the forbidden error.

    Is this the correct way to do it? Or have I missed any other configurations?

    Now, the other challenge is that only one mobile device having the IBM Verify App should be able to register for TOTP.
    Can you please share your suggestions/thoughts on how to implement it?





    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 7.  RE: ISAM - How to configure MFA using TOTP after ISAM login?

    Posted Fri December 18, 2020 10:28 AM

    Your choice of "anyauth" is fine. You could make this be a more restrictive rule in the future if such a need came up, perhaps based on group memberships. But allowing any authenticated user to register a TOTP device is probably a reasonable choice.

    Your second question asked if there is a way to restrict TOTP device registrations to only one per user. There are a couple of points to consider about this. Some users will prefer to have more than one: they might have an iPhone and an iPad (I do this myself). In addition, there is no direct communication between a TOTP authenticator device and the TOTP server (ISAM/ISVA) after the registration is complete. And some Android devices may allow a way to clone the entire device, which would carry that TOTP authenticator device setup over to the second Android device. There is no way for a TOTP server system such as ISAM/ISVA to know if this has taken place. You can even complete a TOTP device registration on an iPhone or Android device that is in Airplane mode with wifi turned off (a device that has no Internet connectivity at all).

    These are some of the reasons that ISAM/ISVA does not attempt to provide a method "out of the box" to allow only one TOTP device registration per user. You might be able to put some extra protection on the TOTP registration page - for example an AAC policy which could check if the user already had a registered TOTP device. But because of the reasons above it would not prevent all cases of multiple device registration, and some of the users might not like it.

    I wanted to point out that other TOTP clients can be used with ISAM/ISVA (I have tested the Google Authenticator app with ISAM AAC myself). This does not change the answers above; I just wanted you to be aware that TOTP clients other than the IBM Verify mobile app could be used with ISAM/ISVA.



    ------------------------------
    Carl Hovi
    IBM
    ------------------------------
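As an added example (not code from the thread, IBM Verify or ISAM/ISVA), the Python below illustrates Carl's point about why the server cannot limit TOTP to one device: the client needs only the secret from the QR code's otpauth URI (no network), and two devices enrolled from the same secret produce identical RFC 6238 codes, so the server has nothing to tell them apart by. The demo secret and URI are constructed values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed demo secret, as it would be encoded in a registration QR code's otpauth:// URI.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
DEMO_URI = f"otpauth://totp/ISAM:demo-user?secret={DEMO_SECRET_B32}&period=30&digits=6"


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation (RFC 4226)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Authenticator:
    """A registered TOTP client. It is built purely from the URI in the QR code and never
    contacts the server again, which is why an offline (airplane-mode) registration works."""

    def __init__(self, otpauth_uri: str):
        q = parse_qs(urlparse(otpauth_uri).query)
        self.secret = q["secret"][0]
        self.period = int(q.get("period", ["30"])[0])
        self.digits = int(q.get("digits", ["6"])[0])

    def code_at(self, unix_time: int) -> str:
        return totp(self.secret, unix_time // self.period, self.digits)


def server_verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server side: the only input is the submitted code; accept it if it matches the
    current 30-second step or a neighbouring one (clock drift). No device identity exists."""
    step = unix_time // 30
    return any(hmac.compare_digest(totp(secret_b32, step + d), code)
               for d in range(-window, window + 1))


def clone_is_indistinguishable(unix_time: int = 1607443200) -> bool:
    """A second device (second scan, backup restore, device clone) yields the same code."""
    phone = Authenticator(DEMO_URI)
    cloned_device = Authenticator(DEMO_URI)
    code_from_clone = cloned_device.code_at(unix_time)
    return (phone.code_at(unix_time) == code_from_clone
            and server_verify(DEMO_SECRET_B32, code_from_clone, unix_time))
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors, so the behaviour shown is the standard one any TOTP client (IBM Verify, Google Authenticator) implements.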