Getting Started with One-Time Code MFA
Overview
The Cirrus One-Time Code product is a lightweight option for step-up MFA. An example use case is a Cirrus Proxy customer who uses the Proxy for applicant logins to Slate, financial aid, and housing applications before full admission. The product relies on an email address asserted by your identity provider(s) to know where to send the validation code, so the protection it adds is only as trustworthy as that attribute: scenarios where the IdP-asserted email may not be accurate (for example, alumni records that may be long out of date) are not good candidates. The Cirrus Bridge does not currently support this product.
Requirements:
- You are running a Cirrus Proxy.
- Your identity provider(s) must be able to assert an email address as the mail attribute by OID (urn:oid:0.9.2342.19200300.100.1.3) to use this solution.
- Email must be an acceptable method of MFA for your campus.
This product is an add-on that augments identity provider behavior. You can require MFA for any SAML identity provider(s) implemented for the Proxy. When a user signs in from an MFA-enabled IdP, Cirrus emails a code to the address asserted by that IdP and requires the user to enter it before sign-in completes.
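Because the code is delivered to whatever address the IdP asserts under the OID above, the first thing to confirm before go live is that each IdP actually releases mail under that exact attribute Name, with a single, well-formed value. The following is an added example (not Cirrus code) that parses an assertion captured from your own IdP and classifies what One-Time Code MFA would see. The assertion text is constructed inline, and the set of legacy attribute Names it flags (`urn:mace:dir:attribute-def:mail`, bare `mail`) is an assumption about common alternative encodings, not a list from Cirrus. It does no signature or XML hardening, so use it only on assertions from an IdP you operate.

```python
"""Check that a SAML assertion carries the mail attribute as One-Time Code MFA needs it.

Added example, not Cirrus code. It parses an assertion captured from your own IdP
(e.g. with a browser SAML tracer) and reports whether mail is present under the
required OID, present only under a legacy Name, missing, ambiguous, or external.
Signature validation and XML hardening are out of scope: run it on your own IdP's output only.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # the attribute Name Cirrus requires
# Assumed alternative Names an IdP may release mail under (e.g. SAML1/Basic encoders);
# Cirrus does not read these, so their presence alone means the requirement is not met.
MAIL_LEGACY_NAMES = {"urn:mace:dir:attribute-def:mail", "mail"}


def build_assertion(attributes):
    """Build a constructed, unsigned SAML 2.0 Assertion for exercising the check.

    attributes: iterable of (Name, FriendlyName, [values]) tuples.
    """
    parts = []
    for name, friendly, values in attributes:
        vals = "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        parts.append(
            f'<saml:Attribute Name="{escape(name, {chr(34): "&quot;"})}" '
            f'FriendlyName="{escape(friendly, {chr(34): "&quot;"})}">{vals}</saml:Attribute>'
        )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
        "<saml:AttributeStatement>" + "".join(parts) + "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def mail_attribute_values(assertion_xml):
    """Return (values released under MAIL_OID, legacy Names that also look like mail)."""
    root = ET.fromstring(assertion_xml)
    oid_values, legacy_names = [], []
    # Search descendants so a full <samlp:Response> wrapping the Assertion also works.
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        friendly = attr.get("FriendlyName", "")
        if name == MAIL_OID:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                text = (value.text or "").strip()
                if text:  # an empty AttributeValue is as useless as a missing one
                    oid_values.append(text)
        elif name in MAIL_LEGACY_NAMES or friendly == "mail":
            legacy_names.append(name)
    return oid_values, legacy_names


def check_mail_assertion(assertion_xml, institution_domains=()):
    """Classify the asserted mail attribute as the OTC MFA step would consume it.

    Returns (status, detail):
      ok         - exactly one mail value under the required OID
      external   - one value, but its domain is not in institution_domains (fine for
                   applicants; confirms you must test delivery to outside domains)
      multiple   - several values: the delivery target is ambiguous, release one
      malformed  - the value is not of the form local@domain
      wrong_name - mail is released, but not under the OID Cirrus reads
      missing    - no mail attribute at all
    """
    values, legacy_names = mail_attribute_values(assertion_xml)
    if not values:
        return ("wrong_name", legacy_names[0]) if legacy_names else ("missing", None)
    if len(values) > 1:
        return ("multiple", values)
    addr = values[0]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ("malformed", addr)
    allowed = {d.lower() for d in institution_domains}
    if allowed and domain.lower() not in allowed:
        return ("external", addr)
    return ("ok", addr)


if __name__ == "__main__":
    EPPN = ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "eduPersonPrincipalName", ["jdoe@example.edu"])
    scenarios = {
        "good": build_assertion([EPPN, (MAIL_OID, "mail", ["jane.doe@example.edu"])]),
        "legacy name": build_assertion([EPPN, ("urn:mace:dir:attribute-def:mail", "mail", ["jane.doe@example.edu"])]),
        "no mail": build_assertion([EPPN]),
        "applicant": build_assertion([(MAIL_OID, "mail", ["applicant@gmail.com"])]),
    }
    for label, xml in scenarios.items():
        print(f"{label:12} -> {check_mail_assertion(xml, ['example.edu'])}")
```

The `wrong_name` case is the one most often missed: attribute-release logs on the IdP show "mail" going out, but under a SAML1-style Name that the Proxy does not match, so users never receive a code.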
Base Configuration
Gather Configuration Information
First you will need to collect the following information:
- List of identity provider(s) that you would like to enable with One-Time Code MFA
- Custom From address for your institution
- (optional) Custom help URL if you would like to direct users to help tailored for your institution
Configure the Email Handler
To send codes from a custom From address for your institution, you will need to configure an email handler. Follow the instructions at Configure the Email Handler.
Schedule the Go Live
One-Time Code MFA is live once our team configures it. To schedule the go live, send the configuration information to your Technical Implementation Lead and they will coordinate a go live time with you.
Test
Test with an email account in your institution's domain and with an external email address. Also test both on campus and off campus to confirm that your email server settings deliver codes in each case.
Step 1 - Log in to an Application Through an MFA-Enabled IdP
First you will navigate to one of your applications through an IdP that is configured to use One-Time Code MFA. You will reach a screen to enter the MFA code.
Step 2 - Retrieve the Code from Email
Check the mailbox for the address asserted by the IdP and retrieve the MFA code.
Step 3 - Enter the MFA code
Return to the screen from Step 1 and enter the code to complete sign-in.
Step 4 - Continue on the Application
Verify that your login to the application was successful.
Logs for Troubleshooting
Logs for One-Time Code MFA are available via the LogAPI with a logType of emailMFA. Details can be found at One-Time Code MFA Log Elements.