Introduction
In today’s global, hybrid work environments, organizations often need to apply different sign-in and MFA (multi-factor authentication) policies to distinct user groups. For example, all full-time employees should authenticate via federated SSO with an external identity provider; contingent workers should sign in using identity domain credentials with SMS-based MFA; and mobile field employees should use username/password plus a mobile authenticator passcode. This blog explains how to implement these security configurations using the User Categories feature in the Fusion Security Console.
Requirement
The requirement is as described in the introduction and is summarized in the table below.
Note that MFA enrollment must be mandatory, with a specific second factor, for contingent workers and field workers.
| | Full Time Employees | Contingent Employees | Field Employees |
|---|---|---|---|
| Login | Corporate Federated SSO (Example AD) | Identity Domain users | Identity Domain users |
| MFA | Configured at federated identity provider | Mobile SMS (OTP) | Authenticator Passcode |
| MFA enrolment | Optional | Mandatory | Mandatory |
Steps
1. Fusion Security Console
Log in as Application Administrator and navigate to Tools -> Security Console -> User Categories.
Notice that a Default User Category exists and that all users belong to this category by default.
Create a new User Category for contingent workers; configure the ‘Two-Factor Authentication’ settings and select ‘SMS’ as the second factor.
Create a new User Category for field workers; configure the ‘Two-Factor Authentication’ settings and select ‘Oracle Mobile Authenticator Passcode’ as the second factor.


Since the MFA enrollment is mandatory for these users, select ‘Requires MFA’ under ‘Enforce MFA During Sign-in’ for both the user categories.

Add users to the newly created user categories using one of the methods described in the documentation. Note that a user can belong to only one user category.
Tip:
To assign multiple existing users to a user category, use the OCI Identity SCIM API to automate the assignment. Refer – Add Users to a User Category – SCIM API
2. OCI Identity Domain console
For every user category created in the Fusion Security Console, a corresponding sign-on rule is auto-created within the ‘User Category Based Sign-on Policy’ of the identity domain. These rules are bound to the user category and drive the login and MFA flow when users in that category log in to Fusion Cloud Applications.
(Optional Verification step)
Log in to the OCI Console as an identity administrator and navigate to Identity -> Domains -> the identity domain of the Fusion Cloud Application instance -> Domain Policies.
Check the Sign-on policies and open the ‘User Category Based Sign-on Policy’.
Within this policy, navigate to Sign-on Rules.
Verify that two new rules have been added, corresponding to the new user categories that were created.

Open the sign-on rule and ensure that it captures the additional factors and enrolment configurations reflecting the user category in Fusion Security Console.

3. Verification
Test login using users from the new categories. On first-time login the user will be forced to enroll the MFA factor configured in the user category. Subsequent logins will prompt for the additional factor to complete authentication.



Note that an MFA reset may be required in some cases for users who are moved from one user category to another before the new MFA configuration takes effect.
To reset the MFA factors for a user account, log in to the identity domain in the OCI Console as an identity administrator and navigate to User Management. Select the required user and choose ‘Reset Factors’ from the Actions menu.
Tip:
To reset MFA factors for multiple users, the above action can also be automated using the OCI Identity REST API. Refer – Resetting Authentication Factors for Multiple Users using the Bulk Endpoint
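The following Python script is an added example, written for this post and not code from Oracle or from the linked documentation, showing how both tips above (assigning many users to a user category, and resetting factors for many users after a category move) can be batched into SCIM bulk requests. It assumes the identity domain exposes the standard SCIM bulk endpoint at /admin/v1/Bulk and the AuthenticationFactorsRemover resource; the attribute path that holds a user's Fusion user category is not on this page, so it is left as the labelled placeholder USER_CATEGORY_ATTR, to be taken from the ‘Add Users to a User Category – SCIM API’ document. The user IDs, domain URL and token are constructed or read from environment variables.

```python
"""Batch user-category assignment and MFA factor resets as SCIM bulk requests.

Added example for this post (hypothetical helper, not Oracle's code).
Assumptions not taken from the page:
  - SCIM bulk endpoint:            POST {domain_url}/admin/v1/Bulk
  - factor reset resource:         POST /AuthenticationFactorsRemover (inside the bulk body)
  - USER_CATEGORY_ATTR is a placeholder for the real attribute path; replace it
    with the path given in the 'Add Users to a User Category - SCIM API' document.
"""
import json
import os
import urllib.request

SCIM_BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
FACTORS_REMOVER_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:AuthenticationFactorsRemover"
USER_CATEGORY_ATTR = "<USER-CATEGORY-ATTRIBUTE-PATH>"  # placeholder, see module docstring


def reset_factors_op(user_id, bulk_id):
    """One bulk operation that clears every enrolled MFA factor of user_id."""
    return {
        "method": "POST",
        "bulkId": bulk_id,  # required by RFC 7644 for POST operations in a bulk request
        "path": "/AuthenticationFactorsRemover",
        "data": {"schemas": [FACTORS_REMOVER_SCHEMA], "user": {"value": user_id}},
    }


def set_user_category_op(user_id, category, bulk_id):
    """One bulk operation that PATCHes the (placeholder) user-category attribute."""
    return {
        "method": "PATCH",
        "bulkId": bulk_id,
        "path": f"/Users/{user_id}",
        "data": {
            "schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": USER_CATEGORY_ATTR, "value": category}],
        },
    }


def build_bulk_requests(operations, max_ops=50, fail_on_errors=1):
    """Split operations into BulkRequest bodies of at most max_ops each.

    max_ops is a conservative client-side batch size (an assumption, not a
    documented server limit); failOnErrors=1 stops a batch at the first failure
    so a bad user ID does not silently leave half the population unchanged.
    """
    return [
        {
            "schemas": [SCIM_BULK_SCHEMA],
            "failOnErrors": fail_on_errors,
            "Operations": operations[start:start + max_ops],
        }
        for start in range(0, len(operations), max_ops)
    ]


def send_bulk(domain_url, token, body):
    """POST one BulkRequest body to the identity domain and return the parsed response."""
    req = urllib.request.Request(
        f"{domain_url.rstrip('/')}/admin/v1/Bulk",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: three contingent workers being moved into a new category
    # and then having their factors reset so the category's SMS factor is enrolled.
    user_ids = ["user-id-0001", "user-id-0002", "user-id-0003"]  # constructed IDs
    ops = []
    for i, uid in enumerate(user_ids):
        ops.append(set_user_category_op(uid, "Contingent Workers", f"cat-{i}"))
        ops.append(reset_factors_op(uid, f"reset-{i}"))
    batches = build_bulk_requests(ops, max_ops=4)
    print(f"{len(ops)} operations in {len(batches)} bulk request(s)")
    print(json.dumps(batches[0], indent=2))

    domain_url = os.environ.get("IDCS_DOMAIN_URL")  # e.g. https://idcs-<id>.identity.oraclecloud.com
    token = os.environ.get("IDCS_ACCESS_TOKEN")     # bearer token with identity-domain admin scope
    if domain_url and token:
        for body in batches:
            print(json.dumps(send_bulk(domain_url, token, body), indent=2))
    else:
        print("IDCS_DOMAIN_URL / IDCS_ACCESS_TOKEN not set; request bodies printed only.")
```

Run without the environment variables to inspect the generated bodies first; the bulk response lists a status per `bulkId`, which makes it straightforward to reconcile which users were updated before asking them to re-enroll.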
References
User Categories Overview – Doc
Add users to a User Category – Doc
Add Users to a User Category – REST API
MFA – Oracle Fusion Cloud Common Technologies and User Experience 25D What’s New
MFA – Oracle Fusion Cloud Common Technologies and User Experience 26A What’s New
