Multi-Factor Authentication in Identity Domains

October 4, 2022 | 3 minute read

Introduction

This post describes how to correctly set up Multi-Factor Authentication (MFA) using identity domains. After seeing a few customers misconfigure their environment, I decided to write a short post on the matter.
 
As you may be aware, new tenancies automatically get the latest version of Identity Cloud Service (IDCS). This service is now called Identity Domains, and its user interface has moved into the Oracle Cloud Infrastructure (OCI) control plane. For existing tenancies that are still using IDCS, be patient: your tenancy will be migrated as soon as possible.
 

Issue

I have recently come across an issue with a few of my customers who believed MFA was turned on when it was not. If you are currently using IDCS and have MFA configured and working, you will have no issues after the migration; everything should work as before. However, if you are a new tenancy configuring MFA for the first time, you may end up without MFA without realizing that a step is missing. There are two steps you need to be aware of when configuring MFA:
  1. Configure the authentication methods and
  2. Configure at least one Sign-On policy to enable MFA.
 

Solution

Many customers forget the second step. Configuring the authentication methods, such as Email and SMS, is not enough; you must also configure a Sign-on policy that prompts for them. Let's dive in with some screenshots of the configuration.
 
Note: Screens may differ slightly in future releases.
 

Step #1

Configure authentication methods:
 
MFA Configuration - Step 1
 
To access this page go to the hamburger menu and Identity & Security -> Domains -> |Select a Domain| -> Security -> MFA
Here you can configure the authentication methods among other settings.
This is where some customers stop. All we did in this step was configure the possible authentication methods. This does NOT enable MFA.
 

Step #2

Enable MFA
 
For this task we must create at least one Sign-On policy and explicitly enable MFA in one of its rules.
 
MFA Configuration - Step 2a
 
To access this page go to the hamburger menu and Identity & Security -> Domains -> |Select a Domain| -> Security -> Sign-on policies
Here you will see at least one policy (Default Sign-On Policy).
 
Note: It is recommended that you create a new Sign-on policy for MFA.
 
Click on the 'Default Sign-On Policy' and you can see that I have a rule called 'kc_test_mfa'. On the right side, click on the three-dot (ellipsis) menu and select 'Edit sign-on rule'. Scroll to the bottom.
 
MFA Configuration - Step 2b
 
Here you can see a 'Prompt for an additional factor' check box. When selected you will notice other options appear as shown above. Select the appropriate options for your use case. Then 'Save changes' and MFA is now enabled!
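The check below is an added example, not part of the original post or of any Oracle tooling: it encodes the two-step rule above as an audit function, so that a configuration with factors enabled (Step 1) but no active sign-on rule prompting for an additional factor (Step 2) is reported as NOT enforcing MFA. The snapshot layout, field names and the sample values are constructed for this example and are not the OCI Identity Domains API schema.

```python
"""Audit check for the misconfiguration described above.

Snapshot layout is hypothetical (constructed for this example, not the
real OCI Identity Domains API): map a real export onto it yourself.
"""


def mfa_status(snapshot: dict) -> dict:
    """Return whether MFA is actually enforced and, if not, which step is missing."""
    # Step 1: at least one authentication factor must be enabled.
    factors = [name for name, on in snapshot.get("factors", {}).items() if on]
    findings = []
    if not factors:
        findings.append("no authentication factor is enabled (Step 1 missing)")

    # Step 2: at least one ACTIVE sign-on policy must contain a rule that
    # prompts for an additional factor. An inactive policy does not count.
    prompting_rules = []
    for policy in snapshot.get("sign_on_policies", []):
        if not policy.get("active", False):
            continue
        for rule in policy.get("rules", []):
            if rule.get("prompt_additional_factor", False):
                prompting_rules.append(f'{policy["name"]}/{rule["name"]}')
    if not prompting_rules:
        findings.append("no active sign-on rule prompts for an additional factor (Step 2 missing)")

    return {"enforced": not findings, "factors": factors,
            "prompting_rules": prompting_rules, "findings": findings}


# Constructed snapshots (hypothetical values, not from a real tenancy).
STEP1_ONLY = {  # the mistake the post describes: factors on, no MFA rule
    "factors": {"email": True, "sms": True, "totp": False},
    "sign_on_policies": [{"name": "Default Sign-On Policy", "active": True,
                          "rules": [{"name": "Default Sign-On Rule",
                                     "prompt_additional_factor": False}]}],
}
BOTH_STEPS = {  # factors on AND a rule with 'Prompt for an additional factor'
    "factors": {"email": True, "sms": True, "totp": False},
    "sign_on_policies": [{"name": "Default Sign-On Policy", "active": True,
                          "rules": [{"name": "kc_test_mfa",
                                     "prompt_additional_factor": True}]}],
}

if __name__ == "__main__":
    for label, snap in (("factors only", STEP1_ONLY), ("factors + policy", BOTH_STEPS)):
        print(label, "->", mfa_status(snap))
```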

Vinay Kalra

