Add MFA based on user group¶
You can enable a more secure login flow for users that belong to specific groups by applying the Group-Based conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP for users who belong to the user groups you specify.
Scenario¶
Consider a scenario with two user groups, manager
and employee
. For users assigned to these groups, the login flow in applications should be stepped up with TOTP as follows:
- Username and password
- TOTP
Prerequisites¶
-
You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.
-
Create two user groups named
manager
andemployee
and assign user accounts to them. For instructions, see the following:
Configure the login flow¶
To enable conditional authentication:
-
On the Asgardeo Console, click Applications.
-
Select the relevant application and go to its Login Flow tab.
-
Add group-based adaptive MFA as follows:
To add group-based adaptive MFA using the classic editor:
-
Click Start with default configuration to define the login flow starting with the
username and password
login. -
Turn on Conditional Authentication by switching the toggle on.
-
Select the Adaptive MFA > Group-Based template.
To add group-based adaptive MFA using the visual editor:
-
Switch to the Visual Editor tab, and expand Predefined Flows > Conditional Login Flows > Adaptive MFA.
-
Click + ADD next to Group-Based to add the group-based adaptive MFA script.
-
Click Confirm to replace any existing script with the selected predefined script.
Important
As a security measure, Asgardeo does not allow the usage of two consecutive periods (
..
) in authentication scripts. -
-
Verify that the login flow is now updated with the following two authentication steps:
- Step 1: Username and Password
- Step 2: TOTP
-
Update the following parameter in the script.
Parameter Description groupsToStepUp
Comma separated list of user groups. Two-factor authentication should apply to users from these groups.
For this example scenario, entermanager
andemployee
. -
Click Update to confirm.
How it works¶
Shown below is the script of the group-based conditional authentication template.
var groupsToStepUp = ['manager', 'employee'];
var onLoginRequest = function (context) {
executeStep(1, {
onSuccess: function (context) {
// Extracting authenticated subject from the first step.
var user = context.currentKnownSubject;
// Checking if the user is assigned to one of the given groups.
var isMember = isMemberOfAnyOfGroups(user, groupsToStepUp);
if (isMember) {
Log.info(getMaskedValue(user.username) + ' is a member of one of the groups: ' + groupsToStepUp.toString());
executeStep(2);
}
}
});
};
Let's look at how this script works.
- When step 1 of the authentication flow is complete, the onLoginRequest function retrieves the user from the context.
- The user and the configured list of groups are passed to the following function:
isMemberOfAnyOfGroups
. - This function (which is available in Asgardeo by default) verifies whether the given user belongs to any of the listed groups.
- If the user belongs to any of the configured groups, authentication step 2 (TOTP) is prompted.
Note
Find out more about the scripting language in the Conditional Authentication API Reference.
Try it out¶
Follow the steps given below.
- Access the application URL.
- Try to log in with a user who does not belong to any of the configured groups (manager or employee). You will successfully sign in to the application.
- Log out of the application.
-
Log in with a user who belongs to the
manager
oremployee
group or both. TOTP authentication is prompted.