# Add MFA based on user group
You can enable a more secure login flow for users that belong to specific groups by applying the Group-Based conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP for users who belong to the user groups you specify.
# Scenario
Consider a scenario with two user groups, manager and employee. For users assigned to these groups, the login flow in applications should be stepped up with TOTP as follows:
- Username and password
- TOTP
# Prerequisites
You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.
Create two user groups named manager and employee and assign user accounts to them. For instructions, see the following:
# Configure the login flow
To enable conditional authentication:
- On the Asgardeo Console, click Applications.
- Select the relevant application and go to its Login Flow tab.
- Add group-based adaptive MFA using your preferred editor:
Using the Classic Editor

To add group-based adaptive MFA using the classic editor:
- Click Start with default configuration to define the login flow starting with the username and password login.
- Turn on Conditional Authentication by switching the toggle on.
- Select the Adaptive MFA > Group-Based template.
Using the Visual Editor

To add group-based adaptive MFA using the visual editor:
- Switch to the Visual Editor tab, and expand Predefined Flows > Conditional Login Flows > Adaptive MFA.
- Click + ADD next to Group-Based to add the group-based adaptive MFA script.
- Click Confirm to replace any existing script with the selected predefined script.

Important: As a security measure, Asgardeo does not allow the usage of two consecutive periods (..) in authentication scripts.

Verify that the login flow is now updated with the following two authentication steps:
- Step 1: Username and Password
- Step 2: TOTP

Update the following parameter in the script.

| Parameter | Description |
| --- | --- |
| groupsToStepUp | Comma-separated list of user groups. Two-factor authentication should apply to users from these groups. |

For this example scenario, enter manager and employee. Click Update to confirm.
# How it works
Shown below is the script of the group-based conditional authentication template.
```javascript
var groupsToStepUp = ['manager', 'employee'];

var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting authenticated subject from the first step.
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given groups.
            var isMember = isMemberOfAnyOfGroups(user, groupsToStepUp);
            if (isMember) {
                Log.info(user.username + ' is a member of one of the groups: ' + groupsToStepUp.toString());
                executeStep(2);
            }
        }
    });
};
```
Let's look at how this script works.
- When step 1 of the authentication flow is complete, the onLoginRequest function retrieves the user from the context.
- The user and the configured list of groups are passed to the isMemberOfAnyOfGroups function.
- This function (which is available in Asgardeo by default) verifies whether the given user belongs to any of the listed groups.
- If the user belongs to any of the configured groups, authentication step 2 (TOTP) is prompted.
Find out more about the scripting language in the Conditional Authentication API Reference.
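The following is an added example, not Asgardeo's own code: a small offline harness that wraps the template script above with stand-ins for the runtime functions it relies on (executeStep, isMemberOfAnyOfGroups, Log and the context object). Those stand-ins are assumptions that model only the behaviour this page describes; they let you check, before deploying a script, which authentication steps fire for a member of a listed group, for a user in no listed group, for a user in both groups, and for a failed first step.

```javascript
// Added example (not Asgardeo's code): offline harness for the group-based
// template. In production, executeStep, isMemberOfAnyOfGroups, Log and the
// context are provided by Asgardeo; the stand-ins below are assumptions.

// Template script as shown on the page.
var groupsToStepUp = ['manager', 'employee'];

var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting authenticated subject from the first step.
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given groups.
            var isMember = isMemberOfAnyOfGroups(user, groupsToStepUp);
            if (isMember) {
                Log.info(user.username + ' is a member of one of the groups: ' + groupsToStepUp.toString());
                executeStep(2);
            }
        }
    });
};

// ---- Constructed stand-ins for the Asgardeo runtime (assumptions) ----

var trace = [];        // steps executed during the current simulated login
var logLines = [];     // messages the script wrote via Log.info
var currentContext = null;

var Log = {
    info: function (message) { logLines.push(message); }
};

// Records the step; fires onSuccess only when the constructed outcome for that
// step says it passed (for step 1, a correct password).
function executeStep(stepId, callbacks) {
    trace.push(stepId);
    var passed = currentContext.stepOutcomes[stepId] === true;
    if (passed && callbacks && typeof callbacks.onSuccess === 'function') {
        callbacks.onSuccess(currentContext);
    }
}

// True when at least one of the user's groups appears in the configured list.
// Matching is exact (case-sensitive) in this stand-in.
function isMemberOfAnyOfGroups(user, groups) {
    return user.groups.some(function (g) { return groups.indexOf(g) !== -1; });
}

// Simulates one login for a user with the given groups. passwordOk models the
// outcome of step 1. Returns the ordered list of step ids that were executed.
function simulateLogin(username, userGroups, passwordOk) {
    trace = [];
    logLines = [];
    currentContext = {
        currentKnownSubject: { username: username, groups: userGroups },
        stepOutcomes: { 1: passwordOk === true, 2: true }
    };
    onLoginRequest(currentContext);
    return trace.slice();
}

// Returns the Log.info messages written during the last simulated login.
function getLogLines() {
    return logLines.slice();
}

// Demonstration with constructed users.
console.log('manager:', simulateLogin('alice', ['manager'], true));                 // [1, 2]
console.log('no match:', simulateLogin('bob', ['sales'], true));                    // [1]
console.log('both groups:', simulateLogin('carol', ['manager', 'employee'], true)); // [1, 2]
console.log('bad password:', simulateLogin('dave', ['employee'], false));           // [1]
```

Run it with node. The harness mirrors the page's description of the flow: step 2 is reached only after step 1 succeeds and only for users in one of the configured groups, so a typo in groupsToStepUp (or a group name that differs only in case, under this stand-in's exact matching) would show up as a member user reaching only step 1.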
# Try it out
Follow the steps given below.
- Access the application URL.
- Try to log in with a user who does not belong to any of the configured groups (manager or employee). You will successfully sign in to the application.
- Log out of the application.
- Log in with a user who belongs to the manager or employee group, or both. TOTP authentication is prompted.