Question
Unisys
AU
Last activity: 20 Feb 2024 19:44 EST
Multifactor Authentication (MFA) during Login
Hi there,
We are using PEGA's OOTB MFA during login - which basically sends OTP on mobile number/email Ids configured on operator's profile. We have created a new authentication service and disabled */prweb servlet as MFA can't be applied to this. So all the requests to */prweb gets redirected to a MFA URL configured as part of Authentication service.
We have implemented this and working fine. However, we would like to know is there a way for us to suppress this for a bunch of users (for example - automation test users)? As of now we didn't find any solution for this so wondering if anyone has implemented this or know the different options to solve this.
There are a couple of options:
Option 1 - Keep both URLs */prweb and */PRAuth/<Authentication service alias> Open. However, we won't be able to control which user is using which way to login as both the channels as open. Unfortunately, we can't restrict users (who are able to get OTP/non-automation users) using "Use external authentication" option on their operator profile as MFA URL */PRAuth/<Authentication service alias> is still using the basic credentials to validate (using username and password).
Option 2 - Find extension points if available and bypass the MFA for automation users (who don't get OTPs). Interestingly PEGA handles this for PEGA supplied operator [email protected] - meaning it by passes MFA for this particular user.
Hi there,
We are using PEGA's OOTB MFA during login - which basically sends OTP on mobile number/email Ids configured on operator's profile. We have created a new authentication service and disabled */prweb servlet as MFA can't be applied to this. So all the requests to */prweb gets redirected to a MFA URL configured as part of Authentication service.
We have implemented this and working fine. However, we would like to know is there a way for us to suppress this for a bunch of users (for example - automation test users)? As of now we didn't find any solution for this so wondering if anyone has implemented this or know the different options to solve this.
There are a couple of options:
Option 1 - Keep both URLs */prweb and */PRAuth/<Authentication service alias> Open. However, we won't be able to control which user is using which way to login as both the channels as open. Unfortunately, we can't restrict users (who are able to get OTP/non-automation users) using "Use external authentication" option on their operator profile as MFA URL */PRAuth/<Authentication service alias> is still using the basic credentials to validate (using username and password).
Option 2 - Find extension points if available and bypass the MFA for automation users (who don't get OTPs). Interestingly PEGA handles this for PEGA supplied operator [email protected] - meaning it by passes MFA for this particular user.
I tried tracing unauthenticated requestor to see how PEGA skips MFA for [email protected] - however didn't find any clues, what I can see from tracer is PEGA calls pzHandleMFA for a normal user for MFA and doesn't call this activity for [email protected].
There is a property identified which is part of Operator class Data-admin-Operator-Id pyIsPEGASuppliedOperator ; if this is set to True looks like this may skip MFA; however, this doesn't work always.
So, does anyone know how to suppress MFA for certain sets of users? Or how pega is suppressing MFA for [email protected]? Any loggers which can be enabled to find what's going on during login and how pega is suppressing MFA for [email protected]?
Appreciate your help!
Thank you.
***Edited by Moderator Marije to add Case tags***
***Edited by Moderator Marissa to add Support Case Details***
Accepted Solution
Updated: 20 Feb 2024 19:44 EST
Pegasystems Inc.
GB
@SadanM16854326 I can see that the support ticket was also closed with the details you provided above:
After Upgrading to 8.8.3 you made below changes which made it work
1- enabled OOTB platform authentication with the same policies applied as of Client authentication service.
2- So now if log out and login back in the same window using same or a different user, system asks for an OTP.
Please could you mark your reply with Accept Solution if your scenario is now working?
Note that the main MFA documentation can be found here:
Saltech Consulting
HU
Hey, did you figure out why the pyIsPEGASuppliedOperator does not work in all cases?
Unisys
AU
@gergokoppany - thank you for your message. Unfortunately, we didn't get answer for this. There is limited support on option 2 from PEGA.
However, we end up doing MFA during login through an external provider, we didn't use PEGA's OOTB capability.
Accepted Solution
Updated: 20 Feb 2024 19:44 EST
Pegasystems Inc.
GB
@SadanM16854326 I can see that the support ticket was also closed with the details you provided above:
After Upgrading to 8.8.3 you made below changes which made it work
1- enabled OOTB platform authentication with the same policies applied as of Client authentication service.
2- So now if log out and login back in the same window using same or a different user, system asks for an OTP.
Please could you mark your reply with Accept Solution if your scenario is now working?
Note that the main MFA documentation can be found here: