Question

Unisys
AU
Last activity: 20 Feb 2024 19:44 EST
Multifactor Authentication (MFA) during Login
Hi there,
We are using Pega's OOTB MFA during login, which basically sends an OTP to the mobile number/email IDs configured on the operator's profile. We have created a new authentication service and disabled the */prweb servlet, as MFA can't be applied to it. So all requests to */prweb get redirected to an MFA URL configured as part of the authentication service.
We have implemented this and it is working fine. However, we would like to know whether there is a way for us to suppress this for a bunch of users (for example, automation test users). As of now we haven't found any solution for this, so we are wondering if anyone has implemented this or knows the different options to solve it.
There are a couple of options:
Option 1 - Keep both URLs, */prweb and */PRAuth/<Authentication service alias>, open. However, we won't be able to control which user is using which way to log in, as both channels are open. Unfortunately, we can't restrict users (who are able to get OTPs/non-automation users) using the "Use external authentication" option on their operator profile, as the MFA URL */PRAuth/<Authentication service alias> is still using the basic credentials (username and password) to validate.
Option 2 - Find extension points, if available, and bypass MFA for automation users (who don't get OTPs). Interestingly, Pega handles this for the Pega-supplied operator [email protected], meaning it bypasses MFA for this particular user.
I tried tracing the unauthenticated requestor to see how Pega skips MFA for [email protected]; however, I didn't find any clues. What I can see from Tracer is that Pega calls pzHandleMFA for a normal user for MFA and doesn't call this activity for [email protected].
I have identified a property, pyIsPEGASuppliedOperator, on the operator class Data-Admin-Operator-ID; if this is set to true, it looks like this may skip MFA. However, this doesn't always work.
So, does anyone know how to suppress MFA for certain sets of users? Or how Pega is suppressing MFA for [email protected]? Are there any loggers which can be enabled to find out what's going on during login and how Pega is suppressing MFA for [email protected]?
Appreciate your help!
Thank you.
***Edited by Moderator Marije to add Case tags***
***Edited by Moderator Marissa to add Support Case Details***
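The post's Option 2 amounts to an MFA exemption policy for a small set of automation accounts. The following is an added example, not code from the original post and not a Pega extension point: it models such a policy as a single decision function so the exemption is explicit and auditable rather than hanging off a per-operator flag. It assumes hypothetical names (`MFA_EXEMPT_OPERATORS`, `AUTOMATION_NETWORKS`, `LoginContext`) and a design choice that an exempt account must also connect from an allowlisted automation network; the `is_pega_supplied` field only mirrors the `pyIsPEGASuppliedOperator` property the poster mentions and, in this example, never exempts a user on its own.

```python
"""Added example: an explicit MFA-exemption decision for automation accounts.

Not Pega code. Configuration names and the sample login contexts below are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed configuration (example values, not Pega settings).
# Exemptions are an explicit allowlist of operator IDs, compared case-insensitively.
MFA_EXEMPT_OPERATORS = frozenset({
    "automation.user1@example.com",
    "automation.user2@example.com",
})
# An exempt account must also arrive from one of these networks (assumed CI/test range).
AUTOMATION_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


@dataclass(frozen=True)
class LoginContext:
    """What the policy sees for one login attempt (hypothetical shape)."""
    operator_id: str
    client_ip: str
    is_pega_supplied: bool = False  # models pyIsPEGASuppliedOperator; informational only


def client_in_automation_network(client_ip: str) -> bool:
    """True if client_ip parses and falls inside an allowlisted automation network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Unparseable or missing address: fail closed (treated as not automation).
        return False
    return any(addr in net for net in AUTOMATION_NETWORKS)


def mfa_decision(ctx: LoginContext) -> Tuple[bool, str]:
    """Return (require_mfa, reason).

    The reason string is meant to be written to the login audit log so that
    every skipped second factor is attributable to a specific rule.
    """
    op = ctx.operator_id.strip().lower()
    if op in MFA_EXEMPT_OPERATORS:
        if client_in_automation_network(ctx.client_ip):
            return False, "exempt operator from automation network"
        # Listed account, but from an unexpected address: keep the second factor.
        return True, "exempt operator outside automation network"
    if ctx.is_pega_supplied:
        # Design choice for this example: the flag alone never disables MFA.
        return True, "pega-supplied flag alone does not exempt"
    return True, "default: MFA required"


def evaluate_logins(contexts: Iterable[LoginContext]) -> List[Tuple[str, bool, str]]:
    """Apply the policy to many attempts; returns (operator_id, require_mfa, reason)."""
    return [(c.operator_id, *mfa_decision(c)) for c in contexts]


# Constructed sample attempts covering each branch of the policy.
SAMPLE_LOGINS = [
    LoginContext("automation.user1@example.com", "10.20.30.5"),      # exempt, in-network
    LoginContext("Automation.User2@example.com", "203.0.113.9"),     # exempt, off-network
    LoginContext("jane.doe@example.com", "10.20.30.5"),              # normal user
    LoginContext("some.admin@example.com", "10.20.30.7", True),      # flagged, not listed
    LoginContext("automation.user1@example.com", "not-an-ip"),       # bad address
]

if __name__ == "__main__":
    for operator_id, require_mfa, reason in evaluate_logins(SAMPLE_LOGINS):
        print(f"{operator_id:32} require_mfa={require_mfa!s:5} reason={reason}")
```

The two conditions are combined deliberately: an allowlist entry alone would let anyone who obtains the automation account's password log in without a second factor from anywhere, whereas tying the exemption to a source network keeps that password useful only from the test infrastructure. Whatever mechanism is used inside Pega, the same two properties are worth preserving: the exemption is a named, reviewable list, and each skipped OTP leaves an audit record.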