Multi-Factor Authentication (MFA) redirection enables users to perform MFA on behalf of any chosen user. This means the user that is logging in can be configured to perform MFA as the redirect user, and receive an identity token for the original login user after they successfully login.
Once configured, the MFA redirection is handled automatically.
Note: When you log in to an enrolled system and your account is set up to use MFA redirection, the service prompts you for your password, not the password for the MFA redirect user. This feature is available on systems that have the Centrify Client installed and enrolled
To explain how redirection works, we've defined the following two users:
Original login user: The user who is actively trying to log in.
Redirect user: The user who has MFA setup. MFA will redirect to this user to answer any MFA challenges.
MFA is performed as the redirect user, on behalf of the original login user. This means any MFA mechanism that is used (i.e. email, text, Mobile Authenticator, etc.) all are completed by the redirect user.
Note: When MFA redirect is setup, cloud clients are provided with the redirect user's information and MFA challenges. This means the original login user enters the system as the redirect user.
The general MFA redirection flow is:
In a typical use case:
The original login user has no attributes configured, and therefore they cannot satisfy any MFA.
When the original login user is challenged for additional authentication, the MFA redirection feature can be configured so the redirect user's MFA challenges (who has the required mechanisms configured) are used for the original login user to answer.
The redirect user will have all their account challenge attributes set:
This enables the original login user to satisfy the MFA requirement through answering the redirect user's MFA challenge(s).
The MFA redirect process acts as if the redirect user was directly logging in. The redirect user just facilitates the act of MFA, which causes any actions available during the login process (password reset, forgot password, account unlock, etc.) to apply to the redirect user's account, even though the original login user is the one using the login.
However, once the login is complete, the login identity will be granted to the original login user, and any actions (password reset, forgot password, account unlock, etc.) will apply back to the original login user's account.
Phone MFA example:
Since the original login user is configured for MFA redirection, the original login user can request the redirect user's phone number MFA challenge, in order to satisfy the phone MFA challenge required to login.
The policy and authentication rules for the original login user still apply whether redirection is used or not. The specified MFA redirect user will be used to determine which MFA mechanisms are able to be satisfied, as well as perform MFA.
A real-world use case is when an admin (the original login user) uses their dash-A account to perform a privileged task rather than their normal enterprise account (the redirect user). The admin does not have a phone enrolled with their dash-A account but they do with their normal enterprise account. They do have the Mobile Authenticator associated with their enterprise account. MFA redirection enables the admin to carry one phone rather than two and use the Mobile Authenticator to satisfy the MFA.
Note: You must have the MFA Redirect Management permission in order to set redirect for a user. All system admins already have this right applied to their account.
To configure a user for MFA redirection:
Note: If you select a user that is the same as the user you're currently editing, you will generate an error.