MFA Redirection for Shared Secrets
This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.
Shared accounts, such as service accounts or administrator accounts, use shared secrets from Secret Server. A shared secret can be checked out by different users and used to log in to endpoints that require MFA. Since the secret itself cannot respond to an MFA challenge, MFA redirection is needed so that the user who checked out the secret can respond instead.
When an endpoint is protected by a PCS policy that requires MFA for login, and a user checks out a shared secret and uses it to log in to that endpoint, Delinea Platform uses MFA redirection to allow the user to provide their own MFA credentials and satisfy the login policy.
When you want to enable any user who is logged in to the platform tenant to use their own MFA challenge answers to log in remotely to an endpoint or access a privileged operation with a shared secret, you must set up MFA for shared secrets. This involves mapping an Active Directory identity to a vaulted secret. When a platform user checks out the secret and tries to log in to an endpoint or access a privileged operation with it, the user can complete the MFA challenge using their own MFA login attributes (such as a code generated by a personal security authenticator device).
Without this mapping and redirection, it would be impossible for shared secrets to be used with MFA. With the mapping and redirection, MFA authentication challenges and policy enforcement are redirected to the user who is using the secret.
Audit logs show which individual user checked out the shared secret and completed the MFA challenge. This increases transparency and accountability.
In order for this feature to work, the PCS agent, also known as the DirectControl agent, must be running at version 2025.1.3 or later. See Server Suite Release Notes.
To set up MFA redirection for shared secrets:
- Log in to the tenant as an administrator.
- Open the Secret identity mapping page. (Use the Search box to find it.)
- Select Create mapping.
- In the Select Secret dialog, select the secret that is to be mapped.
  A secret can only be mapped to one identity. If a secret already appears in a row in the list, you cannot use it again.
- In the Select Identity dialog, select the identity you want to map to the secret.
  This identity must be a shared account listed in the Subjects section of the login policy that requires MFA.
  An identity can only be mapped to one secret. If an identity already appears in a row in the list, you cannot use it again.
The mapping between secret and identity is complete, and you can use the mapped secret wherever MFA is required for access.
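The following is an added conceptual model of the behaviour described on this page; it is not Delinea Platform, Secret Server or DirectControl agent code. It enforces the two mapping rules from the procedure (a secret maps to at most one identity, an identity maps to at most one secret), redirects the MFA challenge raised for the shared account to the platform user who checked the secret out, and writes an audit record naming that user. The class and method names, the `mfa_check` callback standing in for the platform's own MFA verification, and the sample secret, identity and endpoint names are all assumptions constructed for the illustration.

```python
"""Conceptual model of MFA redirection for shared secrets.

Added illustration, not Delinea product code. It models the rules the
documentation states: one-to-one secret/identity mapping, MFA challenges
answered by the individual who checked out the secret, and audit records
that name that individual rather than the shared account.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


class MappingError(ValueError):
    """Raised when a new mapping would violate the one-to-one rule."""


@dataclass
class AuditEvent:
    platform_user: str   # individual who checked out the secret and answered MFA
    secret_id: str       # vaulted shared secret that was used
    identity: str        # AD shared account the secret is mapped to
    endpoint: str        # endpoint protected by the MFA login policy
    mfa_result: str      # "satisfied", "failed" or "no-mapping"


class SecretIdentityMapper:
    """Hypothetical mapping registry plus MFA redirection resolver."""

    def __init__(self) -> None:
        self._secret_to_identity: dict[str, str] = {}
        self._identity_to_secret: dict[str, str] = {}
        self.audit_log: list[AuditEvent] = []

    def create_mapping(self, secret_id: str, identity: str) -> None:
        """Map a vaulted secret to one AD identity; both must be unused."""
        if secret_id in self._secret_to_identity:
            raise MappingError(f"secret {secret_id!r} is already mapped")
        if identity in self._identity_to_secret:
            raise MappingError(f"identity {identity!r} is already mapped")
        self._secret_to_identity[secret_id] = identity
        self._identity_to_secret[identity] = secret_id

    def identity_for(self, secret_id: str) -> str | None:
        """Return the AD identity mapped to a secret, or None if unmapped."""
        return self._secret_to_identity.get(secret_id)

    def redirect_mfa(
        self,
        platform_user: str,
        secret_id: str,
        endpoint: str,
        mfa_check: Callable[[str], bool],
    ) -> AuditEvent:
        """Resolve the MFA challenge for a login to `endpoint` with `secret_id`.

        `mfa_check(user)` is an assumed stand-in for the platform verifying the
        individual user's own MFA factor; it returns True when the user passes.
        The shared account never answers the challenge itself.
        """
        identity = self.identity_for(secret_id)
        if identity is None:
            # Without a mapping there is nobody to redirect the challenge to,
            # so the MFA-protected login cannot succeed (assumed behaviour).
            event = AuditEvent(platform_user, secret_id, "<unmapped>", endpoint, "no-mapping")
        else:
            result = "satisfied" if mfa_check(platform_user) else "failed"
            event = AuditEvent(platform_user, secret_id, identity, endpoint, result)
        # The audit record names the individual, not the shared account.
        self.audit_log.append(event)
        return event


def demo() -> SecretIdentityMapper:
    """Run a constructed scenario and return the mapper for inspection."""
    mapper = SecretIdentityMapper()
    # Constructed sample values; not real secrets, accounts or hosts.
    mapper.create_mapping("secret-svc-backup", "CORP\\svc-backup")
    # Pretend only "alice" can pass her personal MFA factor in this scenario.
    mfa_passes = lambda user: user == "alice"
    mapper.redirect_mfa("alice", "secret-svc-backup", "db01", mfa_passes)
    mapper.redirect_mfa("mallory", "secret-svc-backup", "db01", mfa_passes)
    mapper.redirect_mfa("alice", "secret-unmapped", "db01", mfa_passes)
    return mapper


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event)
```

Running the module prints three audit events: one satisfied login attributed to the individual user, one failed attempt by a user who could not answer MFA, and one refused attempt with an unmapped secret. Trying to map the same secret or the same identity a second time raises `MappingError`, mirroring the rule that a secret or identity already shown in a row cannot be reused.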