Add MFA based on user roles
You can enable a more secure login flow for users who belong to specific roles associated with the application by applying the Role-Based conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP or passkeys for users who belong to the user roles you specify.
Scenario
Consider a scenario with two roles, admin and manager, associated with an application. For users assigned to these roles, the login flow in the application should be stepped up with TOTP or passkeys as follows:
- Username and password
- TOTP or Passkey
Prerequisites
- You need to register an application with WSO2 Identity Server. You can register your own application or use one of the sample applications provided.
- Create two roles named admin and manager, either in the application audience (selecting the created application) or in the organization audience, and associate them with the created application.
- Assign user accounts to the created roles. For instructions, see the following:
Configure the login flow
To enable conditional authentication:
- On the WSO2 Identity Server Console, click Applications.
- Select the relevant application and go to its Login Flow tab.
- Add role-based adaptive MFA as follows:
  - Go to Predefined Flows > Conditional Login Flows.
  - Click Adaptive MFA > Role-Based > Add to add the role-based adaptive MFA script.
  - Click Confirm to replace any existing script with the selected predefined script.
- Verify that the login flow is now updated with the following two authentication steps:
  - Step 1: Username and Password
  - Step 2: TOTP and Passkey
- Update the following parameter in the script.
  Parameter: rolesToStepUp
  Description: Comma-separated list of user roles. Two-factor authentication applies to users who hold any of these roles. For this example scenario, enter admin and manager.
- Click Update to confirm.
How it works
Shown below is the script of the role-based conditional authentication template.
// This script will step up authentication for any user belonging
// to one of the given roles.
// If the user has any of the below roles, authentication will be stepped up.
var rolesToStepUp = ['admin', 'manager'];

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function(context) {
            // Extracting authenticated subject from the first step
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given roles
            var hasRole = hasAnyOfTheRolesV2(context, rolesToStepUp);
            if (hasRole) {
                Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());
                executeStep(2);
            }
        }
    });
};
Let's look at how this script works.
- When step 1 of the authentication flow is complete, the onLoginRequest function retrieves the user from the context.
- The context (carrying the authenticated user) and the configured list of roles are passed to the hasAnyOfTheRolesV2 function.
- This function (which is available in WSO2 Identity Server by default) verifies whether the given user belongs to any of the listed roles associated with the login application.
- If the user belongs to any of the configured roles, authentication step 2 (TOTP or Passkey) is prompted.
Note
Find out more about the scripting language in the Conditional Authentication API Reference.
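As an added example (not part of the WSO2 documentation or product), the following Node.js harness stubs the host functions the template relies on (executeStep, hasAnyOfTheRolesV2, Log) so its decision logic can be exercised offline before deployment. The stubs and the sample users are constructed stand-ins and do not reproduce the server's real implementations.

```javascript
// Constructed offline harness for the role-based adaptive MFA template.
// It fakes the host functions WSO2 IS exposes to adaptive scripts so the
// template's branching can be checked without a running server.
const rolesToStepUp = ['admin', 'manager'];

// Runs the template's onLoginRequest against a simulated authenticated
// subject and returns the ordered list of authentication steps executed.
function simulateLogin(username, userRoles) {
  const stepsRun = [];
  // Simulated context: the subject known after step 1 (constructed data)
  const context = { currentKnownSubject: { username, roles: userRoles } };

  // Stand-in for the server's Log object; silent in the simulation
  const Log = { info: () => {} };

  // Stand-in for hasAnyOfTheRolesV2: true if the subject holds any listed role.
  // The real function resolves roles server-side; this only models the contract.
  const hasAnyOfTheRolesV2 = (ctx, roles) =>
    roles.some((r) => ctx.currentKnownSubject.roles.includes(r));

  // Stand-in for executeStep: records the step, then invokes onSuccess
  const executeStep = (step, handlers) => {
    stepsRun.push(step);
    if (handlers && typeof handlers.onSuccess === 'function') {
      handlers.onSuccess(context);
    }
  };

  // Template body as shown on the page; the host functions are closures
  // here instead of globals so the harness stays self-contained.
  const onLoginRequest = function (ctx) {
    executeStep(1, {
      onSuccess: function (ctx) {
        const user = ctx.currentKnownSubject;
        if (hasAnyOfTheRolesV2(ctx, rolesToStepUp)) {
          Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());
          executeStep(2);
        }
      },
    });
  };

  onLoginRequest(context);
  return stepsRun; // e.g. [1, 2] for a step-up, [1] otherwise
}
```

A user in either configured role yields steps [1, 2]; a user with unrelated roles or no roles stops after step 1, which is exactly the behaviour the template is meant to enforce.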
Try it out
Follow the steps given below.
- Access the application URL.
- Try to log in with a user who does not belong to any of the configured roles (manager or admin). You will successfully sign in to the application.
- Log out of the application.
- Log in with a user who belongs to the admin or manager role. The user will be prompted to select the step-up method, and the sign-in flow will be stepped up according to the user's preference.