Add MFA based on user store
You can enable a more secure login flow for users that belong to specific user stores by applying the User Store-Based conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP for users who belong to the user store you specify.
Scenario
Consider a scenario with two user stores, EMPLOYEES and CONTRACTORS. For users assigned to these user stores, the login flow in applications should be stepped up with TOTP as follows:
- Username and password
- TOTP
Prerequisites
- You need to register an application with WSO2 Identity Server. You can register your own application or use one of the sample applications provided.
- Create two user stores named EMPLOYEES and CONTRACTORS and add user accounts to them. For instructions, see the following:
Configure the login flow
To enable conditional authentication:
- On the WSO2 Identity Server Console, click Applications.
- Select the relevant application and go to its Login Flow tab.
- Add user store-based adaptive MFA as follows:
  - Go to Predefined Flows > Conditional Login Flows.
  - Click Adaptive MFA > User Store-Based > ADD to add the user store-based adaptive MFA script.
  - Click Confirm on the prompt to replace any existing script with the current script.
- Verify that the login flow is now updated with the following two authentication steps:
  - Step 1: Username and Password
  - Step 2: TOTP
- Update the following parameter in the script.

  | Parameter | Description |
  | --- | --- |
  | `userStoresToStepUp` | Comma-separated list of user stores. Two-factor authentication should apply to users from the specified user stores. For this example scenario, enter EMPLOYEES and CONTRACTORS. |

- Click Update to confirm.
How it works
Shown below is the script of the user store-based conditional authentication template.

```javascript
// This script will prompt 2FA to the app only for a selected set of user stores.
// If the user is in one of the following user stores, the user will be prompted for 2FA.
var userStoresToStepUp = ['EMPLOYEES', 'CONTRACTORS'];

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extract the user store domain of the authenticated subject from the first step
            var userStoreDomain = context.currentKnownSubject.userStoreDomain;
            // Check whether the user belongs to one of the user stores configured for step-up
            if (userStoresToStepUp.indexOf(userStoreDomain) >= 0) {
                executeStep(2);
            }
        }
    });
};
```
Let's look at how this script works.
- When step 1 of the authentication flow is complete, the `onSuccess` callback inside the `onLoginRequest` function retrieves the user from the context.
- The `userStoreDomain` is extracted from the authentication information provided in step one.
- The script checks whether the extracted `userStoreDomain` is among the values specified for the variable `userStoresToStepUp`.
- If the user belongs to any of the configured user stores, authentication step 2 (TOTP) is prompted. Users from any other user store complete login after step 1 alone.
Note
Find out more about the scripting language in the Conditional Authentication API Reference.
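To see the decision in the template run end to end without a server, here is an added example that is not part of the WSO2 documentation or product code. It models only the pieces of the conditional authentication API the template touches (`executeStep` and `context.currentKnownSubject.userStoreDomain`); the harness standing in for the authentication engine and the sample accounts are constructed assumptions, not the engine's implementation. It shows that a user from an unlisted store such as PRIMARY (the default user store domain) gets step 1 only, and that a failed step 1 never reaches step 2.

```javascript
// Added example, not WSO2's own code: a small stand-in for the adaptive
// authentication engine so the template's decision can be exercised offline.
// Assumed: executeStep(stepId, options) records a step and, on success, calls
// options.onSuccess(context); context.currentKnownSubject.userStoreDomain is
// populated once step 1 succeeds. Only those shapes from the template are used.

const userStoresToStepUp = ['EMPLOYEES', 'CONTRACTORS'];

// The template's rule as a pure function: step up only when the domain is listed.
// An unknown or missing domain returns false, so unlisted stores stay single-factor.
function requiresStepUp(userStoreDomain, stores = userStoresToStepUp) {
  return stores.indexOf(userStoreDomain) >= 0;
}

// Builds an onLoginRequest with the same structure as the template, bound to
// whatever executeStep the caller supplies (the engine's, or the harness below).
function buildOnLoginRequest(executeStep, stores = userStoresToStepUp) {
  return function onLoginRequest(context) {
    executeStep(1, {
      onSuccess: function (ctx) {
        const userStoreDomain = ctx.currentKnownSubject.userStoreDomain;
        if (requiresStepUp(userStoreDomain, stores)) {
          executeStep(2);
        }
      },
    });
  };
}

// Harness that plays the engine for one login attempt and returns the list of
// step ids that were executed, e.g. [1, 2] when TOTP was prompted.
function runLoginFlow(user, stores = userStoresToStepUp) {
  const stepsExecuted = [];
  const context = { currentKnownSubject: null };

  function executeStep(stepId, options) {
    stepsExecuted.push(stepId);
    if (stepId === 1) {
      // A failed password check ends the flow: onSuccess is never invoked,
      // so step 2 cannot be reached by an unauthenticated user.
      if (!user.passwordOk) return;
      context.currentKnownSubject = {
        username: user.username,
        userStoreDomain: user.userStoreDomain,
      };
    }
    if (options && typeof options.onSuccess === 'function') {
      options.onSuccess(context);
    }
  }

  buildOnLoginRequest(executeStep, stores)(context);
  return stepsExecuted;
}

// Constructed sample accounts for the scenario (not real users).
const sampleUsers = [
  { username: 'alice', userStoreDomain: 'EMPLOYEES',   passwordOk: true },
  { username: 'bob',   userStoreDomain: 'CONTRACTORS', passwordOk: true },
  { username: 'carol', userStoreDomain: 'PRIMARY',     passwordOk: true },
  { username: 'dave',  userStoreDomain: 'EMPLOYEES',   passwordOk: false },
];

for (const user of sampleUsers) {
  console.log(user.username, user.userStoreDomain, '->', JSON.stringify(runLoginFlow(user)));
}
```

Run it with `node`. Because the decision is a plain `indexOf` comparison, a store name that does not match the domain exactly as the server reports it is treated as unlisted and that user logs in with a password alone, so the entries in `userStoresToStepUp` should be checked against the actual user store domain names after any rename.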
Try it out
Follow the steps given below.
- Access the application URL.
- Try to log in with a user who does not belong to any of the configured user stores (EMPLOYEES or CONTRACTORS). You will successfully sign in to the application.
- Log out of the application.
- Log in with a user who belongs to the EMPLOYEES or CONTRACTORS user store. TOTP authentication is prompted.