Key components and information for end-to-end external MFA integration

Edit online

When you enable or design a new external MFA integration, you must consider and define two key components in IBM® Verify.

MFA provider: The configuration that represents the Verify public projection of an external MFA provider integration. At run time, this component acts as an API client. Requests and responses are sent through a real-time webhook.
Real-time webhook: Provides the secure authenticated internet connection and the HTTPS client to a target external MFA provider. Designate the webhook as the API contract enforcement point. The webhook mediates the request and responses that are sent between the internal component of Verify and the target external MFA provider.

MFA Provider information

A Verify MFA provider represents the Verify conceptualization of an external MFA provider. It defines what MFA factor capabilities are exposed and how Verify users are identified and resolved in the target MFA provider. An MFA provider configuration is shown in the following example.

{
    "name": "The Provider Name",
    "description": "ISV - External Provider Integration",
    "enabled": true,
    "credentialPrefix": "emfa",
    "webhookId": "{{webhook.id}}",
    "uniqueNameAttribute": "{{unique.name.attribute}}",
    "capabilities": [
        "mobile_otp",
        "mobile_bio",
        "custom_totp"
    ]
}

The following table shows the key configuration attributes.

Configuration attribute	Description
`name`	The short friendly name of the MFA provider that is known in Verify.
`description`	A brief description of the provider.
`enabled`	Indicates whether the provider is enabled at run time. When 'true', the provider is considered available for MFA challenges.
`credentialPrefix`	A short prefix that is added to each factor capability at and is referenced by access policy evaluations. This value must be unique across all configured MFA providers within your Verify tenant. Within Verify, an external MFA factor is identified as `{credentialPrefix}:{capability}`. Note: This value must not contain a colon (`:`). .
`webhookId`	The Verify configuration UUID of the real-time webhook configuration instance backing and that is associated with the MFA provider.
`uniqueNameAttribute`	The name of a Verify standard or custom attribute that is configured in the Verify tenant. This attribute provides a mapping from the authenticated Verify user to the external MFA provider user. The value is used to look up a specific user and its MFA enrollments and capabilities in the target MFA provider.
capabilities	The list of one or more MFA factor capabilities that are to be exposed from Verify and supported by the external MFA provider. The values are strings and can contain any valid character string. The runtime behavior of a capability must be mappable to the enrollment lookup pattern and one other runtime challenge pattern.

See MFA provider configuration API referrence for details.

Webhook information

A real-time webhook configuration must be associated with an MFA Provider configuration. The real-time webhook provides the technical runtime integration between ISV and the target MFA provider service. Ideally, the webhook is also the point at which the external MFA contract is enforced and therefore acts as an API and protocol mediator between ISV and the target MFA provider. The key mechanisms by which webhooks support the ability to enforce API contract and mediation are "resources" and "transformations". For external MFA support and integration, the definition of "resources" must match the ISV external MFA API contract.

The following sample code is an example of a real-time webhook that can support the example MFA provider in the previous section.

{
    "name": "Some MFA Provider",
    "type": "realtime",
    "urls": ["https://some.address.com"],
    "authentication": {
        "type": "oauth",
        "oauth": {
            "client_id": "some_client_id",
            "client_secret": "some_client_secret",
            "token_endpoint": "https://some.address.com/token",
            "token_endpoint_auth_method": "client_secret_basic"
        }
    },
    "resources": {
        "enrollments": {
            "suffix": "/v1/enrollments",
            "method": "GET",
            "transform": {
                "outgoing": (CEL TRANSFORM),
                "incoming": (CEL TRANSFORM)
            }
        },
        "initiate": {
            "suffix": "/v1/mfa",
            "method": "POST",
            "expectedStatus": [201]
            "transform": {
                "outgoing": (CEL TRANSFORM),
                "incoming": (CEL TRANSFORM)
            }
        },
        "validate": {
            "suffix": "/v1/mfa",
            "method": "POST",
            "transform": {
                "outgoing": (CEL TRANSFORM),
                "incoming": (CEL TRANSFORM)
            }
        },
        "custom_totp_1": {
            "suffix": "/v1/mfa",
            "method": "POST",
            "transform": {
                "outgoing": (CEL TRANSFORM),
                "incoming": (CEL TRANSFORM)
            }
        },
        "result": {
            "suffix": "/v1/mfa/transactions",
            "method": "GET",
            "transform": {
                "outgoing": (CEL TRANSFORM),
                "incoming": (CEL TRANSFORM)
            }
        }
    },
    "purpose": ["external_mfa"]
}

The following table describes the configurable attributes that are associated with resources.

Attribute	Description
`suffix`	Optional. The suffix to add to the base URL being used in outbound request. Outbound requests from a webhook resource are directed to `base URL + suffix`. No slashes are added beyond what is defined in the configuration. The outgoing request URL can be modified by using an outgoing transform. For example, in the previous `enrollments` sample, the ISV Webhooks components start the API endpoint `https://some.address.com/v1/enrollments` of the target MFA provider.
`method`	Optional. The method that modifies the outgoing HTTP method from `POST` to whatever is specified. The HTTP method that is used to start the API endpoint. Valid values are `POST`, `PUT`, `GET`, `DELETE`, `PATCH`. Method can be modified with an out going transform.
`transform.outgoing`	Optional. Defines the data transformations that are applied to outbound requests before they are sent. Transformations have access to the following request elements as sent from the ISV internal MFA framework: `body`, `headers`, `http method`, `path`, `host`.
`transform.incoming`	Optional. Defines the data transformations that are applied to incoming responses before to returning to the ISV MFA framework. Transformations have access to the following request elements as sent from the ISV internal MFA framework: `body`, `headers`, `status_code`, `request` (the original request that produces the present response).
`exepctedStatus`	Optional. `ExpectedStatus` is the HTTP status that is expected from the API that is started by this webhook. If the attribute is not present, a status code in the range 200 - 299 is expected. Expected status is checked before the incoming transform is run. See HTTP Status.

See the Webhooks configuration API reference.

The External MFA provider is able to return the following responses based on its determined outcome of the external request.

Response	Definition
PENDING	The authentication is still pending completion.
SUCCESS	The authentication was successful.
FAILED	The authentication failed.
CANCELED	The authentication did not complete because an entity canceling the attempt.
TIMEOUT	The authentication did not complete due to a timeout being exceeded .

The following table summarizes considerations for designing webhook resources to support external MFA integrations. Resource design is driven by the needs of the MFA integration pattern that is being supported.

Webhook resource	Pattern	Description
`enrollments`	enrollment lookup	This resource is started by the ISV internal MFA client when it responds to a request to find a specific user's MFA enrollments and capabilities. This resource is typically needed when ISV presents the user a selection of MFA factor options as part of a runtime MFA challenge.
`{{mfa_capability_name}}_1`	`initiate` - sms, otp or `validate` - totp	This resource is started as the ISV MFA client preference when the name of the MFA factor matches the `{{mfa_capability_name}}` attribute. It is used to start an MFA challenge if the capability pattern is `initiate+validate`. It is used to validate an MFA token or value if the capability pattern is `validate only`.
`{{mfa_capability_name}}_2`	`initiate + validate` - sms, otp	This resource is started as the ISV MFA client preference when the name of the MFA factor matches the `{{mfa_capability_name}}` attribute. It is used to validate an MFA challenge.
`initiate`	`initiate + validate` - sms, otp) or `initiate + wait for completion` - mobile push	This resource is used to start an MFA challenge if no factor capability-specific resource is defined.
`validate`	`initiate` - sms, otp	This resource is used to validate an MFA challenge if no factor capability-specific resource is defined.
`result`	`initiate + wait for completion` - mobile push	This resource is used to poll for MFA challenge completion after the start of the challenge. Typically requires that an earlier start response to return a transaction identifier, some other state data, or a handle.