Configuring user groups for multifactor authentication with IBM Security Verify
After you configure multifactor authentication on the system, you must enable multifactor authentication for user groups and add users to those groups in IBM® Security Verify.
As part of multifactor authentication configuration, you must enable the function per user group. The system supports enabling multifactor authentication for local and remote user groups.
- Ensure that at least one user with the Security Administrator role does not have multifactor authentication enabled. If a security administrator is locked out of the system because of an error in the multifactor authentication setup, that additional user can still access the system and correct the configuration.
- Enable multifactor authentication on a user group that has no logged-in users, or keep an SSH session open while you enable it, so that you can revert the change if users are locked out of the system.
For remote users that authenticate with LDAP servers, install and configure IBM Security Verify Bridge for Directory Sync on your LDAP server, such as Windows Active Directory. IBM Security Verify Bridge for Directory Sync duplicates any users and groups that are defined on the source LDAP server into the Cloud Directory in IBM Security Verify. Any subsequent changes that are made to the source LDAP server are copied automatically to the Cloud Directory in IBM Security Verify. For local users, each user must be added manually to the Cloud Directory in IBM Security Verify.
Using the management GUI
- For existing user groups:
- In the management GUI, select .
- Select the user group from the left navigation and select .
- On the User Group Properties page, select On under Multifactor Authentication to enable second-factor authentication for all users in the user group. These users authenticate with the first factor that is stored on the local system and are then required to provide a second factor through a supported authentication service before they can access the system.
- Click OK.
- For new user groups for local users:
- In the management GUI, select .
- On the Create User Group page, enter the following information:
- Group Name
- Enter a name of the user group.
- Ownership Group
- If ownership groups are configured on your system, you can select an ownership group for the user group.
- Multifactor Authentication
- Select On to enable second-factor authentication for local users on the system. These users authenticate with the first factors that are stored on the local system and then are required to provide a second factor to access the system through a supported authentication service.
- Role
- Select a role for the user group.
- Click Create.
- Select .
- On the Create User page, enter the following information:
- Name
- Enter a user name for the user. This user name must match the user name that is added to the Cloud Directory on IBM Security Verify.
- Authentication mode
- Select Local.
- User Group
- Select the name of the user group that the local user belongs to.
- Password
- Enter a password that is used as the first factor for management GUI access.
- SSH key
- For CLI users, include a public SSH key that is used as the first factor for CLI access.
- Click Create. Repeat these steps for all local users.
- For new user groups for remote users:
- Select .
- On the Create User Group page, enter the following information:
- Group Name
- Enter the name of the group that is on the remote LDAP server. The name of the group on the system must match.
- Ownership Group
- If ownership groups are configured on your system, you can select an ownership group for the user group.
- Remote Authentication
- Select LDAP.
- Multifactor authentication
- Select On to enable second-factor authentication for remote users on the system. These users authenticate with the first factors that are stored on the remote LDAP server and then are required to provide a second factor to access the system through a supported authentication service.
- Click Create.
- Remote users are defined on the remote authentication service, so they do not need to be created on the system unless they require access to the command-line interface with a Secure Shell (SSH) key. To create remote users who require command-line access, select .
- On the Create User page, enter the following information:
- Name
- Enter a name for the user.
- Authentication mode
- Select Remote.
- SSH key
- For remote users who require command-line access to the system, select the public SSH key that is stored locally on the system.
- Click Create. Repeat these steps for all remote users.
Using the CLI
- For existing user groups:
  chusergrp -multifactor yes <id or name of group>
- For new user groups for local users:
  mkusergrp -name name -role role -multifactor yes
- For new user groups for remote users:
  mkusergrp -name name -role role -multifactor yes -remote
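The lockout precaution above (keep at least one Security Administrator without multifactor authentication) is easy to get wrong when several groups carry that role. The following shell script is an added example, not IBM's own tooling: it checks that precondition against the output of lsusergrp and lsuser before emitting the chusergrp command, and refuses when enabling MFA on the requested group would leave no SecurityAdmin able to log in with a first factor alone. The sample listings are constructed, and the column names (multi_factor, usergrp_name, and so on) are assumptions modelled on the -delim : output of those commands; compare them with the header line your own system prints before using the script against it.

```shell
#!/bin/sh
# Added example, not IBM tooling: guard the "keep one SecurityAdmin without MFA"
# rule before running chusergrp -multifactor yes. The sample listings below are
# constructed, and the column names (multi_factor, usergrp_name, ...) are
# assumptions modelled on `lsusergrp -delim :` and `lsuser -delim :`; check the
# header line your own system prints before using this against it.

# Constructed `lsusergrp -delim :` output (assumed columns).
USERGRPS='id:name:role:remote:multi_factor
0:SecurityAdmin:SecurityAdmin:no:no
1:Administrator:Administrator:no:yes
2:Service:Service:no:no
5:StorageAdmins:SecurityAdmin:no:yes'

# Constructed `lsuser -delim :` output (assumed columns).
USERS='id:name:remote:usergrp_name
0:superuser:no:SecurityAdmin
1:alice:no:Administrator
2:bob:no:StorageAdmins'

# Print how many users would still hold the SecurityAdmin role with MFA off
# after MFA is switched on for GROUP: their group must carry that role, must
# not already have multi_factor=yes, and must not be GROUP itself.
safe_secadmins_after() {
    group=$1
    grp_file=$(mktemp) || return 1
    usr_file=$(mktemp) || return 1
    printf '%s\n' "$USERGRPS" > "$grp_file"
    printf '%s\n' "$USERS" > "$usr_file"
    awk -F: -v target="$group" '
        FNR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header of each listing
        NR == FNR {                                                  # first file: user groups
            if ($(col["role"]) == "SecurityAdmin" && $(col["multi_factor"]) == "no" && $(col["name"]) != target)
                safe[$(col["name"])] = 1
            next
        }
        $(col["usergrp_name"]) in safe { n++ }                       # second file: users
        END { print n + 0 }
    ' "$grp_file" "$usr_file"
    rm -f "$grp_file" "$usr_file"
}

# Emit the CLI command that enables MFA on GROUP, or refuse (return 1) when
# doing so would leave nobody with a first-factor-only SecurityAdmin login.
mfa_enable_command() {
    group=$1
    n=$(safe_secadmins_after "$group") || return 1
    if [ "$n" -lt 1 ]; then
        echo "refusing: MFA on '$group' would leave no SecurityAdmin able to log in without a second factor" >&2
        return 1
    fi
    printf 'chusergrp -multifactor yes %s\n' "$group"
}

# Usage against a real system (SYSTEM is a hypothetical hostname): run the
# emitted command from an SSH session you keep open, so that you can revert
# with `chusergrp -multifactor no <group>` if the second factor is misconfigured.
#   cmd=$(mfa_enable_command Administrator) && ssh superuser@"$SYSTEM" "$cmd"
```

With the constructed data, enabling MFA on Administrator is allowed because superuser in the SecurityAdmin group keeps a first-factor-only login, while enabling it on SecurityAdmin itself is refused: StorageAdmins also carries the role, but it already has MFA on, so it does not count as a fallback. On a real system, replace the two constructed listings with the output of lsusergrp -delim : and lsuser -delim : captured over SSH.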