Configuring Mobile Multi-Factor Authentication

Follow these steps to configure Mobile Multi-Factor Authentication (MMFA).

Before you begin

Ensure that the following requirements are met:
  • The IBM® Verify Identity Access Platform and Advanced Access Control Module are activated.
  • The runtime component and a reverse proxy instance are configured.
  • Basic User support is enabled on the local LDAP.
  • A transparent path junction to /scim on localhost is configured, with:
    • Basic authentication (BA) to the junction enabled, using the easuser account
    • The isam_mobile_rest ACL attached to /scim (this ACL is created by the Reverse Proxy MMFA Config API in step 2 of the procedure, so attach it after that step)
  • Username Password Mechanism is configured.
  • Server connection to local LDAP is set up.
  • SCIM is configured with local LDAP server connection dc=iswga suffix.

Procedure

  1. Create an API Protection definition and an API Protection client with:
    • The authorization code and Resource Owner Password Credentials (ROPC) grant types enabled
    • Redirect URI: https://<webseal_hostname>:<port>/mga/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=<client_ID>
    Note:

    The redirect URI is essential: when a user clicks the Register Authenticator button in the User Self Care (USC) UI, the authorization code flow returns the user to this URI, which serves the QR code page. If it is missing or does not match the registered client, the redirect fails.

  2. Run the Reverse Proxy MMFA Config API.

    This step configures the /mga junction and creates the required ACLs.

    1. Open the Reverse Proxy page in the LMI Web > Manage > Reverse Proxy.
    2. Select the reverse proxy instance to configure and click Manage > AAC and Federation Configuration > MMFA Configuration.
    3. Enter the required values in the dialog fields and click Finish.
  3. Run the AAC MMFA Config API.

    This step stores the reverse proxy details where the AAC runtime can read them.

    1. Open the MMFA Configuration page in the LMI AAC > Manage > MMFA Configuration.
    2. Click the Wizard button.
    3. Enter the required values in the dialog fields and click Save.
  4. If the PreTokenGeneration mapping rule supplies custom tokens, complete the following steps so that the custom token is stored as a hashed value. Hashed storage is one-way: the runtime keeps only the hash and compares incoming tokens against it, so the token value itself is not recoverable from the database.
    • Set the advanced configuration property oauth20.hashedTokenStorageEnabled to true.
      1. Open the advanced configuration page in the LMI: AAC > Global Settings > Advanced Configuration.
      2. Select the oauth20.hashedTokenStorageEnabled property and click Edit.
      3. Select the Enabled checkbox and click Save.
    • Update the PreTokenGeneration mapping rule to set the custom token as persistent.
      1. Open the mapping rules page in the LMI: AAC > Global Settings > Mapping Rules.
      2. Open the PreTokenGeneration mapping rule that corresponds to the correct API Protection Definition.
      3. Set the enable_custom_tokens variable to true:
        var enable_custom_tokens = true;
      4. Add the following line inside the enable_custom_access_tokens block, at the location shown. The attribute marks the custom access token as persistent so that the runtime stores it (hashed, with the property above enabled) and can validate it on later requests.

        if (enable_custom_tokens) {
            if (populate_access_token && enable_custom_access_tokens) {

                // Add this new line of code: mark the custom access token as persistent
                stsuu.addContextAttribute(new Attribute("urn:ibm:ITFIM:oauth20:custom:token:access_token", "urn:ibm:ITFIM:oauth20:custom:token:persistent", "true"));

            }
        }