Configuring multifactor authentication

For both IBM Z® Anomaly Analytics and IBM Z Operational Log and Data Analytics, Keycloak supports multifactor authentication through various methods. Configure multifactor authentication by using the Keycloak Admin Console.

About this task

You can configure multifactor authentication in the following ways:
  • Configure two-factor authentication to use an authenticator application, such as FreeOTP, Google Authenticator, or Microsoft Authenticator.
    With this method, the following sequence indicates the authentication flow:
    1. Username and password
    2. One-time password from the authenticator application
  • Configure two-factor authentication to use a one-time password (OTP) that is sent through email or text message.
    With this method, the following sequence indicates the authentication flow:
    1. Username and password
    2. One-time password from email or text message
  • Configure multifactor authentication to use both an authenticator application and a one-time password that is sent through email or text message.
    With this method, the following sequence indicates the authentication flow:
    1. Username and password
    2. One-time password from email or text message
    3. One-time password from the authenticator application
Important:
  • For both IBM Z Anomaly Analytics and IBM Z Operational Log and Data Analytics, one-time password authentication is unavailable by default. Therefore, to use one-time password authentication, you must configure it as described in this procedure.
  • For any authentication flow that involves sending one-time passwords through email or text message, the user profile for each user ID must include a valid email address (where the email address can be cell_phone_number@email-to-sms_gateway). If a user ID does not have a valid email address, it cannot log in successfully because it does not have a way to receive the one-time password.

Procedure

Use one or more of the following methods to configure multifactor authentication.
Two-factor authentication that uses an authenticator application
To use this method, complete the following configuration steps:
  1. Navigate to the Configure section, go to the IzoaKeycloak realm, and then click Authentication.

    In the resulting Authentication page, you can configure and manage different authentication flows.

  2. Navigate to the Flows tab, go to the Flow name column, and then click ZOA browser flow with user session limit.
  3. In the Flow details page for the ZOA browser flow with user session limit, select Required in the ZOA browser flow with user session limit Browser - Conditional OTP field.
  4. To update the OTP policy, return to the Authentication page, click the Policies tab, and then click the OTP Policy tab.
    Restriction: Only FreeOTP supports customization of the fields on the OTP Policy tab. If you plan to use Google Authenticator or Microsoft Authenticator, all values on this form must remain unchanged from the installation defaults.
Two-factor authentication that uses a one-time password that is sent through email or text message
To use this method, complete the following configuration steps:
  1. Navigate to the Configure section, go to the IzoaKeycloak realm, and then click Realm Settings.
  2. In the resulting page, click the Email tab, and then provide your email server information.
  3. In the Manage section, click Clients.
  4. On the resulting Clients page, click zoa-client.
  5. On the resulting Client details page, click the Advanced tab, and then scroll down to the Authentication flow overrides section.
  6. Change the value for Browser Flow to ZOA Browser Email 2FA, and then click Save.
Multifactor authentication that uses both an authenticator application and a one-time password that is sent through email or text message
To use this method, complete the following configuration steps:
  1. Perform the steps as described in the Two-factor authentication that uses a one-time password that is sent through email or text message section.
  2. In the Configure section, click Authentication.
  3. Navigate to the Flows tab, go to the Flow name column, and then click ZOA Browser Email 2FA.
  4. In the resulting window, click Add step, and then search for OTP Form.
  5. Click OTP Form, and then click Add.
  6. For the OTP Form step, select Required.
  7. Drag the OTP Form step immediately above the User session count limiter step. Make sure that the indentation of both steps is the same, and that the indentation of the User session count limiter step is not changed.
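Because all three procedures above are carried out by clicking through the Admin Console, a practitioner usually wants a way to confirm afterwards that the realm really ended up in the intended state, for example from a realm export or from the Admin REST API output. The following Python audit is an added example and is not IBM's or Keycloak's own code. It assumes the field names of the Keycloak Admin REST API representations (displayName, requirement and level on a flow's executions list, authenticationFlowBindingOverrides on a client, otpPolicy* attributes on the realm, email on a user) and assumes that the installation defaults on the OTP Policy tab match upstream Keycloak's defaults; the flow IDs, client, realm and users in the sample data are constructed for illustration.

```python
"""Audit the Keycloak MFA settings described in this procedure (added example).

Input shapes follow the Keycloak Admin REST API representations for a realm, a client,
a user, and the executions list of an authentication flow
(GET /admin/realms/{realm}/authentication/flows/{alias}/executions).
All sample data below is constructed for illustration.
"""
from typing import Dict, List, Optional

# Upstream Keycloak OTP policy defaults; assumed here to equal the installation defaults
# that must remain unchanged for Google Authenticator and Microsoft Authenticator.
OTP_POLICY_DEFAULTS = {
    "otpPolicyType": "totp",
    "otpPolicyAlgorithm": "HmacSHA1",
    "otpPolicyDigits": 6,
    "otpPolicyPeriod": 30,
    "otpPolicyLookAheadWindow": 1,
}


def check_flow_executions(executions: List[Dict], otp_step: str,
                          limiter_step: Optional[str] = None) -> List[str]:
    """Check that otp_step is REQUIRED; if limiter_step is given, also check that otp_step
    sits immediately above it at the same indentation level (step 7 of the last procedure).
    `executions` is the list returned by the executions endpoint, in display order."""
    findings = []
    names = [e["displayName"] for e in executions]
    if otp_step not in names:
        return [f"step '{otp_step}' is missing from the flow"]
    pos_otp = names.index(otp_step)
    otp = executions[pos_otp]
    if otp.get("requirement") != "REQUIRED":
        findings.append(f"step '{otp_step}' is {otp.get('requirement')}, expected REQUIRED")
    if limiter_step is not None and limiter_step in names:
        pos_lim = names.index(limiter_step)
        limiter = executions[pos_lim]
        if pos_lim != pos_otp + 1:
            findings.append(f"'{otp_step}' is not immediately above '{limiter_step}'")
        if otp.get("level") != limiter.get("level"):
            findings.append(f"'{otp_step}' (level {otp.get('level')}) and '{limiter_step}' "
                            f"(level {limiter.get('level')}) are indented differently")
    return findings


def check_client_browser_override(client: Dict, flows: List[Dict], expected_alias: str) -> List[str]:
    """Confirm the client's Browser Flow override (Advanced tab) is bound to expected_alias."""
    bound_id = client.get("authenticationFlowBindingOverrides", {}).get("browser")
    alias_by_id = {f["id"]: f["alias"] for f in flows}
    bound_alias = alias_by_id.get(bound_id)
    if bound_alias != expected_alias:
        return [f"client '{client.get('clientId')}' browser flow is {bound_alias!r}, "
                f"expected {expected_alias!r}"]
    return []


def check_otp_policy(realm: Dict, authenticator_app: str) -> List[str]:
    """Only FreeOTP tolerates a customised OTP policy; for other apps the defaults must be intact."""
    if authenticator_app == "FreeOTP":
        return []
    return [f"{key}={realm.get(key)!r} differs from default {default!r}"
            for key, default in OTP_POLICY_DEFAULTS.items() if realm.get(key) != default]


def users_without_email(users: List[Dict]) -> List[str]:
    """Users who cannot receive an emailed or SMS one-time password.
    An email-to-SMS gateway address such as 5551234567@sms-gateway.example counts as valid."""
    return [u["username"] for u in users if "@" not in (u.get("email") or "")]


# Constructed sample data in the shape of the Admin REST API representations.
SAMPLE_FLOWS = [
    {"id": "flow-email-2fa", "alias": "ZOA Browser Email 2FA"},
    {"id": "flow-session-limit", "alias": "ZOA browser flow with user session limit"},
]
SAMPLE_EMAIL_2FA_EXECUTIONS = [  # state after step 7 of the last procedure
    {"displayName": "Cookie", "requirement": "ALTERNATIVE", "level": 0},
    {"displayName": "Username Password Form", "requirement": "REQUIRED", "level": 0},
    {"displayName": "OTP Form", "requirement": "REQUIRED", "level": 0},
    {"displayName": "User session count limiter", "requirement": "REQUIRED", "level": 0},
]
SAMPLE_CLIENT = {"clientId": "zoa-client",
                 "authenticationFlowBindingOverrides": {"browser": "flow-email-2fa"}}
SAMPLE_REALM = {"realm": "IzoaKeycloak", "otpPolicyType": "totp", "otpPolicyAlgorithm": "HmacSHA1",
                "otpPolicyDigits": 6, "otpPolicyPeriod": 30, "otpPolicyLookAheadWindow": 1}
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@example.com"},
    {"username": "bob", "email": "5551234567@sms-gateway.example"},  # SMS via email-to-SMS gateway
    {"username": "svc-batch"},                                         # no email: login would fail
]


def audit(realm: Dict, client: Dict, flows: List[Dict], executions: List[Dict],
          users: List[Dict], authenticator_app: str = "Google Authenticator") -> List[str]:
    """Run every check; an empty list means the realm matches the combined procedure."""
    return (check_flow_executions(executions, "OTP Form", "User session count limiter")
            + check_client_browser_override(client, flows, "ZOA Browser Email 2FA")
            + check_otp_policy(realm, authenticator_app)
            + [f"user '{u}' has no email address for the one-time password"
               for u in users_without_email(users)])


if __name__ == "__main__":
    for finding in audit(SAMPLE_REALM, SAMPLE_CLIENT, SAMPLE_FLOWS,
                         SAMPLE_EMAIL_2FA_EXECUTIONS, SAMPLE_USERS):
        print("FINDING:", finding)
```

For the first procedure (authenticator application only), call check_flow_executions on the executions of ZOA browser flow with user session limit with the Conditional OTP step name and no limiter_step, since the ordering requirement only applies to the combined flow. On the sample data the only finding is the service user without an email address, which is exactly the account that would be locked out once the email or text message flow is enabled.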