Activate and deactivate users for OIDC

You use the ALTUSER or ALU command to activate users for OIDC.

About this task

Important: Do not assign the AZFOIDC1 authentication factor to a policy. The OIDC authentication flow does not include prompting for credentials on an IBM® MFA policy web page.

Procedure

  1. Enter the following command to activate a user for OIDC. Note that the fully-qualified domain name for each user is enclosed in single quotation marks.
    ALU [Login ID] MFA(FACTOR(AZFOIDC1) TAGS(SSOID:name IDCLAIM:email) ACTIVE)
    Where:
    • [Login ID] is the z/OS® user name.
    • ACTIVE activates the AZFOIDC1 authenticator for the user ID.
    • SSOID is the SSO user ID to which to map this account.
    • IDCLAIM is optional. Set it to override the ID CLAIM you set in Table 1.
      Note: The error AZF8051E JWT claim error (claim value mismatch) in the IBM MFA server log indicates that IBM MFA is unable to verify the JWT claim for the user ID.
  2. If needed, enter the following command to defer activating a user for OIDC:
    ALU [Login ID] MFA(FACTOR(AZFOIDC1))
    Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFOIDC1 authenticator for the user ID:
    ALU [Login ID] MFA(FACTOR(AZFOIDC1) ACTIVE)
  3. Enter the following command to display IBM MFA information for a user profile:
    LISTUSER [Login ID] MFA
    MULTIFACTOR AUTHENTICATION INFORMATION:
    ---------------------------------------
     FACTOR = AZFOIDC1
      STATUS = ACTIVE
      FACTOR TAGS =
        SSOID:username
        IDCLAIM:value
  4. Instruct the user to open the fully-qualified hostname where z-mfa-sso is running, at port 8443:
    https://fully_qualified_mfa_sso_host_location:8443
    Note: You may want to have the user bookmark this URL.
    The page is titled "Acquire MFA Cache Token Credential via OIDC", prompts "Select an MFA host and enter your mainframe User ID, then Submit the form.", and has two fields: MFA Host and SAF User ID.
  5. Instruct the user to select an MFA host, enter their SAF user ID, and click Submit.
    Note: If the user is not able to select the IBM MFA host, have them refresh the web page.
  6. Instruct the user to log in with their SSO username and password.
  7. If the authentication is successful, a cache token credential (CTC) is generated that the user can use to log in to a z/OS application.
  8. If needed, enter the following command to deactivate a user for OIDC:
    ALU [Login ID] MFA(FACTOR(AZFOIDC1) NOACTIVE)
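As an added audit check that is not part of the IBM documentation or the IBM MFA product: a small Python parser for the MULTIFACTOR AUTHENTICATION INFORMATION section printed by LISTUSER [Login ID] MFA in step 3, which flags a user whose AZFOIDC1 factor is ACTIVE but carries no SSOID tag (so no SSO identity is mapped to the z/OS user ID). The sample output and the tag values jdoe and email are constructed; the section layout follows the output shown above.

```python
import re

# Constructed sample of the LISTUSER ... MFA output shown in step 3
# (tag values jdoe and email are made up for the example).
SAMPLE_LISTUSER_OUTPUT = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
 FACTOR = AZFOIDC1
  STATUS = ACTIVE
  FACTOR TAGS =
    SSOID:jdoe
    IDCLAIM:email
"""


def parse_listuser_mfa(text):
    """Parse the MFA section into {factor: {"status": str, "tags": {tag: value}}}."""
    factors = {}
    current = None
    in_tags = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"FACTOR\s*=\s*(\S+)$", line)  # "FACTOR = AZFOIDC1"
        if m:
            current = factors.setdefault(m.group(1), {"status": None, "tags": {}})
            in_tags = False
            continue
        if current is None:  # header and separator lines before the first factor
            continue
        m = re.match(r"STATUS\s*=\s*(\S+)$", line)  # "STATUS = ACTIVE"
        if m:
            current["status"] = m.group(1)
            in_tags = False
            continue
        if line.startswith("FACTOR TAGS"):  # tag lines follow, one per line
            in_tags = True
            continue
        if in_tags and ":" in line:  # "SSOID:jdoe" -> tags["SSOID"] = "jdoe"
            tag, value = line.split(":", 1)
            current["tags"][tag.strip()] = value.strip()
    return factors


def oidc_activation_issues(factors):
    """Findings for AZFOIDC1: an ACTIVE OIDC factor must have an SSOID mapping."""
    oidc = factors.get("AZFOIDC1")
    if oidc is None:
        return ["AZFOIDC1 factor not assigned"]
    if oidc["status"] == "ACTIVE" and "SSOID" not in oidc["tags"]:
        return ["AZFOIDC1 is ACTIVE but has no SSOID tag"]
    return []
```

Run the parser over the captured LISTUSER output for each user ID you activated, and treat any finding as a configuration to fix before the user is sent to the z-mfa-sso page.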