Is it possible to apply MFA based on Role?

Occasional Contributor

Working on adding MFA but would like to avoid multiple URLs/Realms, but that is the only way I see that is jumping out at me. I know there are ways to add restrictions for other functions like Host Checker Policy based on Role, so was hoping the option existed to apply additional authentication per role, but nothing that I can see. Running 8.3Rx code currently; not certain if that is a 9.0Rx or beyond.

 

  Thanks,

     Evan

3 REPLIES
Occasional Contributor

Re: Is it possible to apply MFA based on Role?

To clarify, your question is a bit confusing. However, the answer to your question is not specific to versions. Multi-Factor Authentication (MFA) per role will not work. Authentication is typically assigned within Realms.

 

In a typical use case, if Company X acquires Company Y and they have unlike MFA systems, we typically would suggest having Company X have a default/prime URL for both companies (single URL). This will eliminate the issue of having multiple URLs/Realms within many companies. Whenever a user tries to connect, the user will have an option in the portal to select the correct Realm that binds an MFA. The web portal will have the following menu:

Username:

Password:

Realm:     

 

Genard

Moderator

Re: Is it possible to apply MFA based on Role?

@ggarcia is correct; Authorization (Role assignment) will be done after Authentication (tied to user realm). Hence, having role-based MFA is not feasible.

Pulse Connect Secure Certified Expert
Moderator

Re: Is it possible to apply MFA based on Role?

Both @ggarcia & @Ray are correct for ease of administration. However, there is a hack that you can do that will allow role-based MFA _if_ you are using a SAML provider that has custom bookmark links. I know Okta allows this to work; I do not know if the others have the same capability. What happens is that you create a bookmark on the SAML provider, get the embedded link, and put that as the custom start page; the redirect on the SAML bookmark points to the redirected page on the PCS (e.g. https://vpn.corp.com/dana-na/home/index.cgi).