Re: Is it possible to apply MFA based on Role?

ecardanha · ‎03-19-2019

Working on adding MFA but would like to avoid multiple URLs/Realms but that is the only way I see that is jumping out at me. I know there are ways to add restrictions for other functions like Host Checker Policy based on Role so was hoping the option existed to apply additional authentication per role but nothing that I can see. Running 8.3Rx code currently not certain if that is a 9.0Rx or beyond.

Thanks,

Evan

ggarcia · ‎03-20-2019

The clarify your question is a bit confusing. However, the answer to your question is not specific to versions. Multi Factor Authentication(MFA) per role will not work. Authentication is typically assigned within Realms.

In a typical use case, if Company X acquires Company Y and they have unlike MFA systems, we typically would suggest having Company X to have a default/prime URL for both companies(Single URL). This will eliminate the issue of having multiple URL/Realms within many companies. Whenever a user tries to connect, the user will have an option in the portal to select the correct Realms that binds an MFA. The web portal will have the following menu:

Username:

Password:

Realm:

Genard

[email protected] · ‎03-20-2019

@ggarcia is correct, Authorization (Role assignment) will be done after Authentication (tied to user realm). Hence, having role based MFA is not feasible.

Pulse Connect Secure Certified Expert

zanyterp · ‎03-21-2019

both @ggarcia & [email protected] are correct for ease of administration. however, there is a hack that you can do that will allow role-based MFA _if_ you are using a SAML provider that has custom bookmark links. i know Okta allows this to work; I do not know if the others have the same capability. what happens is that you create a bookmark on the SAML provider, get the embedded link, and put that as the custom start page; the redirect on the SAML bookmark points to the redirected page on the PCS (e.g. https://vpn.corp.com/dana-na/home/index.cgi)