KB-10131: How to prevent users from SSO into Portal and not break MFA for systems

Tips for finding Knowledge Articles

- Enter just a few key words related to your question or problem
- Add Key words to refine your search as necessary
- Do not use punctuation
- Search is not case sensitive
- Avoid non-descriptive filler words like "how", "the", "what", etc.
- If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
- Minimum supported Internet Explorer version is IE9

No related Articles

Home >

KB-10131: How to prevent users from SSO into Portal and not break MFA for systems

Product:

App Access Service , App Gateway Service , Privileged Access Service ,

Published:

11 April,18 at 10:42 PM

Rating:

Question:

How can we set up Centrify to prevent Single Sign On and require MFA to log into the portal and not break MFA for linux and windows systems?

Answer:

We will need to create two policies in the Admin Portal to handle this.

The computers/servers doing MFA must have IWA enabled. These systems need to SSO into the tenant to retrieve the mechanisms for the user. This will prevent you from being able to turn off the IWA service on the connector and unchecking the IWA box on the login policy.

Steps to achieve this:
1) Create a policy with IWA turned off for the Centrify Portal and have it applied to all users and devices. For example, we named the policy "Users MFA on Portal and Systems", or if you already have a policy select whichever policy is used to set the MFA profile when logging into the portal.

Navigate to Login Policies -> Centrify Portal and uncheck the following 2 check boxes:

User-added image

2) Create another policy for example, IWA Servers for MFA. This policy will be applied to only the role containing the systems for MFA and not to all users and devices. This policy will have the IWA options turned on.

User-added image