After configuring Apps to "Require Strong Authentication", users are still not challenged with their Multi Factor Authentication (MFA) challenges and are able to log in to the app directly, despite the authentication profile being configured to require 2 challenges.

Cause:
The user is not challenged with MFA because the user has already "Strongly Authenticated" (indicated by an asterisk (*) next to the username in the upper right corner).
Because the user is already considered "Strongly Authenticated", they are not challenged a second time. This can be caused by various conditions in the policy and authentication profiles as well as by network location; however, the 2 most common scenarios are below:
Scenario 1
- A policy is in place which requires Strong Authentication to the User portal. This can be confirmed by first finding the user in the Users list and then reviewing the Policy Summary for the user. Under the "Login Authentication" section, locate the "Login authentication" row of the policy summary and find the Authentication Profile in use in the "Value" column. Next, under Settings >> Authentication >> Authentication Profiles, find that profile and confirm it has a second challenge, which deems it "Strong Authentication" (2 challenges in the Authentication Profile).
Scenario 2
- IWA silent authentication is in use, and the policy applied to the user for "Login authentication" has the option "Accept IWA connections as strongly authenticated for application policies" checked under the "Allow IWA connections (bypasses login authentication rules and default profile)" section of the policy. This can be confirmed by first finding the user in the Users list and then reviewing the Policy Summary for the user. Under the "Login Authentication" section, this setting is shown as "Yes."
There are no workarounds, as this is expected behavior.

Solution:
Although the policy is working as expected, if a User must first be challenged by MFA before an app can be launched, the Administrator will need to remove the requirement or setting that grants the User "Strong Authentication" while logging in.
Depending on the scenario identified in the "Cause" section above, use the following to fix the issue:
Scenario 1
- If the user has a policy in use for "Login Authentication" which provides MFA challenges at login, then this is considered a "Strongly Authenticated" login. To also require a Multi Factor login for App launches, one of the challenges will need to be removed from the "Login Authentication." This is done by editing the authentication profile associated with the policy so that it only requires 1 challenge when logging in. It is a good idea to update the name of the Authentication Profile as well, so that it reflects the new configuration. The profile in the example above would be changed in this way.
Scenario 2
- More commonly, the policy applied to the User has the option under "Login Authentication" for "Accept IWA connections as strongly authenticated for application policies" checked, and the User has authenticated using IWA silent authentication. Uncheck this option in the Policy applied to the User(s). The applied policy is found in the User Policy Summary, under the corresponding setting, in the column called "Policy Name".
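As an added illustration (not Centrify's code and not a Centrify API; the class and function names are assumptions), the following Python models the rule behind both scenarios: an app set to "Require Strong Authentication" prompts for MFA only when the portal login was not already counted as strong, and the diagnosis names which setting to change.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described in this article.
# Hypothetical names; nothing here calls a Centrify service.


@dataclass
class LoginPolicy:
    profile_challenges: int      # challenges in the login Authentication Profile
    accept_iwa_as_strong: bool   # "Accept IWA connections as strongly authenticated..."


@dataclass
class Session:
    used_iwa: bool               # user signed in through IWA silent authentication


def is_strongly_authenticated(policy: LoginPolicy, session: Session) -> bool:
    """True when the portal login already counts as 'Strong Authentication'."""
    if session.used_iwa:
        # IWA bypasses the login authentication rules and default profile,
        # so it only counts as strong when the policy option is checked.
        return policy.accept_iwa_as_strong
    return policy.profile_challenges >= 2


def app_launch_prompts_mfa(policy: LoginPolicy, session: Session,
                           app_requires_strong: bool = True) -> bool:
    """An app requiring strong auth challenges only a not-yet-strong session."""
    return app_requires_strong and not is_strongly_authenticated(policy, session)


def diagnose(policy: LoginPolicy, session: Session) -> str:
    """Name the scenario suppressing the app MFA prompt, or 'none'."""
    if not is_strongly_authenticated(policy, session):
        return "none"
    if session.used_iwa:
        return "scenario 2: uncheck 'Accept IWA connections as strongly authenticated'"
    return "scenario 1: reduce the login Authentication Profile to 1 challenge"


if __name__ == "__main__":
    # Scenario 1 before and after the fix (constructed sample policies)
    before = (LoginPolicy(profile_challenges=2, accept_iwa_as_strong=False), Session(used_iwa=False))
    after = (LoginPolicy(profile_challenges=1, accept_iwa_as_strong=False), Session(used_iwa=False))
    print(diagnose(*before), app_launch_prompts_mfa(*before))
    print(diagnose(*after), app_launch_prompts_mfa(*after))
```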
Under both scenarios, once these options are removed, the user should be presented with an MFA challenge when launching apps, which will now show a lock in the corner indicating that additional authentication is needed. For additional information not covered in this guide, or for troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/