I. Second factor authentication connection
You can find the settings for second factor authentication in the editing page of an Authentication Connection.
II. Two factor identities condition
This setting determines how the system identifies the incoming user when two different identity bearing claims are received, one from each factor. There are three options:
- Use the first identity: The system will disregard the “Identity bearing claim” value of the second factor and just focus on identifying the user based on the first one.
- Two identities must be the same: The user will not be allowed to log in unless the identity of the user for the first factor is identical to that of the second factor.
- Use identities from both factors: The system includes both identities, the one from the first factor and the one from the second factor, in the issued token.
III. Other settings
1. Use as second factor only:
This setting restricts the Authentication Connection to use as a second factor only; it will not be offered as a Primary Connection option.
2. Ignored by second factor roles claim type:
If there are subsets of users that you will allow to log in without also having to authenticate using the second factor, you must specify who these users are based on a rule. The rule states that any user who has a specific value for a specific claim type will be excluded from the second factor. This setting specifies which claim type will be tested. The setting below (“Ignored by second factor roles”) states which values of that claim type will be ignored. Safewhere*Identify will search for the claim in both the received assertion and the local store.
3. Ignored by second factor roles:
The following is the list of roles (claim type values) of which a user must have at least one in order to avoid having to authenticate via the second factor. Use a colon as a separator between these roles:
- Default value (left blank): The second factor is skipped for users whose claim of the type chosen in the parameter above has a blank value.
- A specific value: The second factor is skipped for users whose claim of the type chosen in the parameter above has one of the values entered here.
- An asterisk (*): The second factor is skipped for users who have a claim of the type chosen in the parameter above, regardless of its value.
4. Ignore roles check:
If you do not want to let anyone log in without also authenticating via the second factor (thus in effect ignoring the two parameters above), you should enable this check box.
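As an added example (not Safewhere Identify's own code), the following Python models the exemption rule from settings 2 to 4 together with the two factor identities condition from section II. The field names, the merged claim dictionary and the option strings "first", "same" and "both" are assumptions made for this illustration, not the product's real configuration keys.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SecondFactorSettings:
    # Hypothetical field names mirroring the settings described above.
    ignored_claim_type: Optional[str] = None  # "Ignored by second factor roles claim type"
    ignored_roles: str = ""                   # "Ignored by second factor roles", colon-separated
    ignore_roles_check: bool = False          # "Ignore roles check"
    identity_condition: str = "first"         # "first" | "same" | "both" (assumed labels)


def second_factor_required(settings: SecondFactorSettings,
                           claims: Dict[str, List[str]]) -> bool:
    """True when the user must also authenticate with the second factor.

    `claims` maps claim type -> values and is assumed to be already merged
    from the received assertion and the local store.
    """
    # "Ignore roles check" wins: nobody is exempted, whatever the two settings say.
    if settings.ignore_roles_check or not settings.ignored_claim_type:
        return True
    values = claims.get(settings.ignored_claim_type)
    if values is None:
        return True  # the user does not carry the tested claim type at all
    roles = settings.ignored_roles
    if roles == "*":
        return False  # any value of the claim exempts the user
    if roles == "":
        # default (left blank): only a blank claim value exempts the user
        return not any(v == "" for v in values)
    allowed = {r.strip() for r in roles.split(":") if r.strip()}
    # at least one of the listed roles exempts the user
    return not any(v in allowed for v in values)


def resolve_identity(settings: SecondFactorSettings, first_identity: str,
                     second_identity: Optional[str]) -> Optional[List[str]]:
    """Identities the issued token carries, or None when login must be refused."""
    if settings.identity_condition == "first":
        return [first_identity]  # second factor's identity is disregarded
    if settings.identity_condition == "same":
        return [first_identity] if first_identity == second_identity else None
    if settings.identity_condition == "both":
        return [first_identity, second_identity]
    raise ValueError(f"unknown identity condition: {settings.identity_condition}")
```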