Multi-Factor Authentication Setup On Cloud Portal IFS
Business Problem
You want to strengthen authentication for users accessing the Infor Cloud by implementing multi-factor authentication (MFA). MFA is an authentication method that requires the user to present two or more verification factors to gain access to a resource such as an application.
Requirements
- Access to an Infor CloudSuite
- User privileges for Infor Federated Service (IFS) User Management with the following roles:
- Optional Infor U courses:
- Infor OS: Identity and Access Management Fundamentals Workshop
Tutorial
Difficulty: Medium
Estimated completion time: 30 Minutes
The Infor Cloud normally relies on MFA performed by the customer's identity provider over the federated connection, but MFA can also be configured directly on your tenant for internal accounts. This tutorial walks through configuring multi-factor authentication (MFA) for internal cloud identity accounts in Infor Cloud.
IFS User Management handles the Cloud Identity MFA configuration and setup. When Multi-Factor Authentication (MFA) is enabled and enforced, you will be prompted to register a device for MFA upon your first authentication with Infor Portal Identities. Depending on the configuration set by the Infor Portal administrator, you can authenticate using Time-based One-Time Password (TOTP), Duo, or both.
This video provides an overview of configuring Multi-Factor Authentication (MFA) in Infor OS using the Infor Federated Service identity management system.
Get acquainted with the Infor User Management General Settings page and the Multi-Factor Authentication Configuration.
You should now be able to configure Infor’s MFA on the tenant to work with your Infor Cloud identities.
Best Practices
- MFA for users who authenticate via the federated connection is handled in the customer's identity provider configuration, not in Infor.
Multi-Factor Authentication (MFA) through a Federated Connection
- Authentication to Infor CloudSuite solutions is accomplished by establishing a federation trust between Infor CloudSuite and a customer’s Identity Provider (e.g. ADFS, Ping, Okta, Azure).
- Infor CloudSuite solutions do not themselves require Multi-Factor Authentication (MFA), but customers often do. Infor does not support configuring MFA inside Infor CloudSuite for users who arrive over a federated connection; MFA is performed when the user logs in to the customer's domain. To implement MFA, configure it in the customer's Identity Provider so that it occurs on the customer side of the federation trust. MFA design and implementation is the customer's responsibility.
- The process for establishing a federation trust between Infor CloudSuite and a customer’s Identity Provider remains the same whether MFA is implemented or not.
- MFA can be enabled and enforced for Infor Cloud identity accounts, which covers users who do not exist in the customer's IdP and therefore never pass through its MFA.
Multi-Factor Authentication (MFA) using Cloud Identity authentication
Resources
MFA Configuration Page
Help document on the Multi-Factor Authentication Configuration page.
To enable MFA for cloud identity user accounts, log in to the portal and go to:

Home > User Management > Settings > General Settings

The MFA Configuration page has these settings:

| Setting | Description |
|---|---|
| Enable MFA | If selected, the MFA status of all users of the tenant becomes Enabled. At login, a user who has already registered a device for MFA is challenged for a Time-based One-Time Password (TOTP); a user who has not registered is not challenged. Emails inviting administrators to register MFA devices are sent automatically to all administrators. Once MFA is enabled, users can register MFA devices from their user settings. |
| Enforce MFA | If selected, after first-factor authentication (user name and password) the login page checks whether the user has registered for MFA. If not, the user must register at this point before proceeding. If already registered, the user is challenged for TOTP. After MFA is enforced, every user is prompted to register a device at their next login. |
| Account Lock Settings | The number of failed login attempts allowed before the user's account is soft locked. For example, if the administrator sets this value to 3, the account is locked after three failed attempts. Note: when an account is locked, an email is sent to notify the user. The administrator can also specify how long the account stays locked before it is unlocked automatically. This setting is under Security Administration > Password Management. |
| Authentication Method | The authentication methods supported by Multi-Factor Authentication (MFA) are TOTP; Duo (note: a Duo customer account is required); FIDO2; and SMS (note: currently supported in the U.S. only). If Enable MFA is selected, the Authentication Method defaults to TOTP. If Enable MFA is not selected, no Authentication Method is selected and the control is grayed out. |
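The following Python is an added illustration, not Infor's code and not a description of how IFS User Management is implemented internally. It models the rules the table describes so they can be exercised offline: RFC 6238 TOTP as the second factor, the difference between Enable MFA and Enforce MFA for a user who has or has not registered a device, and the soft lock after the configured number of failed attempts. The 15-minute unlock delay, the one-step clock-drift tolerance, the replay check on already-used codes, and counting wrong TOTP codes toward the lock are assumptions of the model; the shared secret is the RFC 6238 test-vector key, used here as constructed sample data.

```python
"""Model of the login rules on the MFA Configuration page (added example, not
Infor code). Implements RFC 6238 TOTP plus the documented Enable/Enforce and
soft-lock behaviour so the settings can be exercised offline."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TIME_STEP = 30   # RFC 6238 default step in seconds
DIGITS = 6       # code length used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step)


@dataclass
class MfaPolicy:
    enable_mfa: bool = True     # "Enable MFA" checkbox
    enforce_mfa: bool = False   # "Enforce MFA" checkbox
    max_failures: int = 3       # "Account Lock Settings": failures before a soft lock
    lock_seconds: int = 900     # unlock delay; 15 minutes is an assumed value


@dataclass
class Account:
    username: str
    password: str                        # plaintext only because this is a model
    totp_secret: Optional[bytes] = None  # None until the user registers a device
    failures: int = 0
    locked_until: int = 0
    last_step_used: int = -1             # highest time step already accepted

    @property
    def mfa_registered(self) -> bool:
        return self.totp_secret is not None


def _record_failure(acct: Account, policy: MfaPolicy, now: int) -> bool:
    """Count a failed attempt; return True once the soft lock triggers."""
    acct.failures += 1
    if acct.failures >= policy.max_failures:
        acct.failures = 0
        acct.locked_until = now + policy.lock_seconds  # the portal also emails the user
        return True
    return False


def _authenticate(acct: Account, policy: MfaPolicy, password: str,
                  code: Optional[str], now: int) -> str:
    if now < acct.locked_until:
        return "locked"                          # soft lock still in effect
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        return "locked" if _record_failure(acct, policy, now) else "bad_password"
    if not policy.enable_mfa:
        return "ok"                              # tenant has not enabled MFA
    if not acct.mfa_registered:
        # Enable alone lets an unregistered user in; Enforce makes them register first.
        return "registration_required" if policy.enforce_mfa else "ok"
    if code is None:
        return "mfa_required"
    # Accept the current step and one step either side for clock drift, but never
    # a step at or below one already used, so a captured code cannot be replayed.
    current = now // TIME_STEP
    for step in (current - 1, current, current + 1):
        if step <= acct.last_step_used:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, step).encode(), code.encode()):
            acct.last_step_used = step
            return "ok"
    # Assumption: wrong codes count toward the lock too; otherwise a stolen
    # password could be paired with unlimited code guesses.
    return "locked" if _record_failure(acct, policy, now) else "bad_code"


def login(acct: Account, policy: MfaPolicy, password: str,
          code: Optional[str], now: int) -> str:
    """Return locked | bad_password | registration_required | mfa_required | bad_code | ok."""
    result = _authenticate(acct, policy, password, code, now)
    if result == "ok":
        acct.failures = 0                        # a full login clears the counter
    return result


if __name__ == "__main__":
    secret = b"12345678901234567890"             # RFC 6238 test-vector key (sample data)
    alice = Account("alice", "pw")
    enforce = MfaPolicy(enforce_mfa=True)
    print(login(alice, enforce, "pw", None, 59))                 # registration_required
    alice.totp_secret = secret
    print(login(alice, enforce, "pw", totp(secret, 59), 59))     # ok
```

The TOTP routine can be checked against RFC 6238 Appendix B: with the key above and Unix time 59 the 8-digit vector is 94287082, so the 6-digit code is 287082. The `Enable MFA` versus `Enforce MFA` rows in the table map directly onto the `mfa_registered` branch: with only Enable set, an unregistered user logs in with the password alone, which is why Enforce is the setting that actually closes the gap.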