Multi-Factor Authentication Setup On IFS

Business Problem

You want to increase authentication security for users accessing the Infor Cloud by implementing multi-factor authentication (MFA). MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application.


Components

Requirements

  • Access to an Infor CloudSuite
  • User privileges for Infor Federated Service (IFS) User Management with the following roles:
  • Optional Campus courses:
    • Infor OS: Identity and Access Management Fundamentals Workshop

Tutorial

The Infor Cloud uses MFA via the customer federated connection, where it is handled by the customer's identity provider configuration. MFA can also be configured on your tenant for internal cloud identity accounts.

IFS User Management handles the Cloud Identity MFA configuration and setup. When Multi-Factor Authentication (MFA) is enabled and enforced, you are prompted to register a device for MFA the first time you authenticate with Infor Ming.le Identities. Depending on the configuration set by the Infor Ming.le administrator, you can authenticate with Time-based One-Time Password (TOTP), Duo, or both.

Here are a few documents on the Multi-Factor Authentication Configuration page.

MFA Configuration

The MFA Configuration page has these settings:

To enable MFA for cloud identity user accounts, log in to the portal and go to:

Home > User Management > Settings > General Settings

| Setting | Description |
|---|---|
| Enable MFA | If selected, the MFA status of all users of the tenant becomes Enabled. At the time of login, the user is challenged for a Time-based One-time Password (TOTP) if the user has already registered a device for MFA. Emails to register MFA devices are automatically sent to all administrators. After MFA is enabled, users can register MFA devices from user settings. |
| Enforce MFA | If selected, at the login page, after logging in with first-factor authentication (user name and password), the user is checked for MFA registration. If not registered, the user is required to register for MFA at this point. If already registered, the user is challenged for TOTP. After MFA is enforced, upon initial re-login, the user is prompted to register a device for MFA. |
| Account Lock Settings | This setting specifies the number of allowed failed login attempts before the user’s account is soft locked. For example, if the administrator sets this value to 3, after three failed attempts, the user’s account is locked. Note: When the user’s account is locked, an email is sent to notify the user that the account is locked. The administrator can specify the amount of time before the user’s account is unlocked. This setting is in Security Administration > Password Management. |
| Authentication Method | The methods of authentication supported by Multi-Factor Authentication (MFA) are TOTP and Duo. Note: To use Duo as an authentication method, a Duo customer account is required. If Enable MFA is selected, the Authentication Method is automatically selected as TOTP. If Enable MFA is not selected, the Authentication Method is not selected and remains grayed out. |
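
The following Python model is an added example, not Infor code: it reproduces the login outcomes described for Enable MFA, Enforce MFA and Account Lock Settings, with the TOTP value computed per RFC 6238. The dictionary keys, the outcome names, counting a wrong TOTP code as a failed attempt, and resetting the counter on success are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login(tenant: dict, user: dict, password_ok: bool, code: str = "", now: int = 0) -> str:
    """Evaluate one login attempt against the tenant's MFA settings."""
    if user["failed"] >= tenant["max_failed"]:
        return "locked"                          # soft lock already in effect
    mfa_on = tenant["enable_mfa"] or tenant["enforce_mfa"]
    if password_ok and not (mfa_on and user["secret"]):
        # Enforce stops an unregistered user until a device is registered;
        # Enable alone lets that user through on the password only.
        if tenant["enforce_mfa"]:
            return "must_register"
        user["failed"] = 0                       # assumption: success resets the counter
        return "granted_password_only"
    if password_ok and hmac.compare_digest(code, totp(user["secret"], now)):
        user["failed"] = 0
        return "granted_mfa"
    user["failed"] += 1                          # assumption: a bad TOTP code counts too
    return "locked" if user["failed"] >= tenant["max_failed"] else "denied"

def scenarios() -> dict:
    """Run the documented cases on constructed users and settings."""
    secret = b"12345678901234567890"             # RFC 6238 test key (constructed input)
    enable = {"enable_mfa": True, "enforce_mfa": False, "max_failed": 3}
    enforce = {**enable, "enforce_mfa": True}
    guessed = {"secret": secret, "failed": 0}    # user whose TOTP code is being guessed
    return {
        "enable_unregistered": login(enable, {"secret": None, "failed": 0}, True),
        "enforce_unregistered": login(enforce, {"secret": None, "failed": 0}, True),
        "registered_good_code": login(enable, {"secret": secret, "failed": 0},
                                      True, "287082", now=59),
        "registered_bad_codes": [login(enable, guessed, True, "000000", now=59)
                                 for _ in range(4)],
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The `enable_unregistered` case is the one to review on a tenant: with Enable MFA selected but Enforce MFA not selected, an account that never registered a device still authenticates with the password alone.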

This video provides an overview of the Infor OS: Multifactor Authentication configuration on the Infor Federated Service identity management:

Familiarize yourself with the Infor User Management General Settings page and the Multi-Factor Authentication Configuration.

You should now be able to configure Infor’s MFA on the tenant to work with your Infor Cloud identities.

Best Practices

Multi Factor Authentication (MFA) through a Federated Connection

  • Authentication to Infor CloudSuite solutions is accomplished by establishing a federation trust between Infor CloudSuite and a customer’s Identity Provider (e.g. ADFS, Ping, Okta, Azure). 
  • Infor CloudSuite solutions do not require Multi-Factor Authentication (MFA); however, customers may have this requirement. Infor does not support direct MFA configurations within the actual Infor CloudSuite through a federated connection. This means that the MFA is performed at the time of logging into the customer’s domain. Implementation of MFA requires the configuration to be within a customer’s Identity Provider so that MFA occurs on the customer side of the federation trust. MFA design and implementation is the customer’s responsibility.
  • The process for establishing a federation trust between Infor CloudSuite and a customer’s Identity Provider remains the same whether MFA is implemented or not.

  • MFA can be enabled and enforced for Infor Cloud identity accounts, which can be leveraged for guest users that do not have access within the customer IdP system.

Multi Factor Authentication (MFA) using Cloud Identity authentication