How to Use MFA Redirection | Delinea (2024)

Multi-Factor Authentication (MFA) redirection lets a user satisfy MFA through another, chosen user account. The user who is logging in can be configured to perform MFA as the redirect user, and receives an identity token for the original login user after they successfully log in.

Once configured, the MFA redirection is handled automatically.

When you log in to an enrolled system and your account is set up to use MFA redirection, the service prompts you for your password, not the password for the MFA redirect user. This feature is available on systems that have the Centrify Client installed and enrolled.

How MFA Redirection Works

To explain how redirection works, we've defined the following two users:

MFA is performed as the redirect user, on behalf of the original login user. This means every MFA mechanism that is used (e.g. email, text, Mobile Authenticator) is completed by the redirect user.

When MFA redirect is set up, cloud clients are provided with the redirect user's information and MFA challenges. This means the original login user enters the system as the redirect user.

The general MFA redirection flow is:

  1. The original user attempts to log in with their username.
  2. The details for the original login user are retrieved from Delinea PAS.
  3. The original login user receives MFA challenges for the redirect user's account.
  4. When authentication is successful, the account details for the redirect user's account are shown to the original login user, and an identity token/cookie is provided to the original login user.

In a typical use case:

  • The original login user has no attributes configured, and therefore they cannot satisfy any MFA.

    When the original login user is challenged for additional authentication, MFA redirection can be configured so that the MFA challenges of the redirect user (who has the required mechanisms configured) are presented for the original login user to answer.

  • The redirect user will have all their account challenge attributes set:

    • Phone number
    • Configured security questions
    • Yubikey
    • Mobile Authenticator
    • etc.

This enables the original login user to satisfy the MFA requirement through answering the redirect user's MFA challenge(s).

The MFA redirect process acts as if the redirect user were logging in directly. The redirect user only facilitates the act of MFA, so any actions available during the login process (password reset, forgot password, account unlock, etc.) apply to the redirect user's account, even though the original login user is the one using the login.

However, once the login is complete, the login identity will be granted to the original login user, and any actions (password reset, forgot password, account unlock, etc.) will apply back to the original login user's account.

MFA Examples

Phone MFA example:

  • The original login user configures their account to have MFA redirected through the redirect user.
  • The MFA is set up to use a phone number for authentication.

Since the original login user is configured for MFA redirection, the original login user can request the redirect user's phone number MFA challenge in order to satisfy the phone MFA challenge required to log in.

The policy and authentication rules for the original login user still apply whether redirection is used or not. The specified MFA redirect user will be used to determine which MFA mechanisms are able to be satisfied, as well as perform MFA.

Real-world example:

A real-world use case is when an admin (the original login user) uses their dash-A account to perform a privileged task rather than their normal enterprise account (the redirect user). The admin does not have a phone enrolled with their dash-A account but they do with their normal enterprise account. They do have the Mobile Authenticator associated with their enterprise account. MFA redirection enables the admin to carry one phone rather than two and use the Mobile Authenticator to satisfy the MFA.

How to Set Up MFA Redirection

You must have the MFA Redirect Management permission in order to set a redirect for a user. All system admins already have this right applied to their account.

To configure a user for MFA redirection:

  1. From the Admin Portal, navigate to Access > Users.
  2. Click on the user account you want to configure for MFA redirection.
  3. Ensure you're on the MFA Redirection tab and check the Redirect Multi-factor Authentication to a different user account box.
  4. On the user selector, click Select.
  5. Search for the user you want to use for the MFA redirection. Select the user you want to use and click OK.

    If you select a user that is the same as the user you're currently editing, you will generate an error.

  6. Click Save.
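
The behaviour described on this page, modelled in Python as an added example: which account is challenged, which mechanisms remain usable, who receives the identity, and which account a password reset or unlock touches before and after login. This is not Delinea's code or API; the user names, mechanism names and function names are assumptions, and combining the original user's policy with the redirect user's enrolment as a set intersection is one reading of the policy paragraph above.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    enrolled: set = field(default_factory=set)  # MFA mechanisms this account can answer
    policy: set = field(default_factory=set)    # mechanisms this account's policy accepts
    redirect_to: Optional[str] = None

def set_redirect(users, name, target):
    """Configure redirection; selecting the user being edited is an error."""
    if name == target:
        raise ValueError("MFA cannot be redirected to the same user")
    if target not in users:
        raise KeyError(target)
    users[name].redirect_to = target

def challenged_account(users, name):
    """Account whose MFA challenges are presented at login."""
    user = users[name]
    return users[user.redirect_to] if user.redirect_to else user

def usable_mechanisms(users, name):
    """The original user's policy still applies; the challenged account's
    enrolment decides which of those mechanisms can be satisfied (assumed model)."""
    return users[name].policy & challenged_account(users, name).enrolled

def login(users, name, mechanism):
    """Return a record of the login, or raise if MFA cannot be satisfied."""
    if mechanism not in usable_mechanisms(users, name):
        raise PermissionError(f"{mechanism} cannot satisfy MFA for {name}")
    return {"token_subject": name,  # the identity is granted to the original user
            "mfa_performed_as": challenged_account(users, name).name,
            "mechanism": mechanism}

def action_target(users, name, phase):
    """Password reset or unlock: the redirect user's account during login,
    the original user's account once the login is complete."""
    return challenged_account(users, name).name if phase == "login" else name

def sample_users():
    """Constructed data mirroring the dash-A example; the names are made up."""
    both = {"phone", "mobile_authenticator"}
    return {"alice": User("alice", set(both), set(both)),
            "alice-a": User("alice-a", set(), {"mobile_authenticator"})}

if __name__ == "__main__":
    users = sample_users()
    set_redirect(users, "alice-a", "alice")
    print(login(users, "alice-a", "mobile_authenticator"))
```
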