Authenticate with a second factor based on user’s Organization
A common requirement is to trigger a second-factor authentication based on information in the user's profile. In this blog note, I'll explain how to use the user's Organization to determine which second factors the user may use in the Ping Identity Platform.
The Use Case
A user is created in the Identity Platform and associated with an Organization object, and this link determines which second factors the user is allowed to use. For instance, in a B2B use case, a user is associated with their company, represented by an Organization object in the Identity Platform. In a CIAM situation, a user may be associated with Organizations representing a market segment (personal, enterprise, etc.).
Note: in this blog note we'll use the Organization object, but we could do the same with role or group objects.
The concept in Ping Identity Platform
Let’s briefly explore the various concepts we will implement here.
Extend the Data Model
In the Ping Identity Platform you can manage Users/Identities, Roles, Assignments, Groups and Organizations. In this post, I'll extend the Organization object to store all the second factors allowed for users who belong to this Organization.
Create a user journey
The platform includes a journey designer. It is a no-code/low-code drag-and-drop designer you use to create as many user journeys as you want in no time. With this designer I'll set up an authentication journey that checks the user's Organization and activates only the allowed second factors.
Let’s configure it in the Identity Platform.
Update the Data Model
In the Identity Platform it's possible to extend your data model, as explained in the product documentation. You can:
- Add new managed object types.
- Specify default values for object properties
- Derive object property values from other object property values, known as virtual properties.
- Define custom relationships between managed objects.
Follow these steps to add an attribute to the Organization object schema that will store the second factors allowed for the users linked to this Organization.
Add custom_mfa attribute
To extend the data model here, we'll use the native Identity Management console.
- With your browser, connect to your platform UI https://<YOUR TENANT>/platform (where <YOUR TENANT> is your platform server) as an administrator, and browse to Native Consoles > Identity Management. It should open a new window.
- In this new window, browse to Configure > Managed Objects. On this page click on "Alpha_organization".
- Click on "Add a Property", NAME this property custom_mfa, with the LABEL MFA for this Organization and the TYPE Object, and click "Save".
- Now click on the attribute name custom_mfa.
- On the attribute configuration page, click on the "Properties" tab.
- On this page, add the following attributes:
  - NAME: fido, LABEL: Fido, TYPE: Boolean
  - NAME: push, LABEL: Push, TYPE: Boolean
  - NAME: sms, LABEL: SMS OTP, TYPE: Boolean
  - NAME: mail, LABEL: Mail OTP, TYPE: Boolean
- Then click "Save".
Now if you connect to the Identity Platform UI, browse to the Identities > Manage section and edit an Organization, you'll see a new tab named "MFA for this Organization" where it's possible to select the second factors you want to activate for this Organization (see figure below). An unchecked box (or an Organization with no custom_mfa value at all) means the factor is not allowed.
Now let’s create a journey to use this information.
Configure user journeys
Create the LoginMFAOrgBased user journey
Pre-create a library script to use in user journeys
First of all, we will create a JavaScript library that will be used in the journey to retrieve the list of second factors allowed for a user, based on the Organizations to which the user is linked.
- Connect to your Identity Platform console https://<YOUR-TENANT>/platform/ (where <YOUR-TENANT> is your platform server) as an Administrator and follow these steps.
- Select your realm (default is alpha), browse to Scripts > Auth Scripts, click on "New Script" to create a new one and choose the Library type,
- Select the "Next Generation" Script Engine and click "Next",
- On the script creation page, NAME your script orgUtilsLib and enter This library is used to perform utility operations on user Organization in the DESCRIPTION field.
- In the SCRIPT field enter the following code and click on "Save" and "Close".
Library scripts are a feature introduced recently in the platform. They let you create JavaScript libraries that are available to all other scripts, so shared logic such as "which factors does this user's Organization allow" is written once instead of being copied into every decision node. I urge you to use them intensively.
Pre-create a script that will be used in the journey
Now, we will create the script that will be used in the journey to present to the user the list of second factors allowed for them based on their Organization.
- Connect to your Identity Platform console https://<YOUR-TENANT>/platform/ (where <YOUR-TENANT> is your platform server) as an Administrator and follow these steps.
- Select your realm (default is alpha), browse to Scripts > Auth Scripts, click on "New Script" to create a new one and choose the "Journey Decision Node" type,
- Select the Next Generation Script Engine and click Next,
- On the script creation page, NAME your script chooseMFAFromOrg,
- In the SCRIPT field enter the following code and click on "Save" and "Close".
Note: in this blog note, we predefined a list of possible second factors (fido, push, sms, mail); it can be modified if you need, as long as the outcomes of the scripted decision node are updated accordingly.
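The two scripts above (the orgUtilsLib library and the chooseMFAFromOrg decision-node script) share the same core logic: read the custom_mfa object of each Organization the user belongs to, compute the allowed factors and map them to a node outcome. The following is an added example written for this note, not the author's script and not platform code: it is plain JavaScript with no Ping Identity bindings, so it runs stand-alone. The Organization records are constructed inline; in the real library script they would be fetched from managed/alpha_organization using the IDs found in the user's memberOfOrgIDs attribute (an assumption about the wiring, not shown here). The "choice" and "failure" results are assumptions as well: the journey on this page wires only the mail, sms, push and fido outcomes, so you would add a failure outcome to the node or handle the no-factor case before calling the script.

```javascript
// Added example: decision logic for Organization-based second-factor selection.
// Pure JavaScript; platform calls (openidm.read, callbacks, action.goTo) are
// deliberately left out so the logic can be tested on its own.

// Factors the journey knows about, in the order they are offered to the user.
// Each key is both a scripted-decision outcome name and a boolean in custom_mfa.
const KNOWN_FACTORS = ["fido", "push", "sms", "mail"];

// Constructed sample Organization records, shaped like the managed object
// extended on this page (custom_mfa is an Object holding four Booleans).
const SAMPLE_ORGS = {
  demo:     { _id: "demo-org",     name: "Demo",     custom_mfa: { fido: true,  push: false, sms: false, mail: true  } },
  partners: { _id: "partners-org", name: "Partners", custom_mfa: { fido: false, push: true,  sms: false, mail: false } },
  noPolicy: { _id: "legacy-org",   name: "Legacy" },              // custom_mfa never configured
  broken:   { _id: "broken-org",   name: "Broken",   custom_mfa: "yes" }, // wrong type, treat as none
};

// Factors enabled for one Organization. Anything other than an explicit
// boolean true is "not allowed": a missing object, a missing key or a
// non-object value all fail closed.
function factorsForOrg(org) {
  const mfa = org && org.custom_mfa;
  if (!mfa || typeof mfa !== "object") return [];
  return KNOWN_FACTORS.filter((f) => mfa[f] === true);
}

// Union over all of the user's Organizations: a factor is offered if at least
// one Organization the user belongs to allows it. Swap the union for an
// intersection if your policy is "every Organization must allow it".
function allowedFactors(orgs) {
  const allowed = new Set();
  for (const org of orgs) {
    for (const f of factorsForOrg(org)) allowed.add(f);
  }
  return KNOWN_FACTORS.filter((f) => allowed.has(f));
}

// Decide the outcome of the scripted decision node.
//   - no factor allowed      -> "failure" (never skip MFA)
//   - exactly one factor     -> route straight to that outcome
//   - several, no selection  -> "choice": the node should prompt the user with
//                               the `factors` list (a choice callback)
//   - several, selection made -> the chosen factor, validated against the
//                               allowed list so a tampered index cannot reach
//                               a factor the Organization does not allow
function chooseOutcome(orgs, selectedIndex) {
  const factors = allowedFactors(orgs);
  if (factors.length === 0) return { outcome: "failure", factors };
  if (factors.length === 1) return { outcome: factors[0], factors };
  if (Number.isInteger(selectedIndex) && selectedIndex >= 0 && selectedIndex < factors.length) {
    return { outcome: factors[selectedIndex], factors };
  }
  return { outcome: "choice", factors };
}
```

The two checks worth keeping whatever the wiring: the user's selection is only ever used as an index into the server-side allowed list (never as a free-text outcome name), and an Organization with no configured factors routes to failure rather than to a login without a second factor.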
Now that we have pre-created the scripts, let's create the journey.
To save time, it's possible to create a new journey by duplicating an existing one; we'll do that now.
Note: in this journey I assume you already created four journeys to handle the second factors: 1/ Mail OTP, 2/ SMS OTP, 3/ Mobile Push and 4/ Fido.
- Connect to your Identity Platform console https://<YOUR-TENANT>/platform/ (where <YOUR-TENANT> is your platform server) as an Administrator and follow these steps.
- Browse to Journeys and click on "…" in the line of the journey named Login. Click on "Duplicate" in the menu.
- NAME the journey LoginMFAOrgBased, add the DESCRIPTION Login journey with MFA based on Organization options and click on Save,
- Add 4 Inner Tree Evaluator nodes and configure them with these parameters:
  - NAME: Mail OTP, TREE NAME: select your journey named Mail OTP
  - NAME: Sms OTP, TREE NAME: select your journey named SMS OTP
  - NAME: Mobile Push, TREE NAME: select your journey named Mobile Push
  - NAME: Fido, TREE NAME: select your journey named Fido
  For all these nodes, link the true outcome to the Success exit (green circle icon) and the false outcome to the Failure exit (red circle icon),
- Add a Scripted Decision node, name it chooseMFAFromOrg, select the chooseMFAFromOrg script, add the mail, sms, push and fido OUTCOMES, then link mail to the Mail OTP node, sms to the Sms OTP node, push to the Mobile Push node and fido to the Fido node,
- Add an Identify Existing User node, NAME it getUser, enter userName in the IDENTIFIER field and userName in the IDENTITY ATTRIBUTE parameter. Link true to the chooseMFAFromOrg node and false to the Failure exit (red circle icon),
- Add a Query Filter Decision node, NAME it Users company exists?, enter /memberOfOrgIDs pr in the QUERY FILTER field and userName in the IDENTITY ATTRIBUTE parameter. Link true to the getUser node and false to the Failure exit (red circle icon). This check fails closed: a user who is not linked to any Organization has no allowed second factor and therefore cannot complete the journey,
- Finally, edit the Inner Tree Evaluator node that already exists in the duplicated Login journey and check its parameters: NAME: Progressive profiling, TREE NAME: ProgressiveProfile. Link the true outcome to the Users company exists? node and the false outcome to the Failure exit (red circle icon).
The following figure presents the journey in Intelligent Authentication web designer.
Demonstration
The video below shows the result in action from the user's perspective. This user is a member of the Demo Organization; initially the Organization allows Fido, Push, SMS OTP and Mail OTP, and then during the video we change the Organization configuration to allow only Fido and Mail OTP.
Note: we don't show the actual second factor in this video, as it is not the objective of this blog note.
Conclusion
In this blog post, we've configured a user journey that relies on the user's Organization configuration to determine the second factors the user may use. It was also an opportunity to use inner trees and the recent library script feature.