I. Second factor authentication connection
You can find the settings for second factor in the editing page of an authentication connection.
II. Two factor identities condition
The following setting is used to activate the user which identify the incoming user based on two different identity bearing claims. There are three options as below:
- Use the first identity: System will disregard the “Identity bearing claim” value of the second factor and just focus on identifying the user based on the first one.
- Two identities must be the same: The user will not be allowed to log in unless the identity of the user for the first factor is identical to that of the second factor.
- Use identities from both factors: Using both identities from the first and the second factors for the issued token
III. Other settings
1. Use as second factor only:
This setting offers the authentication connection to be used as second factor only not as primary connection option.
2. Ignored by second factor roles claim type:
If there are subsets of users that you will allow logging in without also having to authenticate using the second factor, you must specify whom these users are based on a rule. The rule states that any users who have a specific value for a specific claim type, will be excluded from the second factor. This setting specifies which claim will be tested. The setting below (“Ignored by second factor roles”) states which roles will be ignored. Safewhere*Identify will search in both the received assertion and local store.
3. Ignored by second factor roles:
The list of roles (claims type values) that a user must have at least one of in order to avoid having to authenticate via the second factor. You should use colon as separator for these roles.
- Default value (left blank): skip login the second factor for specify claim type (which is chosen in the parameter above) with claim type’s value is left blank.
- A specify value: skip login the second factor for specify claim type (which is chosen in the parameter above) with claim type’s value is inputted here.
- An asterisk (*): skip login the second factor for specify claim type (which is chosen in the parameter above) regardless of its value.
4. Ignore roles check:
If you do not want to let anyone log in without also authenticating via the second factor (thus in effect ignoring the two parameters above), you should set this checkbox to true.