Configuring MFA in OCI IAM Identity Domain
MFA configuration in OCI IAM is policy-driven, allowing administrators to define rules that determine when users are prompted for MFA. The steps below provide a straightforward approach for configuring MFA in a customer’s OCI IAM Identity Domain using the default settings provisioned during OCIM.
This approach enforces MFA for all users, ensuring that all members are prompted for MFA when signing in to OPERA Cloud services and R&A. Please note that OCI IAM supports multiple methods for configuring MFA within an Identity Domain; the instructions below describe one recommended approach.
- Log in to the OCI Cloud Console as a Cloud Administrator user.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Click the name of the identity domain you want to work in. Note: You may need to change the compartment to locate the required domain.
- On the Domain Details page, navigate to the Authentication tab.
- Under Factors, click on Enable or Disable factors. Select each of the factors required to access the OPERA Cloud services. For an explanation of each factor, see Configuring Authentication Factors. Click Save Changes.
- (Optional step) You can click Edit for each MFA factor you selected to configure the factor settings. For instructions for each factor, see Configuring Authentication Factors.
- (Optional step) Use the Trusted Devices section to configure trusted device settings. Similar to "remember my computer," trusted devices do not require the user to provide secondary authentication each time they sign in.
- (Optional step) Under Sign-in rules, click Edit to set the maximum number of unsuccessful MFA attempts a user can make before being locked out.
- Follow the steps below to configure new sign-on rules that enable MFA in the default
sign-on policy. This default sign-on policy will be available out of the box in a
customer's OCI IAM Identity Domain.
- Navigate to the Domain Policies tab.
- Click on Default Sign-on policy.
- On the policy page, click on the Sign-on rules tab.
- Click on the ellipsis next to Default Sign-on rule, and click on Edit Sign-on rule. Carefully read the confirmation, and click Continue.
- Under Actions, select Allow access. Enable the Prompt for an additional factor button and select Specified factors only.
- Enable the factors required.
- Select Once per session or trusted device under Frequency.
- Select Required under Enrollment.
- Click Edit Sign-on rule.
- Click Save Changes.
- Test MFA with the user who is part of the newly created group (the group added in the sign-on rule).
- To learn more about registering for MFA using Mobile app passcode or Mobile app notification mode, watch this tutorial video Oracle Mobile Authenticator App Tutorial Video.