Configuring MFA in OCI IAM Identity Domain

MFA configuration in OCI IAM is policy-driven: OCI IAM lets you create different rules that decide when MFA is triggered. These steps describe a simple approach for configuring MFA in a customer's OCI IAM Identity Domain that has the default settings provisioned during OCIM. The approach is based on group membership: only members of a newly created group are prompted for MFA during OPERA Cloud services login and R&A login.

Note: There are multiple methods to configure MFA in the Identity Domain. The instructions below illustrate one such approach.
  1. Log in to the OCI Console as an OCI cloud administrator user.
  2. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  3. Click the name of the identity domain in which you want to work. (You might need to change the compartment to find the domain that you want.)
  4. On the Domain page, click User Management.
  5. Under Groups, click Create Group.
  6. Enter a name for the group, for example: MFAENABLED.
  7. Search for and add users as members of the group. These are the users for whom MFA is to be triggered during OPERA Cloud services login.
  8. Click Create.
  9. On the Domain Details page, open the Authentication tab.
  10. Under Factors, click Enable or Disable factors. Select each of the factors required to access the OPERA Cloud services. For an explanation of each factor, see Configuring Authentication Factors. Click Save Changes.
  11. (Optional step) Click Edit next to each MFA factor you selected to configure that factor. For instructions for each factor, see Configuring Authentication Factors.
  12. (Optional step) Use the Trusted devices section to configure trusted device settings. Similar to "remember my computer," trusted devices do not require users to provide secondary authentication each time they sign in.
  13. (Optional step) Under Sign-in rules, click Edit to set the maximum number of unsuccessful MFA attempts a user can make before being locked out.
  14. Follow the steps below to add a new sign-on rule that enables MFA in the default sign-on policy. This default sign-on policy is available out of the box in a customer's OCI IAM Identity Domain.
    1. Navigate to the Domain Policies tab.
    2. Click the Default Sign-on policy.
    3. On the policy page, click the Sign-on rules tab.
    4. Click Add sign-on rule, carefully read the confirmation, and click Continue.
    5. Enter the rule name. For example: Group based MFA.
    6. Under Groups, click the Actions menu and select Add. Search for and select the group created earlier (step 6), then click Add.
    7. Under Actions, select Allow access. Enable the Prompt for an additional factor button and select Specified factors only.
    8. Enable the factors required.
    9. Select Once per session or trusted device under Frequency.
    10. Select Required under Enrollment.
    11. Click Add.
    12. On the Default Sign-On Policy page, click Actions under Sign-on rules. Select Edit Sign-on rules priority.
    13. Click the priority number of the newly created rule to ensure it is above the Default Sign-On Rule. For example, ensure that priority 1 is the newly created rule and priority 2 is the Default Sign-On Rule.
    14. Click Save Changes.
  15. Test MFA with a user who is a member of the newly created group (the group added in the sign-on rule).
  16. To learn more about registering for MFA using Mobile app passcode or Mobile app notification mode, watch the tutorial video Oracle Mobile Authenticator App Tutorial Video.
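The following Python model is an added illustration of why step 14.13 (rule priority) matters; it is not Oracle's code and not the OCI IAM API. It assumes first-match evaluation of sign-on rules in priority order, a catch-all Default Sign-On Rule with no group condition, and the Frequency and Enrollment settings chosen above. The rule names, group name MFAENABLED and factor names are taken from this page; the user names and the outcome labels are constructed for the example.

```python
"""Model of sign-on rule evaluation for a group-based MFA policy.

Hypothetical model (added example): rules are tried in priority order
(1 first) and the first rule whose group condition matches the user
decides the outcome. It approximates the behaviour the console steps
configure and is not Oracle's implementation.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SignOnRule:
    name: str
    priority: int                       # 1 = evaluated first
    groups: frozenset = frozenset()     # empty = applies to every user (catch-all)
    prompt_mfa: bool = False            # "Prompt for an additional factor"
    factors: frozenset = frozenset()    # "Specified factors only"
    once_per_session: bool = True       # Frequency: once per session or trusted device
    enrollment_required: bool = True    # Enrollment: Required

    def matches(self, user_groups: frozenset) -> bool:
        # A rule with no group condition matches everyone.
        return not self.groups or bool(self.groups & user_groups)


@dataclass(frozen=True)
class SignOnContext:
    username: str
    groups: frozenset
    enrolled_factors: frozenset = frozenset()
    mfa_done_this_session: bool = False
    trusted_device: bool = False


def evaluate(policy, ctx):
    """Return the decision of the first matching rule (first-match semantics)."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if not rule.matches(ctx.groups):
            continue
        if not rule.prompt_mfa:
            return {"rule": rule.name, "outcome": "allow"}
        # "Once per session or trusted device": skip the prompt if already satisfied.
        if rule.once_per_session and (ctx.mfa_done_this_session or ctx.trusted_device):
            return {"rule": rule.name, "outcome": "allow_mfa_satisfied"}
        usable = rule.factors & ctx.enrolled_factors
        if usable:
            return {"rule": rule.name, "outcome": "mfa_prompt", "factors": sorted(usable)}
        if rule.enrollment_required:
            # Enrollment: Required -> the user must enroll a listed factor first.
            return {"rule": rule.name, "outcome": "enroll_then_mfa",
                    "factors": sorted(rule.factors)}
        return {"rule": rule.name, "outcome": "allow_not_enrolled"}
    return {"rule": None, "outcome": "deny"}


def priority_problems(policy):
    """Names of group-scoped rules that sit below a catch-all rule.

    Such rules never fire, because the catch-all matches every user first.
    This is the misordering that step 14.13 corrects.
    """
    catch_all_seen = False
    shadowed = []
    for rule in sorted(policy, key=lambda r: r.priority):
        if not rule.groups:
            catch_all_seen = True
        elif catch_all_seen:
            shadowed.append(rule.name)
    return shadowed


# Constructed sample policy using the rule, group and factor names from the page.
GROUP_RULE = SignOnRule(
    name="Group based MFA", priority=1, groups=frozenset({"MFAENABLED"}),
    prompt_mfa=True, factors=frozenset({"mobile_app_passcode", "mobile_app_notification"}))
DEFAULT_RULE = SignOnRule(name="Default Sign-On Rule", priority=2)

CORRECT_POLICY = [GROUP_RULE, DEFAULT_RULE]
# The same two rules before step 14.13: the default rule is still at priority 1.
MISORDERED_POLICY = [replace(GROUP_RULE, priority=2), replace(DEFAULT_RULE, priority=1)]


if __name__ == "__main__":
    member = SignOnContext("alice", frozenset({"MFAENABLED"}))   # constructed user
    print("correct  :", evaluate(CORRECT_POLICY, member))
    print("misordered:", evaluate(MISORDERED_POLICY, member))
    print("shadowed rules:", priority_problems(MISORDERED_POLICY))
```

Running the script shows the group member being sent to factor enrollment under the correctly ordered policy, while under the misordered policy the Default Sign-On Rule matches first and the user is allowed in with no MFA at all; priority_problems reports the shadowed rule, which is the check to run after step 14.14.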