How to Use MFA Redirection

Multi-Factor Authentication (MFA) redirection enables users to perform MFA on behalf of any chosen user. This means the user that is logging in can be configured to perform MFA as the redirect user, and receive an identity token for the original login user after they successfully login.

Once configured, the MFA redirection is handled automatically.

When you log in to an enrolled system and your account is set up to use MFA redirection, the service prompts you for your password, not the password for the MFA redirect user. This feature is available on systems that have the Centrify Client installed and enrolled

How MFA Redirection Works

To explain how redirection works, we've defined the following two users:

  • Original login user: The user who is actively trying to log in.

  • Redirect user: The user who has MFA setup. MFA will redirect to this user to answer any MFA challenges.

MFA is performed as the redirect user, on behalf of the original login user. This means any MFA mechanism that is used (i.e. email, text, Mobile Authenticator, etc.) all are completed by the redirect user.

When MFA redirect is setup, cloud clients are provided with the redirect user's information and MFA challenges. This means the original login user enters the system as the redirect user.

The general MFA redirection flow is:

  1. The original user attempts to login with their username.
  2. The details for the original login user are retrieved from Delinea PAS.
  3. The original login user receives MFA challenges for the redirect user's account.
  4. When authentication is successful, the account details for the redirect user's account are shown to the original login user, and an identity token/cookie is provided to the original login user.

In a typical use case:

  • The original login user has no attributes configured, and therefore they cannot satisfy any MFA.

    When the original login user is challenged for additional authentication, the MFA redirection feature can be configured so the redirect user's MFA challenges (who has the required mechanisms configured) are used for the original login user to answer.

  • The redirect user will have all their account challenge attributes set:

    • Phone number
    • Configured security questions
    • Yubikey
    • Mobile Authenticator
    • etc.

This enables the original login user to satisfy the MFA requirement through answering the redirect user's MFA challenge(s).

The MFA redirect process acts as if the redirect user was directly logging in. The redirect user just facilitates the act of MFA, which causes any actions available during the login process (password reset, forgot password, account unlock, etc.) to apply to the redirect user's account, even though the original login user is the one using the login.

However, once the login is complete, the login identity will be granted to the original login user, and any actions (password reset, forgot password, account unlock, etc.) will apply back to the original login user's account.

MFA Examples

Phone MFA example:

  • The original login user configures their account to have MFA redirected through the redirect user.
  • The MFA is set up to use a phone number for authentication.

Since the original login user is configured for MFA redirection, the original login user can request the redirect user's phone number MFA challenge, in order to satisfy the phone MFA challenge required to login.

The policy and authentication rules for the original login user still apply whether redirection is used or not. The specified MFA redirect user will be used to determine which MFA mechanisms are able to be satisfied, as well as perform MFA.

Real-world example:

A real-world use case is when an admin (the original login user) uses their dash-A account to perform a privileged task rather than their normal enterprise account (the redirect user). The admin does not have a phone enrolled with their dash-A account but they do with their normal enterprise account. They do have the Mobile Authenticator associated with their enterprise account. MFA redirection enables the admin to carry one phone rather than two and use the Mobile Authenticator to satisfy the MFA.

How to Set Up MFA Redirection

You must have the MFA Redirect Management permission in order to set redirect for a user. All system admins already have this right applied to their account.

To configure a user for MFA redirection:

  1. From the Admin Portal, navigate to Access > Users.
  2. Click on the user account you want to configure for MFA redirection.
  3. Ensure you're on the MFA Redirection tab and check the Redirect Multi-factor Authentication to a different user account box.
  4. On the user selector, click Select.
  5. Search for the user you want to use for the MFA redirection. Select the user you want to use and click OK.
    If you select a user that is the same as the user you're currently editing, you will generate an error.
  6. Click Save.