Configure Mobile Multi-Factor Authentication
Follow these steps to configure Mobile Multi-Factor Authentication.
The following pre-requisites must be met:
- The IBM Security Verify Access Platform and Advanced Access Control Module are activated.
- The runtime component and a reverse proxy instance are configured.
- Basic User support is enabled on the local LDAP.
- Transparent path junction to /scim on localhost is configured.
  - Basic authentication (BA) with easuser is enabled.
  - The isam_mobile_rest ACL is attached to /scim (the ACL won't exist until step 2).
- Username Password Mechanism is configured.
- Server connection to local LDAP is set up.
- SCIM is configured with the local LDAP server connection and the dc=iswga suffix.
Steps
- Create an API Protection definition and client with:
  - Authorization code and ROPC enabled
  - Redirect URI: https://<webseal_hostname>:<port>/mga/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=<client_ID>
    The redirect URI is essential so that when a user clicks the Register Authenticator button in the USC UI, the user is correctly redirected to the QR Code page.
- Run the Reverse Proxy MMFA Config API.
This step configures the /mga junction and creates the required ACLs.
curl -ki -H 'Accept: application/json' -H 'Content-type: application/json' --user 'admin:XXXX' -X POST https://192.168.124.130/wga/reverseproxy/default/mmfa_config -d '{"lmi":{"hostname":"192.168.124.130", "port":443, "username":"admin", "password":"XXXX"}, "runtime":{"hostname":"localhost", "port":443, "username":"easuser", "password":"XXXX"}, "reuse_certs":false, "reuse_acls":false, "reuse_pops":false}'
- Run the AAC MMFA Config API.
This step stores the reverse proxy details in a location where the AAC code can access them.
curl -ki -H 'Accept: application/json' -H 'Content-type: application/json' --user 'admin:XXXX' -X POST https://192.168.124.130/iam/access/v8/mmfa-config -d '{"client_id":"AuthenticatorClient", "hostname":"192.168.124.140", "port":443, "junction":"/mga"}'
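The two commands above pass the admin and easuser passwords as curl arguments and skip certificate verification with -k. The following script is an added example, not IBM's code: it sends the same two requests with the JSON body on stdin, the admin login read from a netrc file, and the LMI certificate checked against a CA file. The variable names (LMI_HOST, LMI_USER, LMI_PASS, RUNTIME_PASS, PROXY_HOST, LMI_CA, LMI_NETRC, MMFA_APPLY) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's code). Variable and function names are assumptions.
# Secrets reach curl through stdin and a netrc file, never through argv.

# Escape backslashes and double quotes for embedding in a JSON string.
# Assumes the values contain no control characters.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Body for POST /wga/reverseproxy/default/mmfa_config (same fields as the page).
# Args: lmi_host lmi_user lmi_password runtime_user runtime_password
rp_payload() {
    printf '{"lmi":{"hostname":"%s","port":443,"username":"%s","password":"%s"},' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
    printf '"runtime":{"hostname":"localhost","port":443,"username":"%s","password":"%s"},' \
        "$(json_escape "$4")" "$(json_escape "$5")"
    printf '"reuse_certs":false,"reuse_acls":false,"reuse_pops":false}'
}

# Body for POST /iam/access/v8/mmfa-config. Args: client_id proxy_host junction
aac_payload() {
    printf '{"client_id":"%s","hostname":"%s","port":443,"junction":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# POST the JSON read from stdin to the URL in $1. The LMI certificate is
# verified against $LMI_CA; the admin login comes from the netrc file $LMI_NETRC.
post_json() {
    curl --fail --silent --show-error --cacert "$LMI_CA" \
        --netrc-file "$LMI_NETRC" \
        -H 'Accept: application/json' -H 'Content-Type: application/json' \
        -X POST --data @- "$1"
}

# Runs only when MMFA_APPLY=1, so loading the functions has no side effects.
if [ "${MMFA_APPLY:-0}" = 1 ]; then
    set -eu
    rp_payload "$LMI_HOST" "$LMI_USER" "$LMI_PASS" easuser "$RUNTIME_PASS" |
        post_json "https://$LMI_HOST/wga/reverseproxy/default/mmfa_config"
    aac_payload AuthenticatorClient "$PROXY_HOST" /mga |
        post_json "https://$LMI_HOST/iam/access/v8/mmfa-config"
fi
```

The netrc file needs a `machine <LMI host> login admin password <password>` entry and should be readable only by its owner.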