Set up multi-factor authentication
These steps use the Element API to set up your cluster for multi-factor authentication through a third-party SAML Identity Provider (IdP). Details of each API method can be found in the Element API Reference.

1. Create a new third-party Identity Provider (IdP) configuration for the cluster by calling the following API method and passing the IdP metadata as a JSON string:

   CreateIdpConfiguration

   The IdP metadata is an XML document exported from the third-party IdP. Because the Element API request body is JSON, the XML must be escaped as a JSON string value (quotes, backslashes and line breaks encoded) before it is passed in the call. Any JSON library does this automatically when it serializes the request; if you are assembling the call by hand, a JSON escaping tool such as https://freeformatter.com/json-escape.html can do it. Verify that the escaped result is still well-formed JSON before sending it.

2. Retrieve the cluster metadata URL, spMetadataUrl, to copy to the third-party IdP by calling the following API method:

   ListIdpConfigurations

   spMetadataUrl is the URL from which the IdP retrieves the cluster's service provider (SP) metadata in order to establish the trust relationship. Register this SP metadata with the IdP.

3. Configure SAML assertions on the third-party IdP to include the "NameID" attribute, which uniquely identifies a user for audit logging and is required for Single Logout to work correctly.

4. Create one or more cluster administrator user accounts that are authenticated by the third-party IdP and authorized by the cluster, by calling the following API method:

   AddIdpClusterAdmin

   The username for the IdP cluster administrator must match a SAML attribute Name/Value pair released by the IdP, for example:

   - email=bob@company.com, where the IdP is configured to release an email address in the SAML attributes; this grants access to that single user.
   - group=cluster-administrator, where the IdP is configured to release a group attribute; every user the IdP places in that group gets access.

   The SAML attribute Name/Value matching is case-sensitive for security purposes, so the username must reproduce the attribute name and value exactly as the IdP releases them.

5. Enable MFA for the cluster by calling the following API method:

   EnableIdpAuthentication

   Complete step 4 first, so that at least one administrator can log in through the IdP once it is enabled.
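The following Python script walks through the whole procedure above as an added example; it is not NetApp code and is not taken from the Element API Reference. It builds the JSON-RPC request bodies for CreateIdpConfiguration, ListIdpConfigurations, AddIdpClusterAdmin and EnableIdpAuthentication, shows that serializing the request with a JSON library handles the escaping of the XML IdP metadata (so no separate escaping tool is needed), extracts spMetadataUrl from a ListIdpConfigurations reply, and refuses an IdP cluster admin username that is not an exact Name=Value mapping. The parameter and field names (idpName, idpMetadata, idpConfigInfo, spMetadataUrl, idpConfigurationID, username, access, acceptEula), the access level strings and the endpoint path /json-rpc/12.0 are assumptions from my reading of the API reference and should be checked against the reference for your cluster's API version; the IdP metadata and the list response are constructed sample data.

```python
"""Element API (JSON-RPC over HTTPS) calls for IdP-based MFA setup.

Added example for this page; not NetApp code. Parameter and field names,
access level strings and the endpoint path are assumptions taken from my
reading of the Element API Reference: verify them for your API version.
"""
import base64
import json
import ssl
import urllib.request

# Assumed endpoint path; the version segment differs between Element releases.
API_PATH = "/json-rpc/12.0"

# Constructed stand-in for the XML metadata exported by a third-party IdP.
CONSTRUCTED_IDP_METADATA = (
    '<?xml version="1.0"?>\n'
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\n'
    '    entityID="https://idp.example.test/saml">\n'
    '  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    '    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
    '        Location="https://idp.example.test/sso"/>\n'
    '  </md:IDPSSODescriptor>\n'
    '</md:EntityDescriptor>\n'
)

# Constructed stand-in for a ListIdpConfigurations reply (field names assumed).
CONSTRUCTED_LIST_RESPONSE = {
    "id": 2,
    "result": {
        "idpConfigInfo": [
            {
                "idpConfigurationID": "f983c602-12f9-4c67-b214-bf505185cfed",
                "idpName": "example-idp",
                "enabled": False,
                "spMetadataUrl": "https://cluster.example.test/auth/ui/saml2/metadata",
            }
        ]
    },
}


def rpc_body(method, params, request_id=1):
    """Serialize one JSON-RPC call. json.dumps escapes the quotes and line
    breaks in the XML metadata, which is exactly what step 1 requires."""
    return json.dumps({"method": method, "params": params, "id": request_id})


def decode_rpc(body):
    """Inverse of rpc_body; used to confirm the escaped metadata round-trips."""
    return json.loads(body)


def create_idp_configuration(idp_name, metadata_xml):
    return rpc_body("CreateIdpConfiguration",
                    {"idpName": idp_name, "idpMetadata": metadata_xml})


def list_idp_configurations():
    return rpc_body("ListIdpConfigurations", {})


def sp_metadata_url(list_response, idp_name):
    """Return (idpConfigurationID, spMetadataUrl) for the named IdP configuration."""
    for cfg in list_response["result"]["idpConfigInfo"]:
        if cfg["idpName"] == idp_name:
            return cfg["idpConfigurationID"], cfg["spMetadataUrl"]
    raise KeyError(f"no IdP configuration named {idp_name!r}")


def parse_idp_admin_username(username):
    """Split an IdP admin username into (attributeName, value). Deliberately no
    case folding or trimming: the cluster matches the SAML attribute exactly."""
    name, sep, value = username.partition("=")
    if not sep or not name or not value:
        raise ValueError("IdP cluster admin username must be 'attributeName=value'")
    return name, value


def add_idp_cluster_admin(username, access=("administrator",)):
    parse_idp_admin_username(username)  # fail early on a malformed mapping
    return rpc_body("AddIdpClusterAdmin",
                    {"username": username, "access": list(access), "acceptEula": True})


def enable_idp_authentication(idp_configuration_id):
    return rpc_body("EnableIdpAuthentication",
                    {"idpConfigurationID": idp_configuration_id})


def send(mvip, body, user, password, cafile=None):
    """POST one serialized call to the cluster MVIP, authenticating as an existing
    local cluster admin with HTTP basic auth. Network call; not exercised offline."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{mvip}{API_PATH}", data=body.encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)  # verify the cluster certificate
    with urllib.request.urlopen(req, context=ctx) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


if __name__ == "__main__":
    print(create_idp_configuration("example-idp", CONSTRUCTED_IDP_METADATA))   # step 1
    cfg_id, url = sp_metadata_url(CONSTRUCTED_LIST_RESPONSE, "example-idp")   # step 2
    print("copy SP metadata to the IdP from:", url)
    print(add_idp_cluster_admin("email=bob@company.com"))                     # step 4
    print(add_idp_cluster_admin("group=cluster-administrator", ("read", "reporting")))
    print(enable_idp_authentication(cfg_id))                                  # step 5
```

Against a live cluster, pass each body from the script to send() in the order of the steps, and do step 3 (the NameID assertion) in the IdP's own console between steps 2 and 4. The parse_idp_admin_username check exists because a username such as "Email=bob@company.com" is a different mapping from "email=bob@company.com" to the cluster; the script preserves the case you typed rather than normalizing it.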