Additional information for multi-factor authentication


You should be aware of the following caveats in relation to multi-factor authentication.

  • To refresh IdP certificates that are no longer valid, you must use a non-IdP admin user to call the following API method: UpdateIdpConfiguration

  • MFA is incompatible with certificates that are less than 2048 bits in length. By default, a 2048-bit SSL certificate is created on the cluster. Avoid setting a smaller certificate when calling the API method: SetSSLCertificate

    Note: If the cluster is using a certificate that is less than 2048 bits before the upgrade, the cluster certificate must be updated with a 2048-bit or greater certificate after upgrade to Element 12.0 or later.
  • IdP admin users cannot be used to make API calls directly (for example, via SDKs or Postman) or used for other integrations (for example, OpenStack Cinder or vCenter Plug-in). Add either LDAP cluster admin users or local cluster admin users if you need to create users that have these abilities.
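
A pre-flight check for the certificate-size caveat above, added here as an example and not part of the product documentation: it reads the RSA modulus length from a PEM certificate before the certificate is passed to SetSSLCertificate. It assumes an RSA certificate; `rsa_bits`, `mfa_compatible` and `sample_cert` are hypothetical names, and the sample certificate is a constructed, unsigned skeleton with a placeholder key.

```python
import base64

MIN_BITS = 2048                                 # smallest size the page allows with MFA
RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption

def _tlv(buf, pos):                             # -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form DER length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):                 # elements inside a constructed value
    while start < end:
        tag, s, e = _tlv(buf, start)
        yield tag, s, e
        start = e

def rsa_bits(pem):
    """RSA modulus size in bits of a PEM certificate; ValueError if not RSA."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, s, e = _tlv(der, 0)                      # Certificate
    _, s, e = _tlv(der, s)                      # tbsCertificate
    fields = list(_children(der, s, e))
    skip = 1 if fields[0][0] == 0xA0 else 0     # optional [0] version
    alg, key = _children(der, *fields[5 + skip][1:])   # subjectPublicKeyInfo
    _, o1, o2 = next(_children(der, alg[1], alg[2]))
    if der[o1:o2] != RSA_OID:
        raise ValueError("not an RSA certificate")
    _, s, _ = _tlv(der, key[1] + 1)             # RSAPublicKey inside the BIT STRING
    _, ms, me = _tlv(der, s)                    # modulus INTEGER
    return int.from_bytes(der[ms:me], "big").bit_length()

def mfa_compatible(pem):
    return rsa_bits(pem) >= MIN_BITS

def _der(tag, body):                            # encoder, used only to build the sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(bits):                          # constructed, unsigned skeleton; placeholder key
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b"")) + _der(0x03, b"\0" + rsa))
    seq = _der(0x30, b"")                       # empty stand-in for names, validity, algorithm
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + seq * 4 + spki)
    body = base64.encodebytes(_der(0x30, tbs + seq + _der(0x03, b"\0"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
```

Run `mfa_compatible()` on the PEM text you intend to send; a `False` result or a `ValueError` means the certificate should not be set on a cluster that uses MFA without further review.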