Question

MultiFactor Authentication for external connections

asked on July 17, 2019

We have a customer that is looking to add multifactor authentication, but they only want it to apply to users coming from outside their network. So if a user is at their office (inside the domain network), they are not prompted to use multifactor, but if they are accessing while away from the office (outside the domain network), they do use multifactor authentication.

We would like to request that the multifactor be controlled by the LFDSSTS so that they can turn it on or off based on which LFDSSTS server you are authenticating with.

1 0

Replies

replied on July 23, 2019

Yes, my customer is looking for the ability to have the added layer of security that is provided with MFA for all out of network connections while at the same time not being so onerous for in network connections.

Ideally we would like to control (turn on/off) the MFA by the LFDSSTS site, but control by user or group would also be a good addition.

My customer has some AD users that when in the field (out of the domain/network) should be using MFA and then they have some LFDS users (always out of domain/network) that should always use MFA.

They are currently looking into using Azure AD with ADFS and that should give them the ability to have the MFA for out of network users while bypassing MFA for in network users.

It looks like it should be achievable already with Azure AD.  If you are already using (or thinking about using) Azure AD, this is great, but if you do not already use Azure, this would require additional (non-LF) costs to implement.  So while it can be achieved with Azure AD, it would still be nice for LF to support this directly.

2 0
replied on July 23, 2019

Thanks for the additional information!

The current plan for MFA for LFDS users is to support a per-user option in addition to a site-wide default of on/off for LFDS users. You will be able to search by MFA status on the user listing for easier bulk changes.

0 0
replied on July 22, 2019

Hi Bert and Ben,

What kind of users are these?

Currently, we have MFA for global Laserfiche users on our roadmap, but we were not planning on adding it for external directory users since there are a variety of MFA options for non-Laserfiche users already, including powerful options like geofencing.

My understanding of your current request is that you would like MFA required/not required to be something you control per STS installation so that your external-facing STS would require it while your internal STS would not. Is that correct?

If so, I will put it in our feature request list and link back to this post so we know to update you when we have evaluated it further.

1 0
replied on July 18, 2019

I'd like this as well. MFA is quickly becoming a standard and is appearing in tenders, in the UK.

0 0
replied on July 23, 2019

Hi Brianna, 

If by "global users" you mean LFDS and AD synchronised users, but not AD FS or repository users, then yes, everything you said is what I'm after.

Is there a rough date?

That would be great if you could link back here. Thanks! 

0 0
replied on July 23, 2019

The initial MFA release does not include AD users. AD users can support MFA through AD FS, LDAP, or SAML. We are also planning to release SAML authentication for existing AD users for people who wish to update their authentication method for their current users. It will support the Laserfiche users you can create within LFDS.

Do you have a lot of customers that want MFA for AD users only within Laserfiche? If so, have they tried implementing MFA through Active Directory, e.g., using AD FS?

Regarding ETA: the initial MFA support is targeted for before Empower 2020. The per-STS setting needs more research before it would be put on the roadmap.

0 0