2FA in a session-initiated scenario

That will depend on the configuration, are you using an additional AA plugin (with or without SPP?)

If 2FA is controlled by the AA plugin then likely the configuration has a [authentication_cache] section that determines the behavior.

Here is an example of the [authentication_cache]:

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5.1/okta-multi-factor-authentication---tutorial/3#TOPIC-2250498

Thanks!

Hi Tawfiq, they have SPP and SPS joined. Some of them want to use SPP-initiated and once they are logged in (authenticating with 2FA only once, just to access SPP) they do not have to authenticate with 2FA for every session request. Some of them would like to use SPS-initiated but would not want to authenticate with 2FA for every session request. This is the specific point. Is this possible? With which AA plugin it is possible? Thank you very much for your precious help.

PS: their 2FA is with Azure

So, do I also consider the link you sent for this specific scenario or is there something else to consider?

Hi Tawfiq, they have SPP and SPS joined. Some of them want to use SPP-initiated and once they are logged in (authenticating with 2FA only once, just to access SPP) they do not have to authenticate with 2FA for every session request. Some of them would like to use SPS-initiated but would not want to authenticate with 2FA for every session request. This is the specific point. Is this possible? With which AA plugin it is possible? Thank you very much for your precious help.

PS: their 2FA is with Azure

So, do I also consider the link you sent for this specific scenario or is there something else to consider?

1. SPP initiated workflow, yes you can enable Login to SPP with external federation via Azure and enable MFA on Azure AD \ Entra ID side then session requests would not require additional MFA from SPP side

2. SPS initiated workflow that depends on SPP for credential injection,

RDP would require RDP Gateway authentication which supports (Active Directory or Local User Database)

SSH would require SPS Gateway authentication which supports (Password, Public Key, or Kerberos)

There is no current AA plugin that is officially supported for Azure login but only experimental at this point.

Thanks!

perfect, all very clear!
in conclusion, if the user uses the second method described and opens 10 sessions to 10 linux servers, he will never have to authenticate (not even the first time on the first open connection) with 2FA as there is currently no AA plugin that supports 2FA with Azure, correct?

thank you very much Tawfiq, really thank you so much!

Yes but the user would still need to authenticate against SPS as a gateway authentication first, for example using Password option (which supports a backend using Local user database or LDAP or Radius).

That same user must also exist in SPP (with a matching Username AND Identity Provider) and have a SPP entitlement that is pointed at the SPS-initiated connection policy (different policy for SPS initiated workflow) that way SPS would be authorized to fetch credentials of the remote account from SPP for that user.

Thanks!

Hi Tawfiq, i delved into this topic and saw that there is a solution that allows MFA management with AZURE via radius server and its plugin which you can find here: https://github.com/OneIdentity/safeguard-sessions-plugin-radius-mfa (RADIUS MFA)
I see that the plugin is more than 4 years old. Is it still functional? Does the solution work?

Here you can find a solution with these components, Radius and NPS server: Use Microsoft Entra multifactor authentication with NPS - Microsoft Entra ID | Microsoft Learn

thank you so much!

it may work with OTP response but not Push notification is the latter is not yet supported by the SPS Radius client