MEEM is the MFA Enrollment and Exemption Manager. It is intended to coordinate enrollment in Multi-Factor Authentication. MEEM is not tied to any specific MFA technology; instead it is intended to work with Enrollment Flows and, indirectly, Authenticators.


MEEM has various configuration points, but broadly it is intended to integrate with two Enrollment Flows:

  1. A Self Signup or Invitation Flow (the "Initial" Enrollment Flow), used to perform general enrollment into the CO
  2. An MFA Authenticator Enrollment Flow, used to set up a Multi-Factor Authenticator for the Enrollee

Note: The MeemEnroller Plugin is considered Experimental.

Initial Enrollment Flow

The Initial Enrollment Flow should be considered as usual for Self Signup or Enrollment, including whatever Enrollment Attributes are desired. Beyond that, Email Confirmation must be set to either Automatic or Review. Do not Establish Authenticators as part of this flow.

...

  • IdP Identifier Indicator: If set, this is the name of an environment variable that MEEM will examine during enrollment (after the Collect Identifier step) to determine the identifier of the Identity Provider that the Enrollee authenticated with. If this configuration is left blank, MEEM will not record MFA Status (see below).
  • MFA Assertion Indicator: If set, this is the name of an environment variable that indicates that the Identity Provider asserted MFA. The value of the environment variable must be the literal string yes, though this is subject to change in a future release. This setting is only effective if the IdP Identifier Indicator is also set and populated.
  • MFA Exemption CO Group: If set, this is the CO Group used to track which CO People are currently exempt from MFA. If MFA Assertion Indicator is configured and MFA was not asserted, the Enrollee will be added to this CO Group. Membership in this CO Group may also be manually managed.
  • Initial MFA Exemption: If set, when a CO Person is automatically added to the MFA Exemption CO Group, the membership will be set to expire the configured number of hours after being created, allowing for a "grace period" before MFA is required. Note that a Registry Job Shell must be configured to ensure timely reprovisioning of expired CO Group Memberships. See also: Registry Validity Dates.
  • MFA Enrollment Flow: The Enrollment Flow that establishes an MFA Authenticator, described below.
  • Enable MFA Setup Reminder Splash Page: Whether the MFA Setup Reminder Splash Page (described below) is enabled for this configuration.
  • Return URL Allow List: If the MFA Setup Reminder Splash Page is enabled, a list of regular expressions (PHP syntax, including the delimiter, one regular expression per line) for permitted return URLs. Note that all Registry URLs are automatically considered valid, and so need not be added to this list. (ie: There is no need to adjust this setting to redirect into the MFA Enrollment Flow.)
  • API User: If set, the API User granted access to the MEEM REST API, described below.

Configuration Flow Diagram

[Gliffy diagram: meem-initial-config-flow]

MFA Status

If MEEM is configured to record MFA Status, a database entry will be made recording the MeemEnroller configuration, the CO Person ID, the IdP Identifier, and whether or not MFA was asserted. Note MEEM does not currently update MFA Status outside of the Initial Enrollment Flow.

...

  • n: The MeemEnroller configuration ID (ie: cm_meem_enrollers:id).
  • c: The amount of time in seconds before MFA Exemption expires. This value may be obtained using the MEEM REST API, below.
    • The value 0 (zero) should be used to indicate that the exemption period has expired, and the Enrollee must set up MFA.
    • The value -1 should be used to indicate that the exemption period does not have a scheduled end.
  • r: A % encoded URL to redirect the Enrollee to after passing through the splash page. This URL must be permitted by the Return URL Allow List.
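The following is an added illustration, not MEEM's own code, of how the r parameter can be checked against the Return URL Allow List described in the configuration list above: the list is PHP-syntax regular expressions with delimiters, one per line, and Registry's own URLs are accepted without being listed. The Registry base URL, the sample allow list and the sample URLs are constructed for this example.

```php
<?php
// Added illustration (not MEEM's own code): decide whether a %-encoded return
// URL from the splash page's "r" parameter may be redirected to. The allow list
// format (PHP regex with delimiter, one per line) and the "Registry URLs are
// always valid" rule follow the configuration description; the base URL and
// patterns below are constructed sample values.
function returnUrlPermitted(string $encodedUrl, string $allowList, string $registryBase): bool
{
    $url = rawurldecode($encodedUrl);

    // Only absolute http(s) URLs with a host are eligible. This rejects
    // javascript:, data: and scheme-relative values before any pattern runs.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // Registry URLs are automatically valid: same scheme, host and port, and a
    // path at or below the Registry base path.
    $base     = parse_url($registryBase);
    $basePath = rtrim($base['path'] ?? '/', '/');
    $path     = $parts['path'] ?? '/';
    if (strcasecmp($parts['scheme'], $base['scheme']) === 0
        && strcasecmp($parts['host'], $base['host']) === 0
        && ($parts['port'] ?? null) === ($base['port'] ?? null)
        && ($path === $basePath || strpos($path, $basePath . '/') === 0)) {
        return true;
    }

    // Otherwise at least one configured expression must match. An invalid
    // pattern makes preg_match() return false, which is treated as no match.
    foreach (preg_split('/\R/', $allowList) as $pattern) {
        $pattern = trim($pattern);
        if ($pattern !== '' && @preg_match($pattern, $url) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample configuration. The patterns are anchored with ^ so that an
// allowed host appearing in the query string of another host's URL does not match.
$allowList    = "#^https://portal\\.example\\.edu/#\n#^https://apps\\.example\\.edu/(mfa|home)(/|$)#";
$registryBase = 'https://registry.example.edu/registry';

$portalReturn   = returnUrlPermitted(rawurlencode('https://portal.example.edu/dashboard'), $allowList, $registryBase);
$registryReturn = returnUrlPermitted(rawurlencode('https://registry.example.edu/registry/co_people'), $allowList, $registryBase);
$foreignReturn  = returnUrlPermitted(rawurlencode('https://other.example.net/?next=https://portal.example.edu/'), $allowList, $registryBase);
var_dump($portalReturn, $registryReturn, $foreignReturn);
```

Unanchored patterns (for example `#portal\.example\.edu#`) would accept the third URL as well, so each allow-list entry should pin down scheme and host.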

...