This page applies to Registry v5.2.0 and later. For Registry v4.x, see Requiring MFA For Access to Registry.
It is possible to configure Registry to require MFA for access to most Registry functions. The specifics of the MFA setup are outside the scope of this documentation, except that the web server or operating system must be able to signal to Registry the status of MFA via environment variables. The environment variable holding the runtime MFA status is referred to as the MFA Assertion Indicator.
Note this documentation only describes requiring MFA for access to the Registry application. It does not describe requiring MFA for integration with downstream applications.
Configuration
Enabling the MFA requirement is a Platform level configuration, available via COmanage CO > ALL > CO Settings. There are three relevant settings:
- MFA Assertion Indicator: The name of the environment variable indicating if MFA was asserted at login
- MFA Assertion Indicator Value: The expected value of the MFA Assertion Indicator variable if MFA was asserted at login
- Enable MFA Exemption Groups: Whether MFA Exemption Groups should be enabled, see below
If MFA is required but not signaled, the requestor will be redirected to the mfa-required Mostly Static Page. While this redirect target cannot be changed, the content of the default page can be modified on a per CO basis. (If a CO can be identified as part of the request, the redirect will be to that CO's Mostly Static Page, otherwise the redirect will be to the COmanage CO's Mostly Static Page.)
Exceptions
Enrollment Flows
The MFA requirement is ignored when an Enrollment Flow is started or an Enrollment Flow Step is dispatched if the authenticated user is not a registered Person within the CO. This allows enrollees whose IdP may not support MFA (or MFA signaling), or who may not have an IdP at all, to complete the enrollment process.
Actors registered in the CO (for example, Approvers) are still subject to MFA when viewing or taking action on a Petition.
MFA Exemption Groups
It is possible to allow COs to exempt individual People from the MFA requirement for access to Registry capabilities within their CO. This is controlled via the Platform level Enable MFA Exemption Groups configuration, accessed via CO Settings as described above. When enabled, each CO's MFA Exemption Group (named CO:mfaexempt) will be checked when accessing Registry resources within that CO. Specifically, if
- The MFA Assertion Indicator configuration is set, and
- The requested action is not an exception (as described elsewhere in this section), and
- The specified environment variable does not match MFA Assertion Indicator Value, and
- Enable MFA Exemption Groups is true, and
- The requested resource is associated with a CO, and
- The requestor is a member of that CO, and
- The requestor is a valid member of the CO's MFA Exemption Group
then the MFA requirement will be ignored.
Because Exemption Groups apply to a CO, it is possible that an individual registered in two COs could be required to have MFA for access to one CO, but be exempt when accessing the other. Furthermore, resources that are not CO specific (including the default landing page) cannot be made exempt. The individual must access a deep link into the CO in order to bypass MFA.
The MFA Exemption Groups are created whenever a new CO is created. Their use in controlling access to Registry is governed by the Enable MFA Exemption Groups setting. If the setting is not enabled, the Groups will still exist, but will not be checked as part of this process.
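The rules above (the Configuration settings, the Enrollment Flow and Mostly Static Page exceptions, and the seven conditions for an Exemption Group to apply) can be hard to check by reading alone. The following is an added example, not COmanage Registry code: a stand-alone model of the decision so that concrete cases can be walked through, such as the same person being exempt in one CO but redirected in another, or an exempt member hitting the non-CO-specific landing page. The configuration field names, the request-context fields, the result labels and the environment variable name MFA_ASSERTED are assumptions for illustration; Registry itself reads these values from CO Settings and its own data model.

```python
"""Added example (not COmanage Registry code): a stand-alone model of the
MFA access decision described in the documentation. Field names, result
labels and the sample environment are assumptions for illustration."""
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple


@dataclass(frozen=True)
class MfaConfig:
    """Platform level CO Settings relevant to MFA (names follow the page)."""
    assertion_indicator: Optional[str]   # env var name; None/empty means MFA is not required
    assertion_indicator_value: str       # value the variable must hold when MFA was asserted
    enable_exemption_groups: bool = False


@dataclass(frozen=True)
class Request:
    """Assumed request context: what Registry knows about one request."""
    co: Optional[str] = None           # CO owning the resource; None for non-CO-specific pages
    registered_in_co: bool = False     # requester is a registered Person in that CO
    exempt_group_member: bool = False  # valid member of the CO's CO:mfaexempt group
    enrollment_flow: bool = False      # starting an Enrollment Flow or dispatching a Step
    mostly_static_page: bool = False   # viewing a Mostly Static Page


def mfa_asserted(cfg: MfaConfig, env: Mapping[str, str]) -> bool:
    """True only if the indicator variable is present and matches exactly.
    An unset variable, or one holding any other value, counts as
    'MFA not signaled', which is the safe default."""
    if not cfg.assertion_indicator:
        return False
    return env.get(cfg.assertion_indicator) == cfg.assertion_indicator_value


def mfa_decision(cfg: MfaConfig, req: Request,
                 env: Optional[Mapping[str, str]] = None) -> Tuple[bool, str]:
    """Return (access_allowed, reason). reason is one of
    not-configured, asserted, exception, exempt, redirect:<CO>,
    where <CO> is the CO whose mfa-required Mostly Static Page is shown."""
    if env is None:
        env = os.environ

    # MFA is only required when an Assertion Indicator is configured.
    if not cfg.assertion_indicator:
        return True, "not-configured"

    if mfa_asserted(cfg, env):
        return True, "asserted"

    # Exceptions from the page: Mostly Static Pages are public, and an
    # authenticated user not yet registered in the CO may complete enrollment.
    if req.mostly_static_page:
        return True, "exception"
    if req.enrollment_flow and not req.registered_in_co:
        return True, "exception"

    # MFA Exemption Groups: every remaining condition must hold. The group is
    # per CO, so a non-CO-specific resource (e.g. the landing page) is never exempt.
    if (cfg.enable_exemption_groups
            and req.co is not None
            and req.registered_in_co
            and req.exempt_group_member):
        return True, "exempt"

    # Otherwise redirect to the mfa-required page of the identified CO,
    # falling back to the COmanage CO's page when no CO could be identified.
    target = req.co if req.co is not None else "COmanage"
    return False, f"redirect:{target}"


if __name__ == "__main__":
    # Constructed configuration and environment for a local run.
    cfg = MfaConfig("MFA_ASSERTED", "true", enable_exemption_groups=True)
    env = {"MFA_ASSERTED": "false"}
    person = Request(co="CO-A", registered_in_co=True, exempt_group_member=True)
    print(mfa_decision(cfg, person, env))      # exempt within CO-A
    print(mfa_decision(cfg, Request(), env))   # landing page: redirect to COmanage CO
```

The comparison in mfa_asserted is exact string equality, so a web server that exports the variable with a different value (or leaves it unset for a session without MFA) is treated as not signaled; this mirrors the page's rule that the variable must match the MFA Assertion Indicator Value.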
Mostly Static Pages
Because Mostly Static Pages are publicly accessible, MFA is not enforced when viewing their content.
Troubleshooting
While troubleshooting the MFA and signaling process is outside the scope of this document, Registry will log its MFA-related decisions to the trace.log, which may facilitate understanding why an individual is or is not required to present MFA for access to Registry resources.
Clearing the MFA Configuration from the Command Line
It is possible to reset the MFA Configuration from the command line using the ResetMfa command. This may be useful if, for example, the MFA configuration is incorrect and it is not possible to log in to update it.
$ cd $APP
$ ./bin/cake ResetMfa
Changes From Earlier Versions
As of Registry v5.2.0
- MFA can be required for access to Registry.
- MFA Exemption Groups are supported.