Discuss/Define: User Authentication via Workforce IdP

[jischr]

topic should cover

• set up user authentication via federated relationship with a customer's workforce IdP

[joninusa]

This could include sharing MFA timeout or retry settings.e.g. For automated authentications, when MFA is required, don't exceed the retries to prevent account lockouts from a trusted source
Examples:
https://help.zscaler.com/zscaler-client-connector/configuring-automatic-zpa-reauthentication
https://www.reddit.com/r/fortinet/comments/1c822np/issues_with_forticlient_causing_duo_mfa_causing/
https://pages.nist.gov/800-63-4/sp800-63b.html (3.2.2 Rate Limiting (Throttling) {The goal of this would be to prevent excessive retries}

[joninusa]

Add Location sharing which can include the real client IP address

[dhs-BI]

@joninusa can you describe more about "automated authentications" and the use cases that would require them?

[joninusa]

@joninusa can you describe more about "automated authentications" and the use cases that would require them?

I updated my original comment, does this answer your question?

[dhs-BI]

Yes, that helps. My perspective is that the user should be involved in the authentication ceremony, e.g. NIST S800-63B and the concept of activation secrets for multifactor cryptographic authenticators. However, we should collect the relevant use cases for silent/automated authentication of the user and determine whether they are in/out of scope for IPSIE.