Force MFA with Credential Provider but only for specific AD groups?

Charburner · December 27, 2023, 4:24pm

Hey guys,

is it possible to force only specific Active Directory users/groups to use MFA on Windows machines although having the privacyIDEA Credential Provider installed and configured as the only valid provider?

I’m thinking of following scenario:

there are Windows workstations where normal users should be allowed to login without MFA, just by entering username and password
these computers are administrated by special “workstation admin” users (implementing admin tiering)
these admins should be forced to use MFA, so I would need to configure CP to be the only valid credential provider

But how (if even possible) would I exclude the normal workstation users from being forced to use MFA?
Maybe with a different policy which says “ok normal user, you do not need any token”?

Thanks in advance for any kind of response

Have a nice day!

Charburner · December 29, 2023, 10:08am

For now I will test things with the authentication policy actions “passOnNoToken” and “passthru”

cornelinux · January 2, 2024, 11:39pm

There is no such configuration in the credential provider.

All authentication requests are sent to privacyIDEA and the server will decide whether a user has to use a token or if the second factor is correct.

This is right, you have to rethink the logic, just like you went with certain policies like passonnotoken…

Charburner · January 3, 2024, 1:35pm

Thanks, I solved it by adding an additional ldapresolver with basedn “ou=normal users” and two policies (authentication: “passOnNoToken: true”, webui: “login_mode: disable”).
I’m of course not entirely sure you should do it this way - but it works as intended.