OTP By Resources

How can I implement two-factor authentication per resource?
Example: Authenticated user in the application, but I have resource A and resource B, for which I only want OTP without user authentication. There is the API to run this flow.

Hello and welcome to the privacyIDEA community.

What do you mean by “OTP without user authentication”?

Do you mean “OTP without a static password” (i.e. Username and OTP) or do you mean OTP without anything else, even without username?

(Do you know what is funny: My question to actually understand your initial question contains more characters than your initial question itself)

Sorry, I want the following scenario after the user is authenticated: on certain resources I want to request an OTP. Example: Resource A - OTP / Resource B - User authentication only

Do you mean one of the below scenarios?

Scenario A

  1. User authenticates with AD Username/Password
  2. If resource is designated as needing OTP, request OTP.
    a. Direct user to input OTP
    b. Validate OTP against PrivacyIDEA.
    c. Forward user on successful authentication to resource.
  3. If resource is designated as needing AD only, allow access to resource

Scenario B

  1. If resource is designated as needing OTP, request OTP
    a. User enters AD Username/OTP
    b. Validate AD username/OTP against PrivacyIDEA with AD as backend user store.
    c. Forward user on successful authentication to resource.
  2. If resource is designated as needing AD only, request user AD credentials

Exact. This scenario is possible to do with PrivacyIDEA.

I gave two different scenarios… which one is ‘Exact’?

“Scenario A” would be ideal at this point.

Thanks to both.
@Emerson_Orlando This is possible. Now it depends on what your “resources” actually are.
You can either do this on the resource level or in different ways in privacyIDEA.

But this depends on your “resources”.
Being it different URLs in an application?
Different Applications?
Different IP addresses?
WHICH applications?

In my case they would be different URLs. Example:
www.xxx.com/analysis - (authenticates with AD Username/Password)
www.xxx.com/acquire_products - (This one requests OTP)

This is possible. How this would be done depends - as already mentioned - on your application.
You need to provide more information.
We are not here to guess your thoughts! No one is. If you want to communicate, you need to talk!
If you think you cannot share your secret application for security reasons or privacy reasons, then you should not use a public forum at all.

It might be a good idea to read this: https://www.privacyidea.org/getting-help/

No one can tell you how you can configure different 2FA policies if you do not tell us what application or mechanism you are actually using. Are you doing basic authentication? Which browser, which module? Are you doing 2FA in your application? Which application?

The more information you provide, the more likely it is that you get an answer. People will not help if it is too complicated to help. If I get the impression that the guy who wants help does not put any effort into asking, then the helper will obviously get tired. I am.

Have you read this? This is a must! Is privacyIDEA an open source or a commercial solution

Never done it, but I have seen here and there that you can configure a web server to redirect to PI for MFA. I’m guessing you’d use the appropriate application plugin for your web server. Set up the web server to perform AD authentication globally, and then on the specific virtual directories you want MFA authentication for, you’d configure the application plugin to do the redirection. I’m only slightly familiar with IIS and know you can do global/site-specific settings; not sure Apache, Nginx, etc… can do the same.
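Scenario A applied to the two URLs given in the thread, as an added example that is not code from this thread or from the privacyIDEA project: an AD-authenticated request to /analysis passes straight through, while /acquire_products is first sent to an OTP prompt and the OTP is then checked against privacyIDEA's /validate/check endpoint. The privacyIDEA base URL, the path table, the token-without-PIN setup and the sample response body are assumptions.

```python
from typing import Optional
import json
import urllib.parse
import urllib.request

# Paths from the thread's example that need an OTP on top of the AD login.
OTP_REQUIRED_PREFIXES = ("/acquire_products",)
# Constructed sample of a successful /validate/check body (not a real capture).
SAMPLE_OK = b'{"jsonrpc":"2.0","result":{"status":true,"value":true},"detail":{"message":"matching 1 tokens"}}'


def requires_otp(path: str) -> bool:
    """Scenario A step 2: is this path designated as needing OTP?"""
    clean = urllib.parse.urlsplit(path).path.rstrip("/") or "/"
    return any(clean == p or clean.startswith(p + "/") for p in OTP_REQUIRED_PREFIXES)


def otp_accepted(body: bytes) -> bool:
    """Interpret a /validate/check JSON body: grant only when result.status
    is true (call succeeded) AND result.value is true (OTP matched)."""
    try:
        result = json.loads(body)["result"]
        return result.get("status") is True and result.get("value") is True
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed or error response: always deny


def check_otp(pi_base_url: str, user: str, otp: str, opener=urllib.request.urlopen) -> bool:
    """Step 2b: POST user + OTP to privacyIDEA's /validate/check.
    'pass' is PIN+OTP in privacyIDEA, so this assumes a token without PIN;
    the AD password was already checked in step 1 and is never sent here."""
    data = urllib.parse.urlencode({"user": user, "pass": otp}).encode()
    req = urllib.request.Request(pi_base_url.rstrip("/") + "/validate/check",
                                 data=data, method="POST")
    with opener(req, timeout=5) as resp:  # opener is injectable for offline tests
        return resp.status == 200 and otp_accepted(resp.read())


def decide(path: str, ad_authenticated: bool, otp_response: Optional[bytes] = None) -> str:
    """Scenario A as one decision: 'allow', 'need_otp' or 'deny'."""
    if not ad_authenticated:        # step 1 failed: nothing else matters
        return "deny"
    if not requires_otp(path):      # step 3: AD-only resource
        return "allow"
    if otp_response is None:        # step 2a: send the user to the OTP prompt
        return "need_otp"
    return "allow" if otp_accepted(otp_response) else "deny"  # steps 2b/2c
```

Note that a web-server plugin in front of the application, as suggested in the last post, moves the same per-path decision out of the application code; what stays the same is that only a true `result.status` together with a true `result.value` counts as a matched OTP.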