Azure Multi-factor Authentication

This documentation provides a high-level introduction to using vFire Core with Azure Multi-factor Authentication and Azure Active Directory.

Multi-factor authentication (MFA) is a method of authentication that requires more than one independent verification method. It adds a critical second layer of security to user sign-ins by combining:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)

The security of multi-factor authentication lies in its layered approach: compromising more than one factor is significantly harder for an attacker than compromising one. Even if an attacker learns the user's password, it is useless without possession of the trusted device. Should the user lose the device, whoever finds it cannot use it without also knowing the password. Note what this does and does not protect against: MFA defeats a stolen or guessed password, but a code read out by phone or sent by text message can still be relayed by a phishing page that proxies the real sign-in in real time, so users should be taught to check that they are on the genuine Azure sign-in page before entering either factor.

Azure Multi-factor Authentication helps safeguard access to data and applications while keeping the sign-in process simple for users. It delivers strong authentication through a range of verification options: phone call, text message, mobile app notification or mobile app verification code.

Alemba uses Azure Multi-factor Authentication* in conjunction with the Alemba SSO integration module to provide connectivity to Azure Active Directory* using SAML authentication (for further information see the SSO Technical Reference Guide).

*Azure services are not provided as part of the Alemba Cloud offering. Pricing and further information on Azure can be found at https://azure.microsoft.com

Multi-factor Authentication User Transaction Steps for vFire

The vFire User or Analyst requests access to the application by loading an appropriate vFire URL in a browser. vFire detects this request, generates a SAML request and redirects the User/Analyst's browser to the Azure portal login URL.

The Azure authentication service detects that the user has been configured to use the Multi-factor Authentication service and directs the user to a configuration page. The user selects the method they prefer from a predefined set of verification methods:

  • Phone call
  • Text message
  • Mobile app notification
  • Mobile app verification code

Once the user has chosen and configured their preferred verification method, the setup of MFA is complete. The user is then able to log in and verify their account with the method selected. User configuration of MFA is only required on the User/Analyst's first login with Azure Multi-factor Authentication.

Azure Multi-factor Authentication authenticates the User/Analyst. The SAML response is passed back to the User/Analyst's browser, which sends it to the vFire URL. Once vFire has verified the response, the User/Analyst is logged into the vFire application.

Multi-Factor Authentication Technical Transaction Steps for vFire

The User/Analyst's browser requests the vFire URL to log in to the application. vFire SSO intercepts the request and redirects the browser to the Azure portal login. The Azure portal login accepts the User/Analyst's AD credentials and then requests multi-factor authentication, while the Azure MFA service presents the User/Analyst with their configured verification method.

The User/Analyst supplies the second factor to the Azure portal login, which passes it to the MFA service. Once the MFA verification is authorised, the Azure AD service generates a signed SAML assertion and returns it to the User/Analyst's browser. The browser in turn posts it to the vFire Core SSO service for verification: the signature, issuer, audience, validity window and the ID of the original request must all check out, otherwise the assertion is rejected. Once the SAML assertion is verified, the User/Analyst is logged in and redirected to the vFire Core application.
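The two transaction walkthroughs above describe a standard SP-initiated SAML 2.0 login in which vFire is the service provider (SP) and Azure AD the identity provider (IdP). The following Python example is added here to make the three SP-side steps concrete; it is not code from vFire, Alemba or Microsoft. It builds the AuthnRequest and encodes it for the HTTP-Redirect binding (the redirect to the Azure login URL), constructs a sample Response in the shape an IdP returns, and then performs the assertion-level checks the SP must make before treating the user as logged in. The entity IDs, URLs, user name, tenant GUID and fixed clock are hypothetical placeholders, and the sample Response is constructed, unsigned demo data. XML signature verification is deliberately out of scope: a real SP verifies the IdP's signature first (with an XML-DSig library and a hardened XML parser), and only then applies the checks shown here.

```python
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Standard SAML 2.0 namespaces and the success status URI.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical deployment values (assumptions for the demo, not real endpoints).
SP_ENTITY_ID = "https://vfire.example.com/vfire"
ACS_URL = "https://vfire.example.com/vfire/sso/acs"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # fixed clock for the demo


def saml_time(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    s = s.rstrip("Z")  # SAML timestamps are UTC; fractional seconds are optional
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)


def build_authn_request(request_id=None, issued_at=NOW):
    """Step 1: the SP builds the AuthnRequest and remembers its ID for later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(issued_at)}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml


def redirect_url(authn_request_xml, relay_state):
    """Step 2: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    q = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(q)


def decode_saml_request(url):
    """What the IdP does on receipt: reverse the redirect-binding encoding."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def sample_response(in_response_to, audience=SP_ENTITY_ID, age_seconds=0, valid_for=300,
                    name_id="analyst@example.com"):
    """Constructed, unsigned Response in the shape an IdP returns (demo data only)."""
    issued = NOW - dt.timedelta(seconds=age_seconds)
    nb, noa = saml_time(issued), saml_time(issued + dt.timedelta(seconds=valid_for))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="{nb}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{noa}" '
            f'InResponseTo="{in_response_to}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion></samlp:Response>')


def validate_response(response_xml, expected_request_id, now=NOW, skew=dt.timedelta(seconds=60)):
    """Step 3: checks the SP makes AFTER the XML signature is verified. Returns the NameID."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != ACS_URL:
        raise ValueError("not a Response addressed to our ACS")
    if root.get("InResponseTo") != expected_request_id:  # request IDs are single-use
        raise ValueError("unsolicited or replayed response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if IDP_ENTITY_ID not in (root.findtext("saml:Issuer", namespaces=NS),) or \
            a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("issuer is not our IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) - skew <= now
                            < parse_time(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # a token minted for another app must not log in here
        raise ValueError("assertion was issued for another application")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != expected_request_id
            or now >= parse_time(scd.get("NotOnOrAfter")) + skew):
        raise ValueError("bearer confirmation does not match this login")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in assertion")
    return name_id


def rejection_reason(response_xml, expected_request_id, now=NOW):
    """Demo helper: why a response is rejected, or None if it is accepted."""
    try:
        validate_response(response_xml, expected_request_id, now)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    rid, req = build_authn_request()
    print("redirect to:", redirect_url(req, "/vfire/core")[:90], "...")
    print("accepted as:", validate_response(sample_response(rid), rid))
    print("replay:", rejection_reason(sample_response("_stale"), rid))
    print("wrong audience:", rejection_reason(sample_response(rid, audience="https://other.example"), rid))
    print("expired:", rejection_reason(sample_response(rid, age_seconds=600), rid))
```

The request ID returned by build_authn_request should be stored server-side (tied to the browser session) and deleted once a matching response has been consumed, so a captured response cannot be replayed. Each rejection branch corresponds to a classic SAML service-provider mistake: accepting an assertion minted for a different application, accepting one long after its NotOnOrAfter, or accepting a response that was never requested.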