Question

PRA - Email based MFA

  • March 26, 2026
  • 4 replies
  • 43 views


Hello, I see there is only a TOTP MFA option in PRA. We are using PRA for external vendor access, where the accounts are reviewed quarterly, but as the number of vendors grows, manual errors might increase. Also, as the review cannot be made more frequent, there is a possibility that a terminated vendor user still has access, as they know their PRA login password and have TOTP MFA configured using a personal mobile device. These user identities are in Active Directory as well as the PRA internal DB. Is there any way to implement email-based MFA so that a terminated user will immediately lose access, as they won't have access to company email?

I see RADIUS auth and Okta can be used; both have separate trade-offs.

4 replies


Quick question: are we using the Vendor Portal or another Security Provider for authentication to PRA for those vendors? If they sign in to PRA with an AD account, they should not be able to log in if the account is disabled in AD.

If they are considered two different identities, one in AD and the other local to PRA, I could see an automation script checking your AD PRA accounts and, if one is disabled, disabling the same account in PRA. This requires, though, that naming conventions are followed, etc. Or let your SCIM take action on provisioning and de-provisioning.

Worth noting: in PRA, all users who sign in using different Security Providers are considered different users.


Author · April 6, 2026

Thank you @Jens Hansen.
We are not using the Vendor Portal.
We actually have two separate use cases. In the first, external vendor accounts are created in a separate Active Directory, which is linked with PRA as an LDAP provider.
In the other use case, the accounts are created in the PRA internal/local provider.
In both cases, PRA enforces TOTP MFA.
Active Directory or PRA local accounts are reviewed quarterly (the review happens outside of PRA, where we reach out to the vendor to confirm whether the account is still needed). If a user is terminated before the review, there is currently no reliable way to terminate the access/account. If email-based MFA is possible, we can effectively terminate the access as soon as the external vendor user loses access to their company email address, which we have set on the PRA local user / Active Directory user.



That sounds like a feature request that could be useful.

I would consider using the Vendor Portal instead and, by default, configure those users with an expiration on the accounts, as these are two different accounts.

Then you could create an API script to take action on the account when it is disabled in AD, as you do have a common email, etc.

Jens
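The reconciliation script suggested in the two replies above (match PRA local users to their AD counterparts by the shared email address, then disable the PRA account when the AD account is disabled) is sketched here as an added example; it is not BeyondTrust code and assumes nothing about the real PRA API. The AD attribute names (sAMAccountName, mail, userAccountControl) and the ACCOUNTDISABLE bit are real Active Directory; the PRA user shape and the disable callback are hypothetical, and the sample data is constructed. The example also handles the two cases where blindly disabling would be wrong: a PRA user with no AD match (orphan) and an email shared by more than one AD account (ambiguous), both of which are routed to manual review instead.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Real Active Directory userAccountControl bit meaning "account is disabled".
ACCOUNTDISABLE = 0x0002

# Constructed sample export from the vendor AD (attribute names mirror AD).
AD_USERS = [
    {"sAMAccountName": "v-alice", "mail": "Alice@VendorA.example", "userAccountControl": 0x200},
    {"sAMAccountName": "v-bob",   "mail": "bob@vendora.example",   "userAccountControl": 0x202},
    {"sAMAccountName": "v-carol", "mail": "carol@vendorb.example", "userAccountControl": 0x202},
    {"sAMAccountName": "v-dan",   "mail": "shared@vendorc.example", "userAccountControl": 0x200},
    {"sAMAccountName": "v-dan2",  "mail": "shared@vendorc.example", "userAccountControl": 0x202},
]

# Constructed sample listing of PRA local users. This dict shape is hypothetical;
# the real PRA API is not assumed here.
PRA_USERS = [
    {"username": "vendor.alice", "email": "alice@vendora.example", "enabled": True},
    {"username": "vendor.bob",   "email": "bob@vendora.example",   "enabled": True},
    {"username": "vendor.carol", "email": "carol@vendorb.example", "enabled": False},
    {"username": "vendor.erin",  "email": "erin@vendord.example",  "enabled": True},
    {"username": "vendor.dan",   "email": "shared@vendorc.example", "enabled": True},
]


def normalize_email(addr: Optional[str]) -> Optional[str]:
    """Case-fold and trim so 'Alice@VendorA.example' matches 'alice@vendora.example'."""
    if not addr:
        return None
    return addr.strip().lower() or None


def is_disabled(ad_user: dict) -> bool:
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(ad_user.get("userAccountControl", 0) & ACCOUNTDISABLE)


@dataclass
class ReconcileResult:
    to_disable: list = field(default_factory=list)        # PRA users whose AD account is disabled
    already_disabled: list = field(default_factory=list)  # AD disabled and PRA already disabled
    orphans: list = field(default_factory=list)           # no AD account with that email
    ambiguous: list = field(default_factory=list)         # email shared by >1 AD account


def index_ad_by_email(ad_users: list) -> dict:
    """Group AD accounts by normalized mail attribute; a shared address yields a list of >1."""
    by_email: dict = {}
    for u in ad_users:
        e = normalize_email(u.get("mail"))
        if e:
            by_email.setdefault(e, []).append(u)
    return by_email


def reconcile(ad_users: list, pra_users: list) -> ReconcileResult:
    """Decide, per PRA local user, whether its AD counterpart says it should be disabled."""
    by_email = index_ad_by_email(ad_users)
    res = ReconcileResult()
    for p in pra_users:
        e = normalize_email(p.get("email"))
        matches = by_email.get(e, []) if e else []
        if not matches:
            res.orphans.append(p["username"])       # cannot tie to AD: needs human review
            continue
        if len(matches) > 1:
            res.ambiguous.append(p["username"])     # never act on an uncertain match
            continue
        if is_disabled(matches[0]):
            if p.get("enabled", True):
                res.to_disable.append(p["username"])
            else:
                res.already_disabled.append(p["username"])
    return res


def apply(result: ReconcileResult, disable_fn: Callable[[str], None], dry_run: bool = True) -> list:
    """Emit an action log; call the operator-supplied disable_fn only when dry_run is False."""
    actions = []
    for name in result.to_disable:
        actions.append(("disable", name))
        if not dry_run:
            disable_fn(name)
    for name in result.orphans + result.ambiguous:
        actions.append(("review", name))
    return actions


if __name__ == "__main__":
    r = reconcile(AD_USERS, PRA_USERS)
    for action in apply(r, disable_fn=lambda n: None, dry_run=True):
        print(action)
```

Run it on a schedule far shorter than the quarterly review, keep `dry_run=True` until the orphan and ambiguous lists are empty or understood, and log every action so the next review can confirm the automation did what the AD state said it should.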


I realize you also have Password Safe.

Give the users two accounts, but have it all AD-joined instead and use Account Mapping for granting access to their privileged account without seeing the password. They don't need to know about Password Safe either.

Once you disable the AD account, they are unable to access.

Jens