As admin I want to disable MFA for the SSO login so that users can use the identity provider's MFA without weakening the local authentication process.
Q1 - What is the problem that you are trying to solve?
When using SSO with OpenID, users still have to pass the local Passbolt MFA step. Usually, the identity provider takes care of the MFA. In our case we enforce MFA on the identity provider side (Keycloak). Therefore, it would be useful to have an admin setting that allows users to skip the local MFA. We still want to keep the local MFA step in case the local login (passphrase) is being used.
Q2 - Who is impacted?
Users using OpenID as Single Sign-On who have MFA activated.
Q3 - Why is it important and/or urgent?
This would increase the acceptance of Single Sign-On and support stronger authentication, for example with FIDO2. At the same time, the local authentication is not weakened, as MFA is still enforced when using the passphrase login.
Q4 - What is your proposed solution? (optional)
- Add a setting "Skip local MFA" in /app/administration/sso
- If the setting is set, skip the MFA (for example TOTP) step when users log in via OpenID Connect
- Keep the MFA step when users log in with their passphrase (fallback)
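As an added illustration of the proposed policy (this is example code written for this thread, not Passbolt's own implementation), the function below decides whether the local MFA step is still required for a given login. It assumes a boolean admin setting `skip_local_mfa`, a login method of either `"passphrase"` or `"oidc"`, and that the identity provider's ID token carries the standard OpenID Connect `amr` claim (RFC 8176). The `require_idp_mfa_evidence` setting is an extra safeguard not in the original proposal: it only skips the local step when the token actually asserts that a second factor was used, so a misconfigured IdP cannot silently downgrade the login to single-factor.

```python
"""Decide whether the local MFA step can be skipped for an SSO login.

Example code, not Passbolt's implementation. Assumed names: SsoSettings,
LoginContext, local_mfa_required, and the settings fields below.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# RFC 8176 "amr" values that indicate a second factor was applied at the IdP.
# Assumption: the IdP includes an amr claim in the ID token; which values a
# given Keycloak deployment emits is not described in the post.
STRONG_AMR = frozenset({"mfa", "otp", "hwk", "fido", "sc", "swk"})


@dataclass(frozen=True)
class SsoSettings:
    """Hypothetical admin settings as they might appear under /app/administration/sso."""
    skip_local_mfa: bool = False            # the "Skip local MFA" setting from the proposal
    require_idp_mfa_evidence: bool = True   # added safeguard: skip only if the IdP asserts MFA


@dataclass(frozen=True)
class LoginContext:
    method: str                             # "passphrase" or "oidc"
    local_mfa_enrolled: bool                # user has a local MFA provider (e.g. TOTP) enabled
    id_token_claims: Dict[str, List[str]] = field(default_factory=dict)


def local_mfa_required(ctx: LoginContext, settings: SsoSettings) -> Tuple[bool, str]:
    """Return (required, reason). The reason string is intended for the audit log."""
    if not ctx.local_mfa_enrolled:
        return False, "no_local_mfa_enrolled"
    if ctx.method != "oidc":
        # Passphrase fallback always keeps the local MFA step.
        return True, "passphrase_login"
    if not settings.skip_local_mfa:
        return True, "skip_local_mfa_disabled"
    if not settings.require_idp_mfa_evidence:
        # Admin chose to trust the IdP unconditionally.
        return False, "skipped_by_admin_setting"
    asserted = set(ctx.id_token_claims.get("amr", [])) & STRONG_AMR
    if asserted:
        return False, "idp_mfa_asserted:" + ",".join(sorted(asserted))
    # Setting is on, but the token gives no evidence of a second factor.
    return True, "idp_mfa_not_asserted"


if __name__ == "__main__":
    # Constructed sample logins, not real tokens.
    settings = SsoSettings(skip_local_mfa=True)
    samples = [
        LoginContext("passphrase", True),
        LoginContext("oidc", True, {"amr": ["pwd", "otp"]}),
        LoginContext("oidc", True, {"amr": ["pwd"]}),
    ]
    for ctx in samples:
        required, reason = local_mfa_required(ctx, settings)
        print(f"{ctx.method:<11} local MFA required={required!s:<5} ({reason})")
```

Returning a reason alongside the decision keeps each skipped MFA step explainable in the logs, which is what an auditor will ask for when the local second factor is no longer always enforced.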