Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.
It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into SPP. For more information, see Requiring secondary authentication log in.
Using Local as the identity provider
|
Primary authentication |
Secondary authentication |
|---|---|
|
Local: The specified login name and password will be used for authentication. |
None OneLogin MFA Radius Active Directory LDAP FIDO2 |
|
Certificate: The specified certificate thumbprint will be used for authentication. |
None OneLogin MFA Radius Active Directory LDAP FIDO2 |
|
External Federation: The specified email address or name claim will be used for authentication. |
None OneLogin MFA Radius Active Directory LDAP FIDO2 |
|
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication. |
None OneLogin MFA Active Directory LDAP FIDO2 |
Using Active Directory as the identity provider
|
Primary authentication |
Secondary authentication |
|---|---|
|
Active Directory: The samAccountName or X509 certificate will be used for authentication. NOTE: The user must authenticate against the domain from which their account exists. |
None OneLogin MFA Radius LDAP FIDO2 |
|
External Federation: The specified email address or name claim will be used for authentication. |
None OneLogin MFA Radius Active Directory LDAP FIDO2 |
|
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication. |
None OneLogin MFA Active Directory LDAP FIDO2 |
Using LDAP as the identity provider
|
Primary authentication |
Secondary authentication |
|---|---|
|
LDAP: The specified username attribute will be used for authentication. |
None OneLogin MFA Radius Active Directory FIDO2 |
|
External Federation: The specified email address or name claim will be used for authentication. |
None OneLogin MFA Radius Active Directory LDAP FIDO2 |
|
Radius : The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication. |
None OneLogin MFA Active Directory LDAP FIDO2 |
Using Starling as the identity provider
|
Primary authentication |
Secondary authentication |
|---|---|
|
Starling |
None |
Using SCIM as the identity provider
|
Primary authentication |
Secondary authentication |
|---|---|
|
Local: The specified username and password will be used for authentication. NOTE: A SPP user administrator must manually set the password for any newly provisioned SCIM users. |
None OneLogin MFA Radius Active Directory LDAP FIDO2 |
|
External Federation: The specified email address or name claim will be used for authentication. |
None OneLogin MFA Radius Active Directory LDAP FIDO2 |