Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into SPP. For more information, see Requiring secondary authentication log in.

Using Local as the identity provider

Table 113: Allowable local identity provider combinations

Primary authentication

Secondary

authentication

Local: The specified login name and password will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Certificate: The specified certificate thumbprint will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Active Directory as the identity provider

Table 114: Allowable Active Directory identity provider combinations

Primary authentication

Secondary

authentication

Active Directory: The samAccountName or X509 certificate will be used for authentication.

NOTE: The user must authenticate against the domain from which their account exists.

None

OneLogin MFA

Radius

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using LDAP as the identity provider

Table 115: Allowable LDAP identity provider combinations

Primary authentication

Secondary

authentication

LDAP: The specified username attribute will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius : The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Starling as the identity provider

Table 116: Allowable Starling identity provider combinations

Primary authentication

Secondary

authentication

Starling

None

Using SCIM as the identity provider

Table 117: Allowable SCIM identity provider combinations

Primary authentication

Secondary

authentication

Local: The specified username and password will be used for authentication.

NOTE: A SPP user administrator must manually set the password for any newly provisioned SCIM users.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2