MFA for Identity360 and enterprise applications
MFA helps safeguard user accounts and data by requiring more than one form of verification before access is granted to the Identity360 portal and the applications behind it. Before MFA can be enabled for an enterprise application, the application must first be added to Identity360 by configuring SSO, which lets users reach all of their applications by logging in to Identity360 once. Enable single sign-on for the enterprise apps before configuring MFA for them.
Prerequisites for authentication through Identity360
- At least one cloud directory, such as Azure AD or Salesforce, must be configured as the primary authentication source before MFA can be enabled for Identity360 portal login. Learn how to set up a directory.
- The MFA and SSO license for Identity360 is required to enable MFA for portal login. Find the details here.
Login authentication
Ensure that Enable Identity360 authentication for portal and application logins is turned on to enforce Identity360 authentication; otherwise, Zoho account authentication will be applied.
Choosing between Identity360 and Zoho account authentication methods
Who can use it?

Zoho account authentication. You can continue to use Zoho account authentication:
- If you use Zoho Directory or Zoho applications in your organization and want users to authenticate with their Zoho accounts before they are granted access.
- If you have other cloud directories, such as Azure AD and Slack, but still want user authentication to go through Zoho accounts.

Identity360 authentication. You can opt for Identity360 authentication:
- If you want the cloud directory solutions used in your organization, such as Azure AD and Salesforce, to act as the primary authenticator.
- If you want Identity360 to provide advanced MFA before granting access to the Identity360 portal and other enterprise applications, including Zoho applications.
Note: Identity360 delegates the primary authentication of users to their respective directories, so users reuse their existing directory credentials.

How does it work?

Zoho account authentication:
- When the user wants to access the Identity360 portal or any application assigned to them through SSO, they are redirected to the Zoho account authentication login page, where they enter their username to proceed.
- The user is prompted to verify their identity with the authentication methods enabled for their Zoho account.
- Once verification is complete, the user gains access to Identity360 and the enterprise applications assigned to them through SSO.

Identity360 authentication:
- When the user wants to access the Identity360 portal or an application, they are redirected to the Identity360 login page, where they enter their username to proceed.
- Identity360 recognizes the user and performs primary authentication against the user's associated directory through the OpenID Connect (OIDC) protocol.
- Once primary authentication succeeds, Identity360 validates the user's identity with the secondary MFA factors configured for them.
- After the user completes authentication with all the required factors, they gain access to Identity360 and the enterprise applications assigned to them through SSO.
Steps to enable MFA for Identity360 and enterprise applications
- Navigate to the Applications tab and go to Multi-factor Authentication > MFA for Endpoints.
- Ensure that Enable Identity360 authentication for portal and application logins is turned on to enforce Identity360 authentication.
Note: To avoid repeated prompts, disable MFA in both your primary directory and Zoho Directory. If MFA stays enabled there, users will be challenged by all three systems in turn. This step is required if Identity360 is to be your exclusive MFA provider. Keep in mind that an MFA setting disabled in the directory itself applies to every sign-in to that directory, not only to logins brokered by Identity360, so check how users reach that directory directly before turning it off.
- Select the first-factor authentication method from the drop-down menu, which lists the directories configured in Identity360. Choose the directories through which users will complete primary verification; at login, each user is prompted to authenticate against their own directory.
Note: Users who are not a member of any enabled directory are denied login.
- If MFA is required, ensure that the Enable multi-factor authentication box is checked, and select the number of authentication factors from the drop-down menu. Refer to the Authenticators Setup page for the list of supported authentication methods and how to configure them.
- Choose the authenticators from the Choose Authenticators drop-down menu.
- Explore the Advanced Settings section for further customization options.
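The two-stage flow described under "How does it work?" and configured in the steps above (directory-delegated primary authentication over OIDC, then a required number of secondary factors) can be modelled end to end. The following Python is an added example written for this page, not ManageEngine's or Identity360's code: the directory names, user-to-directory mapping, OIDC issuer settings, shared secrets and the MFA policy (two of three chosen authenticators) are all constructed, and HS256 with a shared secret stands in for the RS256/ES256 keys a real directory would publish through JWKS so that the example runs offline.

```python
"""Added example (not Identity360's code): the login flow described on this page.
Step 1 resolves the user's directory (users outside every enabled directory are
denied). Step 2 validates the ID token the directory's OIDC provider returns.
Step 3 requires the configured number of chosen authenticators.
Every directory, user, issuer, secret and policy value below is constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed policy, mirroring the MFA for Endpoints settings.
ENABLED_DIRECTORIES = {"azure-ad", "salesforce"}
DIRECTORY_MEMBERSHIP = {           # constructed user -> directory mapping
    "alice@example.com": "azure-ad",
    "bob@example.com": "salesforce",
    "carol@example.com": "slack",  # directory not enabled as a first factor
}
MFA_ENABLED = True
REQUIRED_FACTORS = 2
CHOSEN_AUTHENTICATORS = {"totp", "push", "fido2"}

# Constructed OIDC provider settings. HS256 with a shared secret is used only so
# the example runs offline; real providers sign with asymmetric keys from JWKS.
OIDC_PROVIDERS = {
    "azure-ad": {"issuer": "https://login.azure.example/", "client_id": "identity360",
                 "secret": b"azure-shared-secret"},
    "salesforce": {"issuer": "https://login.salesforce.example/", "client_id": "identity360",
                   "secret": b"salesforce-shared-secret"},
}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def resolve_directory(username):
    """Step 1: pick the user's directory; None if it is not an enabled first factor."""
    directory = DIRECTORY_MEMBERSHIP.get(username)
    return directory if directory in ENABLED_DIRECTORIES else None


def mint_id_token(directory, subject, nonce, now, lifetime=300):
    """Stand-in for the directory's OIDC provider issuing an ID token (constructed)."""
    p = OIDC_PROVIDERS[directory]
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": p["issuer"], "aud": p["client_id"], "sub": subject,
                                "nonce": nonce, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(p["secret"], f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"


def validate_id_token(directory, token, expected_nonce, now):
    """Step 2, relying-party side: signature, algorithm, issuer, audience, nonce, expiry.
    Returns the claims on success and None on any failure."""
    p = OIDC_PROVIDERS[directory]
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:                      # bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":        # refuse "none" and algorithm confusion
        return None
    expected = hmac.new(p["secret"], f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != p["issuer"] or claims.get("aud") != p["client_id"]:
        return None
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize(username, id_token, nonce, completed_factors, now=None):
    """Full flow. completed_factors is the set of authenticators the user just passed.
    Returns (granted, reason)."""
    now = int(time.time()) if now is None else now
    directory = resolve_directory(username)
    if directory is None:
        return False, "user not in an enabled directory"
    claims = validate_id_token(directory, id_token, nonce, now)
    if claims is None or claims.get("sub") != username:
        return False, "primary authentication failed"
    if MFA_ENABLED:
        passed = completed_factors & CHOSEN_AUTHENTICATORS  # only chosen authenticators count
        if len(passed) < REQUIRED_FACTORS:
            return False, f"{len(passed)} of {REQUIRED_FACTORS} required factors completed"
    return True, f"SSO session granted via {directory}"
```

The nonce is generated per login attempt and compared against the ID token so a token captured from one attempt cannot be replayed into another, and only factors that appear in the chosen-authenticator set count toward the required number, which is what makes an unchosen method such as SMS irrelevant to the decision even if the user completed it.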