Apply MFA for SSO connections

This guide explains how to enforce multi-factor authentication (MFA) on Single Sign-On (SSO) connections in UserLock. It builds on the SSO implementation setup and shows how to combine access policies with MFA for stronger security.

Published September 26, 2025

Introduction

Multi-factor authentication (MFA) is one of UserLock’s key features to protect user identities. When combined with Single Sign-On (SSO), MFA adds an essential layer of verification for cloud and SaaS applications.

🚩️ Before following this guide, make sure that you have completed the Install & configure the SSO guide. Without a properly configured SSO service, MFA cannot be enforced on SSO connections.

Typical use cases

  • Enforce MFA each time users access SaaS applications via SSO.

  • Require stricter MFA only for administrators and privileged accounts.

  • Apply lighter MFA rules for internal connections, but stricter ones for external access.

  • Combine MFA with time, machine or geolocation restrictions for a layered defense.

Procedure

To enforce MFA on SSO connections, you need to create a new access policy.

👉️ Follow the general steps described in Configure an access policy until you reach the Policy type selection. At this step, choose Multi-factor authentication.

You then arrive at the MFA rules form.

  1. Set MFA application to Enabled.

  2. Choose configuration mode:

    • All at once (same settings for all session types)

    • Distinct setting per session type (recommended for SSO, so you can configure MFA separately for SaaS connections).

  3. Configure SSO session rules

    • For Connection type, choose whether MFA applies to all SSO logons, only remote ones, or only from outside IPs.

    • For MFA frequency, select how often MFA is required (at every logon, at first logon of the day, when connecting from a new IP, etc.).

  4. Save the rules
    The policy is now active and will enforce MFA on SSO connections.

Note

For the detailed meaning of the Connection type and MFA frequency options, see the MFA policies reference.
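
To reason about how Connection type and MFA frequency combine before rolling the policy out, the following added example (not UserLock code and not part of the original guide) replays constructed SSO logons through a simplified model. The option labels, the internal address ranges, and the rule that an out-of-scope logon does not count as the day's MFA are assumptions; the MFA policies reference defines the product's actual behavior.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: address ranges this organisation treats as "inside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_outside(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def simulate(events, connection_type, frequency):
    """Return one (user, ip, prompted) tuple per SSO logon, in time order."""
    # Assumed labels: connection_type in {"all", "outside"};
    # frequency in {"every_logon", "first_of_day", "new_ip"}.
    last_mfa_day = {}   # user -> date of the last MFA prompt
    seen_ips = {}       # user -> IPs already verified with MFA
    results = []
    for ts, user, ip in sorted(events):
        in_scope = connection_type == "all" or is_outside(ip)
        if not in_scope:
            prompted = False
        elif frequency == "every_logon":
            prompted = True
        elif frequency == "first_of_day":
            prompted = last_mfa_day.get(user) != ts.date()
        elif frequency == "new_ip":
            prompted = ip not in seen_ips.get(user, set())
        else:
            raise ValueError(f"unknown frequency: {frequency}")
        if prompted:
            last_mfa_day[user] = ts.date()
            seen_ips.setdefault(user, set()).add(ip)
        results.append((user, ip, prompted))
    return results

# Constructed sample SSO logons: (timestamp, user, source IP).
EVENTS = [
    (datetime(2025, 9, 26, 8, 0), "alice", "10.1.2.3"),
    (datetime(2025, 9, 26, 9, 30), "alice", "203.0.113.7"),
    (datetime(2025, 9, 26, 14, 0), "alice", "203.0.113.7"),
    (datetime(2025, 9, 27, 8, 5), "alice", "203.0.113.7"),
    (datetime(2025, 9, 27, 8, 10), "bob", "198.51.100.20"),
]

if __name__ == "__main__":
    for ct, fq in [("all", "every_logon"), ("outside", "first_of_day"), ("outside", "new_ip")]:
        prompts = [p for _, _, p in simulate(EVENTS, ct, fq)]
        print(f"{ct:8} {fq:13} prompts={prompts}")
```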

Best practices and user enrollment

Enforcing MFA has an impact on both administrators and end-users.

For deployment recommendations (pilot groups, communication, monitoring) and for details on how users enroll when prompted, see Implementing MFA in UserLock.