Updated by Jan Sandbrink 8 months ago
**As** an administrator
**I want to** configure certain auth providers to skip multi-factor authentication
**so that** users can have MFA configured in OpenProject but don't have to do it twice if the authentication provider already performs MFA itself.
**Context**
This can be useful in environments where users have a backup password to log into OpenProject but would usually rely on SSO, for example admins who want to log in so they can fix a broken SSO setup.
**Acceptance criteria**
* It is possible to configure on an OIDC or SAML provider that OpenProject's multi-factor authentication (MFA) can be skipped
* When a user signs in through such a provider, there is no MFA prompt
* When a user signs in through another provider or with their password, the MFA prompt appears as usual
* Skipping MFA can be configured to be dependent on the presence of a specific claim in the ID token (e.g. an acr claim)
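One way the decision described by these criteria could be modelled, as an added Ruby example that is not OpenProject's own code: a per-provider skip flag, an optional required claim, and (going beyond the criteria above) an optional set of accepted values for that claim. The provider names, configuration keys and token contents are constructed for the example.

```ruby
require "json"
require "base64"

# Constructed provider configuration for this example; not OpenProject's real settings schema.
#   skip_mfa         - provider performs MFA itself, so OpenProject's prompt may be skipped
#   mfa_claim        - if set, skipping additionally requires this claim to be present
#   mfa_claim_values - if set, the claim's value must also be one of these (beyond the spec)
PROVIDERS = {
  "corp-oidc"    => { type: :oidc, skip_mfa: true, mfa_claim: "acr", mfa_claim_values: %w[phr phrh] },
  "partner-oidc" => { type: :oidc, skip_mfa: true },
  "legacy-saml"  => { type: :saml, skip_mfa: false }
}.freeze

# Decision: may OpenProject's own MFA prompt be skipped for this sign-in?
# provider_name is nil for a password login; claims is the payload of an already
# verified ID token (OIDC) or the attribute hash of a verified assertion (SAML).
def skip_mfa?(provider_name, claims: {})
  provider = PROVIDERS[provider_name]
  return false if provider.nil? || !provider[:skip_mfa] # password login or option not enabled
  claim = provider[:mfa_claim]
  return true if claim.nil?                              # unconditional skip for this provider
  value = claims[claim]
  return false if value.nil? || value.to_s.empty?        # required claim missing: prompt as usual
  allowed = provider[:mfa_claim_values]
  allowed.nil? || allowed.include?(value.to_s)
end

# Extracts the payload of a compact JWS ID token. Signature verification is assumed to
# have been done by the OIDC client library before this point; this helper only parses.
def claims_from_id_token(id_token)
  parts = id_token.split(".", -1)
  raise ArgumentError, "malformed ID token" unless parts.length == 3
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
end

# Builds an unsigned, constructed ID token (empty signature segment) so the example runs offline.
def build_id_token(claims)
  segment = ->(h) { Base64.urlsafe_encode64(h.to_json, padding: false) }
  "#{segment.call({ alg: 'none' })}.#{segment.call(claims)}."
end
```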
**Technical notes**
**Permissions and visibility considerations**
* Admins
**Translation considerations**
* _Key terms and phrases in the key languages_
**Out of scope**
_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of the changes._