
Configure XFA as an Authentication Factor on OneLogin

warning

This is a beta feature; it will receive multiple updates and improvements in the coming weeks.

To make sure that every device in your organization is secure, XFA can be configured on OneLogin to verify each device as part of the authentication to all applications connected to OneLogin. This guide walks you through the steps to configure XFA as an Authentication Factor of the type 'Trusted IdP as a Factor' and to enforce its use.

Note: This guide assumes that you have an account set up with XFA for your organization and you're an admin for that organization on both XFA and OneLogin. If you do not have an account for XFA, you can create one at https://dashboard.xfa.tech/signup.

Create an integration in XFA Dashboard

After logging in to the XFA Dashboard, navigate to the Integrations page, click New and select OneLogin as the integration type. You'll receive the following information:

  • Client ID
  • Client Secret
  • the option to download the XFA icon, which you'll need in a later step

Keep this information handy as you'll need it in the next step.

Create an Authentication Factor in OneLogin

Account requirements

You will need to ask your OneLogin account representative or OneLogin Support to activate the BYO MFA feature on your OneLogin tenant.

User requirements

To use XFA as an authentication factor, the user must have a username set in their profile. If the username is not set, the user will not be able to register XFA as an authentication factor.

Note: User information is heavily cached, so changing the username may take some time to propagate.

1. Create a trusted IdP to use as Authentication Factor

In the administration portal of OneLogin (log in to OneLogin and click Administration in the top right corner), navigate to Authentication > Trusted IdPs and click New Trust.

After setting the name of the new trusted IdP to 'XFA', create the following configuration under Settings (settings not listed here can be ignored or left empty):

  • Enable Trusted IdP: True
  • Show in Login Panel: False
  • Issuer: https://xfa.tech
  • Email Domains: (leave empty)
  • Sign users into OneLogin: True
  • Sign users into additional applications: False
  • Send Subject Name ID or Login Hint in Auth Request: True
  • User Attribute Value: (leave empty)
  • User Attribute Mapping: Username
  • Allowed Redirect URIs: (leave empty)
  • Authentication Endpoint: https://device-api.xfa.tech/oauth2/authorize
  • Token Endpoint Auth. Method: POST
  • Token Endpoint: https://device-api.xfa.tech/oauth2/token
  • User Information Endpoint: https://device-api.xfa.tech/oauth2/userinfo
  • Scopes: openid profile email
  • Client ID: (the Client ID you received from the XFA Dashboard)
  • Client Secret: (the Client Secret you received from the XFA Dashboard)

Click Save to create the trusted IdP.
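Because a mistyped endpoint or a missing scope only shows up later as a failed login, it helps to check the values before saving. The following is an added example, not code from XFA or OneLogin: it audits a dictionary of the Trusted IdP settings above against the values this guide prescribes and a few OIDC hygiene rules (https endpoints, the `openid` scope, non-empty client credentials). The dictionary layout, the `audit_trusted_idp` function and the placeholder credentials are assumptions; the setting names are the guide's.

```python
# Added example (not from the XFA or OneLogin documentation): audits a
# Trusted IdP settings dict against the values this guide prescribes and a
# few OIDC hygiene rules. Setting names follow the guide; the dict layout,
# the audit function and the client credentials below are assumptions.
from urllib.parse import urlparse

EXPECTED_FLAGS = {
    "Enable Trusted IdP": True,
    "Show in Login Panel": False,
    "Sign users into OneLogin": True,
    "Sign users into additional applications": False,
    "Send Subject Name ID or Login Hint in Auth Request": True,
    "Issuer": "https://xfa.tech",
    "Token Endpoint Auth. Method": "POST",
    "User Attribute Mapping": "Username",
}
EXPECTED_ENDPOINTS = {
    "Authentication Endpoint": "https://device-api.xfa.tech/oauth2/authorize",
    "Token Endpoint": "https://device-api.xfa.tech/oauth2/token",
    "User Information Endpoint": "https://device-api.xfa.tech/oauth2/userinfo",
}

def audit_trusted_idp(cfg):
    """Return a list of findings; an empty list means the config matches the guide."""
    findings = []
    for key, want in EXPECTED_FLAGS.items():
        if cfg.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {cfg.get(key)!r}")
    for key, want in EXPECTED_ENDPOINTS.items():
        got = str(cfg.get(key, ""))
        if urlparse(got).scheme != "https":  # never send tokens over plaintext
            findings.append(f"{key}: must be an https URL, got {got!r}")
        elif got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    if "openid" not in str(cfg.get("Scopes", "")).split():
        findings.append("Scopes: 'openid' is required for an OIDC login")
    for key in ("Client ID", "Client Secret"):
        if not cfg.get(key):
            findings.append(f"{key}: empty; copy it from the XFA Dashboard")
    return findings

# Constructed config matching the guide (placeholder credentials, not real ones).
GUIDE_CONFIG = {**EXPECTED_FLAGS, **EXPECTED_ENDPOINTS,
                "Scopes": "openid profile email",
                "Client ID": "<client-id-from-xfa-dashboard>",
                "Client Secret": "<client-secret-from-xfa-dashboard>"}

def weakened_config():
    """The same config with four mistakes an admin could make in the form."""
    return {**GUIDE_CONFIG, "Show in Login Panel": True, "Scopes": "profile email",
            "Token Endpoint": "http://device-api.xfa.tech/oauth2/token", "Client Secret": ""}

if __name__ == "__main__":
    for line in audit_trusted_idp(weakened_config()):
        print(line)
```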

2. Create a new Authentication Factor

In the administration portal of OneLogin, navigate to Security > Authentication Factors, click on New Auth Factor and choose the type 'Trusted IdP as a Factor'.

Add the XFA icon (can be downloaded from the XFA Dashboard), set the User description to 'XFA' and select the trusted IdP you created in the previous step. Click Save to create the new Authentication Factor.

3. Allow the Authentication Factor for all users

In the administration portal of OneLogin, navigate to Security > Policies and select the policy you want to edit or create a new policy so you can gradually make XFA available for users.

As in this step we are only making XFA optionally 'available' for users, we recommend editing all policies (including the default policy) to include the XFA Authentication Factor.

To add XFA to a policy, navigate to 'MFA' and tick the 'XFA' box under One-time Passwords. The option to register XFA as an authentication factor will now be available to all users to which the policy applies.

Next steps

All users covered by the policies edited in the previous step can now register XFA as an Authentication Factor and use it when logging in to any application connected to OneLogin.

Registering XFA as an authentication factor can be done by the user under Profile > Security Factors > Add Factor in the OneLogin portal.

To make sure XFA is enforced for all users, do the following:

Remove other MFA methods from policy

You can either create a new policy and migrate all users to it, or edit the existing policies to remove all other MFA methods.

To remove other MFA methods from a policy, navigate to 'MFA' within the policy settings and untick all other MFA methods except for XFA. This will enforce the use of XFA for all users to which the policy applies.

note

Won't I lose my 2FA identity verification?
As XFA will completely replace the other authentication methods, we provide 'silent MFA', which allows you to verify your identity through known devices that you have explicitly trusted with XFA. In this way your devices act as a second factor. Read our documentation about silent MFA for more information.

Apply the policy to all users

To apply a policy that enforces XFA to all users, navigate to Users in the OneLogin administration portal. Either open each user individually and change 'User Security Policy' under Authentication to the desired policy, or use groups under Users > Groups to apply the policy to multiple users at once.

Remove other MFA options from users

To manually ensure that all users are using XFA as their authentication factor, navigate to Users in the OneLogin administration portal and open each user individually to remove all other MFA options except for XFA under Authentication > Multi-factor methods.