See smart-hooks Menu
  1. Home >
  2. Smart Hooks >
  3. Smart Hooks to Force MFA Enrollment

Smart Hooks to Force MFA Enrollment

This document describes how to generate a pre-authentication smart hook to force the user to enroll a MFA device before switching the user to a passwordless user policy inside of OneLogin.

Note: Best practice is to execute the hook as quickly as possible, so all users will be passwordless by default. The policy will switch when the user does not have a MFA device registered. Policy change affects the login, not the session after the login.

This guide explains how to configure two user policies. The first user policy is the default passwordless policy. This will be the main policy after the registration of the MFA Device.

  1. In the OneLogin administration portal, create a user policy with the following configuration. This is your default passwordless policy and acts as the main policy will be used after registration of the MFA device.

    • Login Flow
      • For Smart Flows, select Passwordless (ID/MFA).
    • Password
      • For Maximum Password Age, enter 0.
    • MFA
      • Under One-time passwords, select OTP Auth Required and any OTP factors you’d like to enable for the passwordless flow.
      • For MFA Device Registration, choose Do not prompt users to register an MFA device during login.
      • Under Enforcement Settings, ensure that OTP required for is set to All users.

  2. Create a second user policy with the following configuration. This is the policy the user is switched for initial login and configuration of the device.

    • Login Flow
      • For Smart Flows, select Standard (ID/Password/MFA).
    • MFA
      • Under One-time passwords, select OTP Auth Required and any OTP factors you’d like to enable for the this authentication.
      • For MFA Device Registration, choose Users without a MFA device must register one before being able to log in.
      • Under Enforcement Settings, ensure that OTP required for is set to All users.

  3. We can now upload the Smart Hook into your OneLogin tenant. If you have not already done so, download the Smart Hooks postman collection and the Access Token postman collection.

  4. Import the Postman commands into your local postman instance, then go to Developers > API Credentials and select New Credential.

  5. Give the credentials a new name like smart hooks and choose Manage All permissions, then click Save.

  6. Copy the Client ID and Client Secret and paste them somewhere safe for later retrieval.

  7. Open Postman and create a new environment for you to store variables in, then click the manage environments icon in the upper-right.

  8. In the Manage Environments modal, select Add.

  9. Create the following five environment variables: api-domain, client_id, client_secret, access_token, and refresh_token.

  10. Set api-domain to api.us.onelogin.com or api.eu.onelogin.com.

  11. Set client_id and client_secret to the client ID and Secret generated in step six of this section.

  12. access_token and refresh_token will be done after the call to token endpoint. Update or Save your environment variables.

  13. Confirm you have selected the proper environment that you just created, then open the Access Tokens - OneLogin API postman collection and double click the Generate Tokens call.

  14. Once the call opens, hit Send. After you receive a 200 OK message, ensure the returned body contains both an access and refresh token, which then populate in your environment variables.

  15. Open the Smart Hooks - OneLogin API collection and expand the Pre-Authentication Hook folder, then open the Smart Hook called Switch policy to allow MFA Enrollment.

  16. Select the Pre-request Script tab in the call and find the user.policy_id, then set that value to the Register MFA policy number you noted earlier.

  17. Double click Create minimum viable function and click Send, then copy the id returned in the body and paste it somewhere safe for later retrieval.

  18. Paste the id copied in step 15 into the hook_id path variable in the Params tab inside Switch policy to allow MFA enrollment, then click Send.

  19. You see a return similar to the one above and the call returns a 200 OK status, which means the pre-authentication hook was successfully updated.

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.