Failed to authenticate the Provision Manager:Please authenticate with MFA

Getting the above error when trying to prepare our account for SCIM.
The error is being displayed and preventing us from downloading the session file.
Get the same error when trying to generate new credentials as well.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Temporarily disabling MFA enforcement resolved this issue.

  • graham_1Pgraham_1P

    Team Member

    Hi @swatts123

    This is a known issue with the SCIM Bridge and the new 1Password Advanced Protection feature set. I would strongly recommend you to keep the Enforced MFA off until the issue is resolved, otherwise your Provision Manager will not be able to make changes to your account.

    Sorry for the inconvenience.

    Graham

  • Any news about when this issue will be fixed?

  • graham_1Pgraham_1P

    Team Member

    @angrycustomer ,

    I have no explicit timeline to share, but I can say it will not be before the New Year. The fix is not an easy nor simple one without poking a big hole in account security. We have to take the time to fix it properly.

    Graham

  • Any update on being able to Enforce MFA while using a SCIM Bridge?

  • ag_anaag_ana

    Team Member
    edited April 9

    @ICanHasWine:

    We don't have any updates yet, but the request is still on our radar :)

    ref: dev/b5/op-scim#225

  • Isn't it possible to make that option to force-enable 2FA on accounts that belong to specific groups instead of making it a tenant-wide option?

    We would like to use this as well, instead of manually policing our users and tell them they need to.

  • graham_1Pgraham_1P

    Team Member

    Hey @rickh

    We have been working hard on this issue, and it is getting closer to being properly fixed! Currently it is moving from the development stage to the testing stage, so it will be in your hands in the near future.

    To explain a bit as to why we can't just set MFA enforcement on some users/groups, as it is a part of your account security, MFA is baked in at a very low level during the authentication process. By design, when you want to enforce MFA it is applied to all your users during the initial handshake with no exceptions. There were some workarounds we considered implementing, but they all required a level of development time and testing comparable to the solution we chose.

    Therefore we have essentially had to add a whole new type of user who authenticates in a different way. The utility of this user we are very excited about, as it not only fixes this SCIM Bridge issue but adds so much more. I'm getting a little ahead of myself, but the proper fix for this is in the pipeline and is coming soon. We will update this thread when the fix is released.

    Graham

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file