Exempting some users from authentication with a Whitelist
When you activate CTE Multifactor Authentication, all users attempting to log in to the CTE client must successfully pass through CTE Multifactor Authentication to gain entry to the MFA-enabled GuardPoints. However, there are specific exemptions to this rule. Users whose system services or applications start automatically during system boot-up cannot authenticate through CTE Multifactor Authentication, because Multifactor Authentication requires user interaction. To accommodate such cases, exempt these users from Multifactor Authentication enforcement within the Client Profile by including them in the user set exemption list. Typically, only system users responsible for running system services are included in this list. However, since many system applications operate under the root user, or even under normal application user accounts, you must also add these system administrator/application users to the list. These users form part of the user set, which is commonly referred to as a whitelist.
Caution
Be careful when adding a user to the whitelist. The exemption applies for the entire client. Users on this list can bypass Multifactor Authentication and access all MFA-enabled GuardPoints. If a system service, or application, accesses only one GuardPoint among multiple GuardPoints, Thales advises you to leave that specific GuardPoint without Multifactor Authentication enforcement.
Creating a User Set
See Creating User Sets for information on creating a User Set in a Policy Element.
Adding the User Set to the Client Profile
To add a Multifactor Authentication whitelist to the client profile:
- Create your Client Profile if it is not already created.
- Click on your client profile to open it.
- Click Multifactor Authentication.
- In the Select OIDC connection field, select the OIDC connection that you created.
- In the Select the MFA exempted User Set field, select the User Set that contains the people/applications that are exempted from authentication.
- Click Update.
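Because the exemption applies to the entire client, it helps to review the proposed User Set against the client's local accounts before selecting it. The following is an added example, not Thales code and not part of the original page: it flags exempted names that are UID 0, have an interactive login shell, fall in the regular-user UID range, or do not exist on the client. The account names, passwd lines, shell list and the UID threshold of 1000 are constructed assumptions for a Linux client, and the script calls no CipherTrust API.

```python
"""Audit a proposed MFA exemption list against passwd(5)-format account data."""

# Constructed sample input: not taken from any real client.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
backupsvc:x:991:991:Backup agent:/var/lib/backupsvc:/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
"""
SAMPLE_EXEMPT = ["root", "postgres", "backupsvc", "alice", "olddaemon"]

# Assumption: shells treated as interactive; extend for your platform.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh", "/usr/bin/bash"}

def parse_passwd(text):
    """Return {name: (uid, shell)}; malformed or comment lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # passwd(5) has exactly seven colon-separated fields; UID is field 3.
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts

def audit_exemptions(exempt_users, passwd_text, uid_min=1000):
    """Return {user: [reasons]} for exempt entries that deserve a second look."""
    accounts = parse_passwd(passwd_text)
    findings = {}
    for user in exempt_users:
        if user not in accounts:
            findings[user] = ["no such account on this client"]
            continue
        uid, shell = accounts[user]
        notes = []
        if uid == 0:
            notes.append("UID 0 (root)")
        if shell in INTERACTIVE_SHELLS:
            notes.append("interactive login shell " + shell)
        if uid >= uid_min:  # assumption: regular accounts start at uid_min
            notes.append("UID in regular-user range")
        if notes:
            findings[user] = notes
    return findings

if __name__ == "__main__":
    for user, notes in audit_exemptions(SAMPLE_EXEMPT, SAMPLE_PASSWD).items():
        print(f"{user}: " + "; ".join(notes))
```

A flagged entry is not necessarily wrong, since the page notes that root and application accounts sometimes must be exempted; the output is a list of entries to justify before clicking Update.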