Disable MFA for enterprise connection

I have set up a SAML Enterprise Connection to delegate authentication to another IdP. When users log in at the IdP they perform MFA there. However, when the SAML response is sent to Auth0 it fails due to the “always require MFA” setting. I have other authentication methods configured in this tenant and I want to disable MFA for this Enterprise SAML connection only.

Hi @lcfn

Welcome to the Auth0 community.

You should be able to achieve this use case by using selective MFA via a Post Login Action as per https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow#enforce-custom-mfa-policy

To get this to work you need to set MFA policy to “Never” (Security > Multi-factor Auth) but keep your existing MFA factors in place e.g. if one-time password and email are both switched on, leave them switched on. The MFA will be controlled by the Action instead.

For your specific use case, you may be able to use an Action like the below (please test in a non production tenant):

exports.onExecutePostLogin = async (event, api) => {
  // Require MFA for any connection apart from conn2.
  // Replace "conn2" with the name of your SAML enterprise connection.
  if (event.connection.name !== "conn2") {
    // "any" lets the user choose from the factors enabled on the tenant.
    api.multifactor.enable("any");
  }
};

You can just pop your connection name in the above and that should work (please test). All other connections should require MFA.

Please let us know if you need anything further.

Warm regards.

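A slightly more defensive version of the Action in the reply above, added here as an illustration rather than code from the original thread or from Auth0. It keeps the same approach (tenant MFA policy set to "Never", MFA enforced from the Post Login Action) but exempts an explicit allow-list of connections instead of a single hard-coded name, and only honours the exemption when the connection's strategy is SAML, so that a database or social connection that happens to share a name cannot inherit it. Everything not on the list falls through to MFA (default deny). The Actions API calls used (event.connection.name, event.connection.strategy, api.multifactor.enable with the allowRememberBrowser option) are from Auth0's public Actions documentation; the connection name "conn2", the "samlp" strategy value and the small offline harness at the end are assumptions for illustration and should be checked against your own tenant.

```javascript
// Added example: Post Login Action that enforces MFA on every connection
// except an allow-list of SAML enterprise connections whose IdP already
// performs MFA. Not from the original thread; names and the "samlp"
// strategy check are assumptions.

// Connections that must never be challenged by Auth0 MFA. Keep this explicit:
// anything not listed falls through to MFA (default deny). Name is assumed.
const MFA_EXEMPT_CONNECTIONS = new Set(["conn2"]);

// Returns true when Auth0 itself should enforce MFA for this login.
function shouldEnforceMfa(connection) {
  if (!connection || typeof connection.name !== "string") {
    // No connection context at all: fail closed and require MFA.
    return true;
  }
  const exempt = MFA_EXEMPT_CONNECTIONS.has(connection.name);
  // Only trust the exemption for SAML connections, so a renamed database or
  // social connection cannot pick it up. "samlp" is assumed to be the strategy
  // value Auth0 reports for SAML enterprise connections.
  const isSaml = connection.strategy === "samlp";
  return !(exempt && isSaml);
}

// The Action entry point Auth0 calls for each login.
const onExecutePostLogin = async (event, api) => {
  if (shouldEnforceMfa(event.connection)) {
    // "any" lets the user pick from the factors enabled on the tenant.
    // allowRememberBrowser: false forces a challenge on every login rather
    // than letting a remembered browser skip it.
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
};

// In the Auth0 Action editor this assignment is what registers the trigger.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Offline harness (assumed, not part of the Actions runtime): a minimal
// stand-in for `api` that records whether multifactor.enable was called.
// The Action body contains no await, so its side effects have happened by
// the time the call returns, and no promise needs to be awaited here.
function simulate(connection) {
  const calls = [];
  const fakeApi = {
    multifactor: {
      enable: (provider, options) => {
        calls.push({ provider, options });
      },
    },
  };
  onExecutePostLogin({ connection }, fakeApi);
  return calls.length > 0; // true when MFA would be enforced
}
```

To deploy, paste only the part above the harness into a Post Login Action, attach it to the Login flow, and confirm in a non-production tenant that a login through the SAML connection completes without an Auth0 challenge while a database login is still challenged.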
