Multi-Factor Authentication (MFA) and Integration using SAML (2024)

In the previous article, I have shared what I have learned about SAML, The history behind it, and its working mechanism. But it did not end there, I wanted to know more about it, then I saw that it is also using while configuring and integrating MFA solutions with IDP as an additional layer of authentication Mechanism. So let’s learn more about it.

Multi-Factor Authentication (MFA) and Integration using SAML (3)

Firstly, What is MFA ( Multi-Factor Authentication)?

Multi-Factor Authentication is nothing but an additional level of authentication where we need to provide one more factor which might be an OTP, numeric code from an App( Google Authenticator), or a Hard token for claiming that we are who we are. This will not only enhance security but also reduces the risk of identity theft.

Multi-Factor Authentication (MFA) and Integration using SAML (4)

How MFA works?

MFA's working mechanism is similar to the user-password mechanism. In the above picture, we can see an interlink. First, the user needs to enter his credentials. Once his identity is verified, then he needs to provide his identity one more time in the form for MFA which can an OTP or a token from an app or device.

Like the way how user credentials are stored in the database and used for verification, the MFA device which has its own unique device id as an identifier also needs to be configured to the user profile in order to verify the identity of the user.

Types of MFA

For a user to authenticate, a Password is a mandatory factor of authentication. When it comes to additional layers, a traditional method used to be in the form of One time SMS which will be sent to our email, Mobile device.

MFA comes in the form of Hard Tokens and Soft Tokens.

  • Hard Token: Hard Tokens are a form of authenticating using a physical device like a Biometric, OTP Auth token, etc. The best example is RSA Secure Auth Token.
  • Soft Token: Soft Tokens are a form of using “Phone-as-a-token”. In general, using mobile applications or devices are used as soft tokens. The most common ones are Google authenticator, Microsoft authenticator which has the OTP and also pushes notifications as a soft token.

How to configure MFA

Several Websites are mandating their users to configure MFA while accessing their website. Most of these websites are supporting some MFA soft tokens like Google Authenticator.

  • MFA using Soft token App

Users need to configure this MFA by scanning a QR code or a device link code with their Mobile device. Then the Google Authenticator’s Unique device ID will be linked to the user’s profile.

While enterprises use different approaches to configure MFA based on the requirements. If an enterprise uses Azure active directory solution, Azure provides the feature to configure MFA directly in the portal which can be in the form of SMS, Phone Call, or Microsoft Authenticator Push Notifications. This adds an additional layer of security when Single Sign-on ( SSO) gets enabled.

  • MFA using SAML configuration

As mentioned in a previous article, SAML is used for authentication and also it helps to enable SSO. SAML can also be used to configure MFA between different devices.

In an enterprise where we have different SPs used by multiple hosts. By using SAML we can enforce MFA in any of the below ways.

  • No MFA
  • MFA based on host-to-host
  • MFA for all.

In Some cases, where re-authentication is required for applications with high-security requirements we can use SAML to break the SSO session and initiate re-authentication.


By enforcing MFA across enterprise applications and devices, it’s better to manage identity of users and reduce risk of identity theft. MFA can be enforced directly in Active Directory for Enterprises or can be enforced in Applications if they are connected as a federal identity. Also, we can configure the federal connection using SAML.

Thanks for reading this :)

If you like my work, please support me.

Multi-Factor Authentication (MFA) and Integration using SAML (5)

Additional Resources:

Multi-Factor Authentication (MFA) and Integration using SAML (2024)
Top Articles
Latest Posts
Article information

Author: Errol Quitzon

Last Updated:

Views: 5726

Rating: 4.9 / 5 (79 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Errol Quitzon

Birthday: 1993-04-02

Address: 70604 Haley Lane, Port Weldonside, TN 99233-0942

Phone: +9665282866296

Job: Product Retail Agent

Hobby: Computer programming, Horseback riding, Hooping, Dance, Ice skating, Backpacking, Rafting

Introduction: My name is Errol Quitzon, I am a fair, cute, fancy, clean, attractive, sparkling, kind person who loves writing and wants to share my knowledge and understanding with you.