Assigning an MFA to SSO logins


Hello, when I first set up my AWS account on Linux, I somehow ended up with separate MFAs for the AWS Console versus AWS SSO. At the time, I did not properly understand why this happened. Now my Linux computer is down for service, and I am connecting via my Windows computer. I managed to add a second MFA for the AWS Console so I can connect from Windows, but that MFA does not work for AWS SSO, just as it did not on Linux, and I can't find a similar way to add a second MFA for SSO. What would be the process to add a second MFA for SSO on my Windows computer?

EDIT: I'm making progress. What you have to do to add a new MFA is first log in to the Access Portal. The URL for the Access Portal is in IAMIC. This reminded me of something I'd forgotten on Linux... I'd had a THIRD MFA for the Access Portal! I'd only used it once during initial setup, and after that I only used the MFAs for the main Console and SSO, and gradually forgot what that THIRD MFA even was. Well, now I've just remembered, because I promptly found out I cannot log in to the Access Portal from my Windows computer, because the single MFA I have registered on the Windows computer is only for the main Console, not the Access Portal. So, I'm still stuck; any thoughts appreciated!

SOLVED! The way to register an MFA for the Access Portal when you need an MFA to log in to the Access Portal in the first place is simply to turn off MFA in IAMIC. Then log in to the Access Portal with just user/pass. Then, in the Access Portal, the link to add MFA devices is not active, because "Your Administrator turned off MFA"! So now, without logging out of the Access Portal, go back to IAMIC and turn MFA back on again. Now simply refresh the Access Portal page, and the MFA link becomes active and allows you to register a new MFA. Bingo! How obvious was that.

But it gets better still. Unlike how I somehow muddled my way to having three different MFAs on Linux, this second MFA registered in the Access Portal also works for SSO! Who knew.

1 Answer

The root cause of having separate MFAs initially on your Linux setup seems to be related to the different authentication mechanisms used by the AWS Management Console, IAM, and IAM Identity Center. Each of these services can have its own MFA configuration, which can lead to the need for multiple MFA devices if they are not configured correctly. (On July 26, 2022, AWS Single Sign-On was renamed AWS IAM Identity Center.)

The steps you outlined for disabling and re-enabling MFA in IAM Identity Center (IAMIC) to register a new MFA device for the Access Portal are correct. This approach essentially resets the MFA configuration for the Access Portal, allowing you to register a new MFA device.

Answered by AWS (expert-reviewed)
