Over the last few years various MFA solutions have introduced the so-called Adaptive Authentication. Back in the day all you needed was just a way to secure your users, and Multi-Factor Authentication was the answer. Nowadays when using a modern MFA solution, you also need a way to control every step of your users’ authentication. With Adaptive Authentication you enforce different methods of authentication on different integrated applications. Naturally, the finest MFA solutions allow you to control every step of user authentication on application level. For one, Rublon uses the state-of-the-art Policies. Controlling Multi-Factor Authentication based on applications is an application-based approach to Adaptive Authentication.


But Adaptive Authentication can also be applied to users. In such an approach you manage which users are authenticated, and how. Rublon introduces user-based Adaptive Authentication in many ways. For example, you might want to enforce Multi-Factor Authentication only on selected high-risk users while bypassing all others. You can do this in one of the following ways:


  • Set Enrollment Type to Manual

  • Set User Status to Bypass

  • Set Authorized Networks


Set Enrollment Type to Manual


When Enrollment Type is set to Manual, users must be manually added to your users list by administrators. Login attempts from other users are denied or bypassed. You can set this behavior by selecting either Deny or Bypass under Handling of unknown users.


In order to enable MFA only for users that were added manually, follow these steps:


1. Login to Rublon Admin Console.

2. Select Settings from the pane on the left.

3. Change Enrollment type to Manual.

4. Handling of unknown users will appear next to Enrollment type.

5. Set Handling of unknown users to Bypass.



6. Click Save in the upper-right corner to save the changes.


Only users that you will add manually to the users list in the Rublon Admin Console will be prompted for MFA. Everybody else will log in just like before the Rublon deployment.


Set User Status to Bypass


If you want to disable Rublon MFA for a small number of users, you can manually set the Status of those users to Bypass. When you set a user's Status to Bypass, the user will not have to undergo Rublon 2FA. In this case, all other users whose Status is set to Active will be authenticated by Rublon.


1. Login to Rublon Admin Console.

2. Select Users from the pane on the left.

3. Select users you want to be bypassed.


  • You can select all users by checking the uppermost checkbox in the table.

  • You can select more than one user by checking the checkbox next to their Username.

  • You can search for users with common names or domains.



4. Once you selected all users you want bypassed, click the Edit selected button.

5. An Edit selected users window will appear. Select Bypass and click Save to enable bypass for the selected users.


From now on, all selected users will be bypassed.


Set Authorized Networks


Authorized Networks allows you to enable bypassing MFA for specific IP addresses, IP ranges or CIDRs. If all users you want to bypass have IPs in the same range, you can use Authorized Networks to disable MFA for these users (they will be bypassed). If you set such Authorized Networks in the Global Policy, Rublon will prompt users for MFA except for users in the IP range set in Authorized Networks. You can also set different Authorized Networks in different Custom Policies. Refer to the following examples to learn more.



Examples


Let’s assume you have a group of users with IP addresses in the following range: 


17.5.100.0-17.5.100.50


Let’s say you would like these users to be bypassed by Rublon.


Example 1


Let’s also assume you want all users whose IPs belong to the preceding range to be bypassed regardless of the application they attempt to log in to. To achieve this, you can change the Global Policy.


1. Login to Rublon Admin Console.

2. Select Policies from the pane on the left.

3. Navigate to Global Policy and click Edit Global Policy.

4. Click Authorized Networks on the left.

6. Enter the IP range in the Authorized Networks text field.

7. Click Save.


Now all users whose IPs belong to the range specified in Authorized Networks will be bypassed.


Example 2


Let’s also assume you want all users whose IPs belong to the preceding range to be bypassed but only if they log in to some specific applications.


1. Login to Rublon Admin Console.

2. Select Policies from the pane on the left.

3. Navigate to Custom Policies and click New Policy.

4. Set a name for your policy, e.g. Bypass Users.

5. Click Authorized Networks on the left.

6. Enter the IP range in the Authorized Networks text field.

7. Click Save.

8. You can now go to Applications and assign your newly created policy to one or more applications. Note that a custom policy will have no effect if it is not assigned to any application.


Now all users who fulfill the following requirements will be bypassed:

  • They log in to an application with Bypass Users policy.

  • They have IPs that belong to the range specified in Authorized Networks of the Bypass Users policy.




Helpful Links


Rublon Admin Console - Documentation