BMCMFAID
BMCMFAID is the multifactor authentication (MFA) identifier that the Okta Gateway uses to locate the mobile device for the authentication challenge. BMCMFAID can take any value that the Okta Gateway recognizes to identify and authenticate the target mobile device. You can also set symbolic variables in the BMCMFAID user and group RACF custom fields. These variables are resolved at runtime.
Symbolic variables
You can use the following symbolic variables defined by EC for Okta for the MFA ID. These variables are derived from various RACF data points. The symbolic variable names must begin with an ampersand (&) and end with a period (.).
Symbolic variable | Description |
---|---|
&WANAME. | RACF work attribute name field |
&WAEMAIL. | RACF work attribute email field |
&USERID. | RACF user ID |
&GROUP. | RACF group ID associated with this user access request |
&INSTDATA. | RACF installation data |
&APPLDATA. | RACF application data |
&OIDCARD. | RACF OID card data |
&USERDATA. | RACF user data |
Use cases
This section includes different use cases involving BMCMFAID variables.
You can configure the BMCMFAID variables as follows:
To send the specified value to the Okta Gateway for MFA, use the following command:
ALTUSER <userID> CSDATA(BMCMFAID(<username@email.com>))
To disable MFA for a user ID, use the following command:
ALTUSER <userID> CSDATA(BMCMFAID(*NONE*))
To disable MFA for a group ID, use the following command:
ALTGROUP <groupID> CSDATA(BMCMFAID(*NONE*))
Including an email address
If the Okta Gateway requires an email address to identify the mobile device used for authentication, use the following command syntax to include the individual user’s email address stored in the RACF work attribute email field:
ALTUSER <userID> CSDATA(BMCMFAID(&WAEMAIL.))
ALTGROUP <groupID> CSDATA(BMCMFAID(&WAEMAIL.))
Using multiple variables in a single BMCMFAID substitution
The following command syntax substitutes the user ID and email address for the MFA ID. The forward slash (/) or any other text will be included in the MFA ID passed on to the Okta Gateway.
ALTUSER <userID> CSDATA(BMCMFAID(&USERID./&WAEMAIL.))
ALTGROUP <groupID> CSDATA(BMCMFAID(&USERID./&WAEMAIL.))
Using z/OS system symbolics
You can also use z/OS system symbolics in the MFA ID. To obtain a list of z/OS system symbolics, use the z/OS D SYMBOLS operator command. To include a system symbolic in the MFA ID, use the following command syntax:
ALTUSER <userID> CSDATA(BMCMFAID(&SYSNAME./&WAEMAIL.))
ALTGROUP <groupID> CSDATA(BMCMFAID(&SYSNAME./&WAEMAIL.))
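The following is an added example, not code from BMC or from this page: a Python pre-check for BMCMFAID commands that flags *NONE* (MFA disabled), symbols outside the table above, malformed symbols and unbalanced parentheses, and previews the resolved MFA ID. The `review` function, the sample commands and the profile values are constructed, and the preview only models the runtime substitution described here; it is not the product's resolver.

```python
import re

# Symbolic variables listed in the table on this page.
EC_SYMBOLS = {"WANAME", "WAEMAIL", "USERID", "GROUP",
              "INSTDATA", "APPLDATA", "OIDCARD", "USERDATA"}
SYMBOL_RE = re.compile(r"&([A-Z0-9]+)\.")   # begins with &, ends with a period
CMD_RE = re.compile(
    r"^(ALTUSER|ALTGROUP)\s+(\S+)\s+CSDATA\(BMCMFAID\((.*)\)\)\s*$")

def review(command, profile=None):
    """Return (target, findings, preview) for one ALTUSER/ALTGROUP line."""
    m = CMD_RE.match(command.strip())
    if not m:
        return None, ["unparsed: check keywords and closing parentheses"], None
    verb, target, value = m.groups()
    kind = "user" if verb == "ALTUSER" else "group"
    if value == "*NONE*":
        return target, [f"MFA disabled for {kind} {target}"], None
    findings = []
    names = SYMBOL_RE.findall(value)
    for name in names:
        if name not in EC_SYMBOLS:
            findings.append(f"&{name}. is not in the EC for Okta table; "
                            "confirm it is a z/OS system symbolic (D SYMBOLS)")
    if value.count("&") != len(names):
        findings.append("malformed symbol: needs leading & and trailing period")
    preview = None
    if profile is not None:
        # Assumption: names missing from the profile are left unresolved here.
        preview = SYMBOL_RE.sub(
            lambda s: profile.get(s.group(1), s.group(0)), value)
    return target, findings, preview

# Constructed sample data, not taken from a real RACF database.
SAMPLE_PROFILE = {"USERID": "USR1", "WAEMAIL": "usr1@example.com"}
SAMPLE_COMMANDS = [
    "ALTUSER USR1 CSDATA(BMCMFAID(&USERID./&WAEMAIL.))",
    "ALTUSER USR1 CSDATA(BMCMFAID(&SYSNAME./&WAEMAIL.))",
    "ALTUSER USR1 CSDATA(BMCMFAID(&WAEMAIL))",
    "ALTGROUP GRP1 CSDATA(BMCMFAID(*NONE*))",
    "ALTUSER USR1 CSDATA(BMCMFAID(&USERID./&WAEMAIL.)",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd, "->", review(cmd, SAMPLE_PROFILE))
```

Running the check over planned commands before they are issued surfaces every profile where MFA would be switched off and every MFA ID that would reach the Okta Gateway with an unresolved symbol.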