# External SSO based MFA

In order to enable the External MFA authentication:

1. Your instance **must have** [external OIDC/SSO configured](https://docs.defguard.net/1.5/features/external-openid-providers).
2. Select the VPN Location from the dropdown list on the Network Overview and press the **Edit Location** button in the top right corner of the page.
3. Select the External MFA in the menu.

<figure><img src="https://content.gitbook.com/content/kHPDOBrb5X1TB8O3GsjW/blobs/5w7DJ9M2nK5OtpCM2j7J/Screenshot%202025-07-29%20at%2017.29.25.png" alt=""><figcaption></figcaption></figure>

#### Client disconnect threshold

When MFA is enabled on a location, Defguard periodically (currently every **1 minute**) checks the gateway statistics to determine whether a client is still connected; if the period of inactivity defined in this option has elapsed, the client is disconnected.

The gateway therefore needs to be configured to send statistics within that period; otherwise an active client can appear inactive and be disconnected.

{% hint style="info" %}
We recommend the following settings:

* Gateway: send statistics every 30 seconds
* Peer disconnect threshold: at least 300 seconds (5 min)
{% endhint %}
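To show why the two settings interact, here is a constructed simulation of the disconnect check described above (added here; it is not Defguard's code, and it assumes the gateway reports each peer's latest activity timestamp with every statistics push):

```python
"""Model of the MFA client-disconnect check (constructed, not Defguard's code).

Assumptions: the gateway reports per-peer activity every `stats_interval`
seconds, Defguard evaluates peers every CHECK_PERIOD seconds, and a peer is
dropped when its last *reported* activity is older than the threshold.
"""
from dataclasses import dataclass
from typing import Optional

CHECK_PERIOD = 60  # Defguard checks once a minute (from the docs)


@dataclass
class Outcome:
    disconnected_at: Optional[int]  # simulation second of disconnect, or None


def simulate(stats_interval: int, threshold: int,
             active_until: int, horizon: int = 3600) -> Outcome:
    """Simulate one peer that sends traffic continuously until `active_until`
    seconds, then goes idle. Returns when Defguard would disconnect it."""
    last_reported_activity = 0  # what Defguard believes; updated only by reports
    for t in range(0, horizon + 1):
        if t % stats_interval == 0:
            # Gateway statistics push carries the peer's latest activity time.
            last_reported_activity = min(t, active_until)
        if t > 0 and t % CHECK_PERIOD == 0:
            # Defguard's periodic inactivity check.
            if t - last_reported_activity > threshold:
                return Outcome(disconnected_at=t)
    return Outcome(disconnected_at=None)


def config_is_safe(stats_interval: int, threshold: int) -> bool:
    """True if a continuously active peer is never dropped within an hour."""
    return simulate(stats_interval, threshold, active_until=3600).disconnected_at is None


if __name__ == "__main__":
    # Recommended values: 30 s reporting, 300 s threshold.
    print("30s/300s safe:", config_is_safe(30, 300))      # True
    # Gateway reporting slower than the threshold: active peer gets kicked.
    print("600s/300s safe:", config_is_safe(600, 300))    # False
    # Genuinely idle peer (stops at 100 s) is dropped once the threshold passes.
    print("idle peer dropped at:", simulate(30, 300, active_until=100))
```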

### Testing MFA on Defguard client

When a location has External MFA enabled, clicking Connect in the Desktop client ([here you can find information about Mobile Client External MFA](https://docs.defguard.net/1.5/using-defguard-for-end-users/mobile-client/instance-connect#external-mfa)) displays a notice that authentication is required:

<figure><img src="https://content.gitbook.com/content/kHPDOBrb5X1TB8O3GsjW/blobs/BKd5pZnR35JMm8h0Bhrm/Screenshot%202025-07-29%20at%2017.32.51.png" alt="" width="375"><figcaption></figcaption></figure>

To authenticate, the user is prompted to click **Authenticate with** your configured OIDC provider (for example, Authenticate with Google). This opens the browser and starts an authentication session with your OIDC/SSO provider through the [Defguard Enrollment](https://docs.defguard.net/1.5/using-defguard-for-end-users/enrollment) service (which is the only public component).

After successful authentication, the user will be informed by the enrollment service like so:

<figure><img src="https://content.gitbook.com/content/kHPDOBrb5X1TB8O3GsjW/blobs/nspNxbMAeT5bPRkMvIpq/Screenshot%202025-07-29%20at%2017.33.21.png" alt="" width="375"><figcaption></figcaption></figure>

Once this is done, the VPN should be connected.

Video describing the whole process:

{% embed url="https://www.youtube.com/embed/81MH7VXmHR0" %}

## Biometry as an internal MFA method

Users can use biometry as an internal MFA method on their mobile devices. If biometry is configured as an MFA method on a device, you will see the ![](https://4041812211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkHPDOBrb5X1TB8O3GsjW%2Fuploads%2Ff3Lzf2j9n6jiFrE9KtH1%2FScreenshot%202025-08-18%20at%2013.56.49.png?alt=media\&token=1f50abdb-b307-4c42-93b6-3f6f9785ce7d) icon next to the device name.

<figure><img src="https://4041812211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkHPDOBrb5X1TB8O3GsjW%2Fuploads%2FNtsveHNMt3vYsyTbkMpJ%2Fdefguard-devices-fingerprint-icon.png?alt=media&token=cf9394d8-02b2-4f26-bf20-6d2a8227a250" alt=""><figcaption></figcaption></figure>
