You can configure specific ACR for specific OpenID client: https://gluu.org/docs/gluu-server/4.5/admin-guide/openid-connect/#setting-the-default-acr

Yeah I am aware of the specific ACR value, My question is if we want to manage the OTP device using API is it possible. For example if user forget the device can we remove the device using API calls, but i don't think Gluu scim doc have anything realted managing the OTP devices.

OTP devices are stored as a user claim, so you can use the SCIM /Users endpoint to manage OTP devices. SCIM doesn't address OTP specifically because it's just a customer user claim.

Hi, Aman & Michael. That's correct - if attribute is present on user's entry, you should be able to change it with SCIM. So, for example, for "oxExternalUID" to be mutable with it, follow next steps: 1. Move to "Configuration" > "Attributes" and click "Register attribute" button 2. For "Name" and "Display name" use "oxExternalUID", type - "text", then set "Include in SCIM extension" checkbox; the rest of the fields can be left at default/blank values, or any value can be put there if its mandatory 3. Click "Register" button From now on, you should be able to manipulate this attribute with SCIM, as long as request is correct. Here is example of request that updates this attribute: ``` { "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:gluu:2.0:User" ], "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": { "oxExternalUID": "lsd:afjljflsajfsafjas21312-cngd" }, "displayName":"test user one scim-upd" } ``` Hope this helps.

Thanks a lot Micheal and Aliaksandr, This resolve the issue regarding the OTP device management. But i have another question regarding MFA can you let me know if this is possible in Gluu: Can we add the ability for the user to optionally defer the second factor for a configurable period of time after the successful second factor login. a) User logs in, provides the second factor, then selects, remember me temporarily b) Subsequent logins from that device only require the first factor until the configurable time period has elapsed (1 day? 1 week? 10 days?)

In Gluu 4 you can do anything with person authentication scripts by making it a two step authentication flow, and the displaying the respective page in step 2. For example, see this example in our [Duo Interception Script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/duo/DuoExternalAuthenticator.py#L115) In Gluu Flex, this would be better handled by creating an Agama flow... I'll be posting a lot of content about Agama this year on Linkedin, if you [follow me](https://www.linkedin.com/in/nynymike/).