Keycloak 2-factor authentication with OIDC Identity Brokering - authentication

Is it possible to make a 2-factor authentication with OIDC Identity Brokering?
I'm trying to use TOTP to set up 2-factor authentication; it works for the password authentication method but not with OIDC Identity Brokering.
1- with password method:
login + password
OTP password
successful login
2- with OIDC Identity Brokering:
select OIDC provider
select account
successful login
Is it possible to add an OTP password stage in the OIDC method?
Does someone know the issue?

It is not a problem of the OIDC protocol (actually, I guess you are using OIDC in both cases), but of the authentication flow used. Make sure you have properly configured the First Broker Login flow so that it fits your needs. For example:
Source: https://github.com/keycloak/keycloak-community/blob/master/design/multi-factor-admin-and-step-up.md
But I would say it won't be a clever idea to require TOTP in Keycloak in this setup, when Keycloak is only a middle layer (Identity Brokering). The proper config will be to configure (T)OTP on the OIDC provider used (that's another IdP, which is only used by your Keycloak).
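If the OTP step does have to live in Keycloak, it must run on every brokered login, not only on the first one: Keycloak runs the First Login flow only when an external account is first linked, while the identity provider's Post Login flow runs each time. The script below is an added example (not from the answer above or the Keycloak project) that builds such a flow through the admin REST API; the realm name, IdP alias, flow alias and the way the admin token is obtained are assumptions.

```python
"""Bind a REQUIRED TOTP step to a Keycloak identity provider's post-broker-login flow."""
import json
import urllib.request

# Assumed values; adjust for your deployment.
REALM = "myrealm"
IDP_ALIAS = "oidc"
FLOW_ALIAS = "post-broker-otp"


def http_urllib(method, url, token, body=None):
    """Default transport: one JSON call against the Keycloak admin REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def enforce_otp_after_brokering(base_url, token, http=http_urllib,
                                realm=REALM, idp_alias=IDP_ALIAS, flow_alias=FLOW_ALIAS):
    """Create a top-level flow holding a REQUIRED 'auth-otp-form' execution and set it
    as the IdP's Post Login flow. Returns the id of the execution made REQUIRED.
    'http' is injectable so the sequence can be exercised without a server."""
    admin = f"{base_url}/admin/realms/{realm}"
    # 1. New top-level flow ("basic-flow" = executions run in order).
    http("POST", f"{admin}/authentication/flows", token,
         {"alias": flow_alias, "providerId": "basic-flow",
          "topLevel": True, "builtIn": False})
    # 2. Add the OTP form authenticator. A user without a TOTP credential is sent
    #    to the CONFIGURE_TOTP required action by this authenticator.
    http("POST", f"{admin}/authentication/flows/{flow_alias}/executions/execution",
         token, {"provider": "auth-otp-form"})
    # 3. New executions start as DISABLED; flip the OTP step to REQUIRED.
    execs = http("GET", f"{admin}/authentication/flows/{flow_alias}/executions", token)
    otp = next(e for e in execs if e.get("providerId") == "auth-otp-form")
    otp["requirement"] = "REQUIRED"
    http("PUT", f"{admin}/authentication/flows/{flow_alias}/executions", token, otp)
    # 4. Bind the flow to the IdP; the PUT expects the full representation.
    idp = http("GET", f"{admin}/identity-provider/instances/{idp_alias}", token)
    idp["postBrokerLoginFlowAlias"] = flow_alias
    http("PUT", f"{admin}/identity-provider/instances/{idp_alias}", token, idp)
    return otp["id"]
```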

Related

Is SAML authentication possible with a login form on the service provider page?

I think of this scenario:
Authentication with the IdP by REST API, passing username, password and a SAML request. Is it possible?
I would like to have my web application, which has the page with login and password; on submit we invoke the IdP REST API (send username, password, SAML request).
Is it possible to have the login form on our page and "invoke" an IdP via REST API and receive the SAML response from the IdP endpoint?
Will Single Sign-On work in this way?
Thanks :-)
[image: authentication flow]
Is this https://docs.axway.com/en-US/bundle/SecureTransport_55_DeveloperGuide_allOS_en_HTML5/page/Content/DevelopersGuide/restAPI/SSO_REST_API.htm my solution?
Thanks
[07/02/2023] Solved:
No SSO with the resource owner password credentials (ROPC) flow
The OAuth 2 resource owner password credentials (ROPC) grant allows an application to sign in the user by directly handling their password. In your desktop application, you can use the username/password flow to acquire a token silently.
Constraints for ROPC
The following constraints apply to the applications using the ROPC flow:
Single sign-on is unsupported.
Multi-factor authentication (MFA) is unsupported.
Check with your tenant admin before using this flow - MFA is a commonly used feature.
Conditional Access is unsupported.

Apereo CAS 6.0.x - Auto-login after registration

I use CAS 6.0.x with OAuth 2.0. I have an external app to register new users.
In one of my flows, I want to auto-login the user in CAS after successful registration.
Is it possible?
You might be able to use JWT Authentication. Basically, you create a JWT token and pass it along to CAS; once unpacked and validated, CAS should create an SSO session and log the user in automatically.

Silent SAML authentication?

I'm trying to authenticate users with the SAML protocol.
So far I have two applications in two different identity providers (Auth0 and OneLogin) to test. I also have my service provider.
What I'm trying to do is authenticate users without redirecting them to any Identity Provider login form.
Something like this:
1. The user tries to log in to my application (made in React).
2. My service provider receives the request made by the user and sends the credentials (username and password) to an identity provider using the SAML protocol.
3. The identity provider validates the credentials; if they are correct, it returns a SAML assertion to my service provider; otherwise, it returns an error.
4. Depending on the identity provider's response, the content is sent to the user or not.
I know that it is not the intended use of SAML, but I want to know if there is a way to do it and how it will be possible.
Any help or advice will be well received, thank you.
That's not how SAML works and I'm not aware of any SAML identity providers that accept the user's name and password.
It is possible to include the user's name in the SAML authn request sent to the identity provider but there's no provision for including a password.
I think there are a number of security considerations if you were to prompt a user for their credentials for one web site (i.e. the identity provider) at a different web site (i.e. the service provider).
Using SAML SSO, if the user isn't already authenticated at the identity provider, it will prompt the user to login.
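To make the answer concrete, here is an added example (not from the answer above) that builds a SAML 2.0 AuthnRequest carrying the user's name in a <saml:Subject>, which is the only user-identifying content the protocol lets a service provider put in the request, and reads it back. The IdP SSO URL, SP entity ID and ACS URL are assumed placeholder values; signing is left out.

```python
"""Build and inspect a SAML 2.0 AuthnRequest that pre-fills the subject name."""
import datetime
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Assumed placeholder endpoints; substitute your own IdP and SP values.
IDP_SSO_URL = "https://idp.example.test/sso"
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/acs"


def build_authn_request(username, issue_instant=None):
    """Return the AuthnRequest XML. Element order follows the schema:
    Issuer first, then Subject. There is no element for a password."""
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    subject = ET.SubElement(root, f"{{{NS['saml']}}}Subject")
    name_id = ET.SubElement(subject, f"{{{NS['saml']}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"})
    name_id.text = username
    return ET.tostring(root, encoding="unicode")


def subject_name_id(xml_text):
    """Extract the NameID an SP placed in a request; None if absent.
    An IdP may use it to pre-fill its login form, but authenticates the user itself."""
    node = ET.fromstring(xml_text).find("saml:Subject/saml:NameID", NS)
    return node.text if node is not None else None
```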

WSO2 Identity Server: How to handle SAML2 SSO Logout request

I am using Identity Server for SSO in Thingworx. I am able to federate login; however, I am not able to handle logout.
Please assist on how to handle logout.
You can specify the IdP logout URL in the SAML Federated IdP configuration.
Thanks
Isura

Server side authorization with OAuth

Is there a way to ask for an OAuth authorization without redirecting the user to the service and then back again to my app?
In detail, I'm creating a web service that needs access to the Facebook Graph API, which requires OAuth 2.0 authentication. Is that possible?
Thanks
The authorization request has to happen for an authenticated (by the OAuth provider, not you) account, and for security reasons the authentication has to be a direct interaction between the end user and the OAuth provider.
Of course, the provider might decide the user is already authenticated properly (there is a fresh auth ticket in a provider-specific cookie for example) and skip the authentication sequence, but there is no way for you to force it to take your word that the user on whose behalf you are requesting the authorization indeed is an authenticated user of the OAuth provider.