In this post, let's see how to implement a use case with WSO2 Identity Server 5.7.0. We will use the example of the user management system from my previous blog post. For convenience, I'll add the use case below.
There is a user management system in your company. All the users can login to the system and manage their profile and change their password. But if you are an admin user in the system, you can add users, delete users, reset passwords of other users and do all the risky tasks in the system. While all the users can login to the system with just username and password, if you are an admin user, you have to enter your “Time-based One Time Password” (TOTP).First, download the WSO2 Identity Server 5.7.0 from the official download page and start it if you haven't done it already. Now configure the application in Identity Server and add the inbound authentication configuration as described in this documentation.
Now we are ready to configure the adaptive authentication for this service provider. Go to the "Local & Outbound Authentication Configuration" section of the service provider configuration and click on the "Advanced Authentication" button. You will be redirected to below page.
Expand the "Script Based Adaptive Authentication" section and you will be able to see a list of templates available.
From the available template list, we will be using the "Role-Based" template. To use it click on the "+" next to "Role-Based" label. Now the editor will be populated with below template.
// Role-Based from Template... // This script will step up authentication for any user belonging // to one of the given roles // If the user has any of the below roles, authentication will be stepped up var rolesToStepUp = ['admin', 'manager']; function onLoginRequest(context) { executeStep(1, { onSuccess: function (context) { // Extracting authenticated subject from the first step var user = context.currentKnownSubject; // Checking if the user is assigned to one of the given roles var hasRole = hasAnyOfTheRoles(user, rolesToStepUp); if (hasRole) { Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString()); executeStep(2); } } }); } // End of Role-Based.......
The script is pretty much self-explanatory. First, we execute step 1, which is configured to basic authentication in the "Authentication Step Configuration" section. The after successful execution of the first step, we check whether the logged in user has the "admin" or the "manager" roles. If so, we execute step 2, which is configured to either TOTP or FIDO authentication.
Click on the "Update" button and then save the service provider configuration.
Now we are ready to test the adaptive authentication.
First, try to log in as an admin user. After entering the admin credentials, the user will be prompted for a second factor.
Next, try to log in as a normal user (a user that don't have admin or the manager roles). Just by entering the username and the password, the user will be able to log in.
So now we have implemented the scenario successfully. Identity Server has a set of pre-defined templates for adaptive authentication. Explore them and see the use cases you can implement. Adaptive Authentication JS API Reference document contains more information about each API and objects used in the authentication script. Using them you can implement many more use cases.
No comments:
Post a Comment