2:06 p.m.
Hi all,
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after User / Password Form
Authenticator, a kind of "access rules" authenticator, that will, according
to some request parameters, (for example, ip address, or application) will
add dynamically a second factor authenticator in the flow. (Like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (For example, we provide a set of second factory, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during browser
authentication process, after providing user and password, user will get a
form allowing him to choose the second factory system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticator. (So, not to write a
big 2fa authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
6:34 p.m.
Hello Steve,
something similar to what you want is already available in Keycloak.
Look for the "Conditional OTP Form" in the "Create Authenticator
Execution"
screen,
when you create a new Authenticator Execution.
The implementation can be found in the keycloak-services module:
org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator
Cheers,
Thomas
2016-12-14 14:06 GMT+01:00 Steve Favez <favez.steve(a)gmail.com>:
Hi all,
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after User / Password Form
Authenticator, a kind of "access rules" authenticator, that will, according
to some request parameters, (for example, ip address, or application) will
add dynamically a second factor authenticator in the flow. (Like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (For example, we provide a set of second factory, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during browser
authentication process, after providing user and password, user will get a
form allowing him to choose the second factory system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticator. (So, not to write a
big 2fa authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:33 p.m.
New subject: two factor authentication using email on trusted devices
Hi All,
We have requirement of two factor authentication using email such as below.
When user attempts to login to system, the system should check for a cookie to confirm the
device has been authorized. If the cookie is not found or is expired, the system will send
an authentication email to the user's email address and ask the user to check their
email which is associated with their account. When the user clicks on a designated link in
the email, their account will be allowed to access system.
The authentication will expire after a time period which needs to be configurable in
through UI
Can you please help with this?
Do we have this feature implemented in place?
Thanks,
Snehalata
Disclaimer: This e-mail may contain Privileged/Confidential information and is intended
only for the individual(s) named. Any review, retransmission, dissemination or other use
of, or taking of any action in reliance upon this information by persons or entities
other than the intended recipient is prohibited. Please notify the sender, if you have
received this e-mail by mistake and delete it from your system. Information in this
message that does not relate to the official business of the company shall be understood
as neither given nor endorsed by it. E-mail transmission cannot be guaranteed to be
secure or error-free. The sender does not accept liability for any errors or omissions in
the contents of this message which arise as a result of e-mail transmission.If
verification is required please request a hard-copy version.
Visit us at http://www.harbingergroup.com/
2425
days inactive
2690
days old
2 comments
3 participants
participants (3)
-
Snehalata Nagaje -
Steve Favez -
Thomas Darimont