Allow user to opt in to MFA - keycloak

I have been able to leverage Keycloak's "Default Actions" section in "Authentication" to force new users to setup MFA via Google Authenticator.
However, I've only been able to make this required for all users or not even possible to turn on. I'm looking for a way to allow users to opt in to MFA via OTP if they would like during Sign Up.

I think you need to use the Authentication api, and specifically the one for extending the registration page/form.
See: https://www.keycloak.org/docs/latest/server_development/#modifying-extending-the-registration-form
I will give it a try tonight, and update my answer.

There is no default option out of the box to implement this authentication flow.
You can create a custom authentication flow with a step asking the user to do the MFA.
This can be made using a javascript authenticator (https://www.keycloak.org/docs/latest/server_development/#_script_providers) or a java service provider interface. https://www.keycloak.org/docs/latest/server_development/#_auth_spi

Related

If I used Ejabberd authentication with JWT, I don't to need to register the user?

Currently, I have a social media project that already has the existing users, I want to enable the chat function. I had config Ejabberd with JWT and Mysql. I tested and I realized that I don't have to register the users in order to chat, I just need to make sure my token has "JID". Is it a good approach? Or do you have any other suggestions?
You don't need to register the users to ejabberd server explicitly while using external authentication mechanism.
However, chances are that you might not be able to see the list of registered users on the admin panel when not using the default authentication mechanism.

Authorization new user - keycloak

I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs. The best option for me:
New user register, but his account is unavailable.
When ADMIN accept this new account, user can log in.
Is it possible do it in keycloak ? Or any similar solution ?
Sure you can do it. The easiest way is to give a default role to newly registred users. The default role would give only minimal privileges. Then ADMIN can promote the user to the more appropriate group or role.
Probably to "automate" or smoothen the second part of this flow you might need some flow customization. Cf. https://www.keycloak.org/docs/latest/server_development/#required-action-walkthrough and related.
Another solution is to give to the default minimal role the possibility to request acceptation, or make the request automatically at first logging (eg. mail sent to ADMIN).
EDIT
Programmatically it is also possible to make calls to the Keycloak Admin API (through native Admin Client). For example, you can write some logic (and associated UI or whatever) that will assign or remove groups from a user.
See. Admin REST API

Keycloak flow to allow only authorized IDP accounts

I would like to setup Google federation using Keycloak however only for authorized users in my company.
Setting up Google federation allows any Google account to login.
I have looked at the authentication flow on Keycloak but I have been unable to find a way to set it up. I can think of a few simple scenarios that I had hoped Keycloak allowed out of the box
Instead of automatically creating an account when somebody tries to login, require that an account with the exact same email/username already exists and just link them based on the email when that specific user tries to login.
Automatically create an account the first time the user logs in using Google, link them however require an admin to manually activate the account before it can be used
A combination of the first 2. Enable registration, allow the user to register an account and require an admin to activate the account, at which point the user can link them.
Try as I might, I seem to be unable to configure this. There seems to be no way to have Keycloak create an account that requires activation and if I try to create a flow where the "unique account creation" authenticator is not include, it immediately throws the user to an "invalid username/password" screen.
Did I miss something? Is there no other option than manually creating an account and linking it for every single user (or write my own authenticator which I am trying to avoid)?
If you are OK with folks from a single domain (e.g. #yourco.com), you can use the Hosted Domain parameter on the settings page. For google specifically, at least as of keycloak 11.x, both google and keycloak will ensure the user's email address matches the entered domain. I do not know if it's possible to enter multiple domains.
What we do is use the hosted domain option, and grant these new users a simple role that allows them to log into the admin panel and have read permissions on a few simple areas. This makes it easy to setup new accounts in Keycloak, we just tell users to go log in and they are setup with basic access. If someone warrants more advanced access to read private data or even write some data, they have to contact our ops team who may choose to grant them some more roles in keycloak
You could implement a custom form action. It's easier than you would expect.
If you don't want to write code you could maybe use the 'script' form action which is already available. You can get to it this way:
Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (Making a copy of it allows you to edit it). Now click 'Add execution' and chose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Put the radio button on 'REQUIRED' and go to actions -> config. Now in the script you could check the username or email to match a pattern (maybe the domain name of your company), if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.
Make sure that you select this (new) first broker login in your identity provider configuration.

Can IdentityServer3 allow Integrated Windows Authentication with ability to log in as different user

I'd like to know if its worth investing time into developing an IdentityServer3 implementation that would work similarly to how Sharepoint allows for an initial Login using Integrated Windows Authentication, but then allow user to login as a different user with a prompt for credentials. Our hospital has many users where their primary workstation is set up as generic login. I'd like to use integrated Authentication, but allow these users on generic workstations to re-login as themselves.
From my research I think a logout page that actually invalidates the original token along with a secondary external Identity provider running without integrated Authentication is where I'm heading, but would like some validation that its feasible.
You would approach that problem differently with IdentityServer - on the login page you would give the user a choice. Either use integrated authentication or specify some username/password explicitly.
Logging out of identityserver would then also allow to switch identity if needed.
So yes this is possible.
We have an example that does built-in Windows authN (username/password is disabled - but you can re-enable by setting EnableLocalLogin to true here https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/WebHost%20(Windows%20Auth%20All-in-One)/WebHost/Startup.cs#L36).

Is it possible to create a new user via ADFS?

I am in the process of scoping out whats involved in setting up single sign on using SAML and ADFS. A query has come back that I can't answer and can't seem to find anywhere.
Is it possible to carry out the usual user profile actions via ADFS? For example :
Can I register new users via ADFS?
Can I provide forgotten password / reset password functionality via ADFS?
I'm getting confused and have a feeling I am barking up the wrong tree!
No, AD FS only delivers security tokens for Active Directory accounts, after providing some form of credentials for such an account. It does not make any kind of changes in Active Directory, nor anywhere else.
No, AD FS has no 'reset password' functionality. However, the AD FS sign-in pages can be customized, and the functionality to change the (AD) password can be added by customizing/creating the appropriate ASP.NET pages. Been there, done that. Unfortunately I cannot share that code.
(This answer applies to AD FS 2.0 only; I'm not sure about AD FS 1.0.)
#Marnix is correct - ADFS is an "Access Manager" not an "Identity Manager".
As you can customise pages, there is nothing stopping you creating provisioning pages or adding links to a provisioning system.
Word to the wise: The "standard" ASP.NET membership pages provision to a SQL DB which won't help you. ADFS authenticates against AD only. You need to use AD membership.
Also, for internal users who login to their desktop with WIA and SSO behind the scenes with ADFS, you get the standard password functionality e.g. password about to expire, change password etc.
In addition to that: Microsoft has another product which integrates with ADFS (and other auth mechanisms) called Forefront Identity Manager which provides password reset / user self management as well as account creation via delegated fine granted rights. All that using a web-interface.
i guess that is what you're looking for.
However: adfs itself is only a tool to provide federation and SSO - so it's there for authentication / delegation, not mangement.