Multiple authentication methods for a user in Keycloak - keycloak

I would like to let my users have a choice which authentication method to use. For example, they could be presented with a menu to pick an option (username/pass, username/pass+OTP, etc).
Then, Keycloak should, based on their choice, assign specific scope to the token.
Is this possible to do with Keycloak (probably by somehow utilizing auth method chaining) and how? I couldn’t find this in the documentation but it seems like a reasonable use case to me.

Here is my solution:
Circled authenticators are custom ones for which I provided a custom implementation.
I used the fall-through mechanism, which means that the first authenticator implements a custom form,
which lets the user choose an authenticator and captures the user's choice in a variable.
Later, this variable is used in the following authenticators to decide whether to do the authentication or to pass on control to the next authenticator.
You can read more about Authentication SPI in the following page: https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
And here you can see how to implement a custom authenticator.
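The fall-through pattern this answer describes, as an added Java sketch (not the answerer's code): a first authenticator renders a menu and stores the choice as an authentication-session note, and a second authenticator, subclassing Keycloak's stock OTP form step, reads that note and either runs or calls attempted() to pass control to the next execution. Assumed: a theme template named choose-method.ftl with a form field named method, the note name auth_method and its values, a Keycloak release using jakarta.ws.rs (older releases use javax.ws.rs), and the AuthenticatorFactory registrations every custom authenticator also needs.

```java
import jakarta.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Step 1: render the menu, then record the user's choice in the authentication session. */
public class MethodChoiceAuthenticator implements Authenticator {
    public static final String NOTE = "auth_method";         // assumed note name
    public static final String PASSWORD = "password";         // assumed choice values
    public static final String PASSWORD_OTP = "password_otp";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        context.challenge(context.form().createForm("choose-method.ftl")); // assumed template
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String choice = form.getFirst("method");
        if (!PASSWORD.equals(choice) && !PASSWORD_OTP.equals(choice)) {
            // Unknown or tampered value: show the menu again rather than defaulting to the weaker path
            context.challenge(context.form().setError("invalidChoice").createForm("choose-method.ftl"));
            return;
        }
        context.getAuthenticationSession().setAuthNote(NOTE, choice);
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

/** Step 2, placed after the password form: run the stock OTP step only when the user asked for it. */
class ConditionalOtpAuthenticator extends OTPFormAuthenticator {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String choice = context.getAuthenticationSession().getAuthNote(MethodChoiceAuthenticator.NOTE);
        if (!MethodChoiceAuthenticator.PASSWORD_OTP.equals(choice)) {
            context.attempted(); // fall through: hand control to the next execution in the flow
            return;
        }
        super.authenticate(context); // otherwise behave exactly like Keycloak's OTP form
    }
}
```

Both classes still need a matching AuthenticatorFactory listed in META-INF/services/org.keycloak.authentication.AuthenticatorFactory, and the executions are then arranged in the realm's browser flow in the order the answer shows.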

Here is what I did and it works.
'My goal was to give the client the ability to choose the authentication flow, choosing between email-based and SMS-based OTP.'
I created a new authentication flow (see screenshot):
Select 'Alternative' on both flows.
On the login form a new link will appear: 'Try another way'.
Now the client can choose between flows (see screenshot).

Related

Capture IDP User attributes in SAP cloud foundry app via SDK UserAccesor API

I wanted to capture user attributes coming from the SAP IDP (Identity & Authentication tenant service), like department, salutation, company etc., via the UserAccessor SDK API. Although those attributes are set and have values on the IDP user, and all the integration between the IDP and the subaccount is in place, post authentication the user attributes object is empty. I am only able to retrieve specific attributes like first name, last name, email address, user groups etc. via the JWT and the UserAccessor API, but no luck with the other attributes. In the IDP I have listed these attributes as well under assertion attributes in the SAP Identity Authentication tenant.
Please guide and help in this matter.
Thanks, Siddharth
Update: As we have now identified the problem, I will update my answer to reflect that. The original answer below is outdated:
Okay, so the problem is that you haven't mapped any additional user attributes from your Identity Provider (IdP) to your JWT. As far as I'm aware there are three things you will need to do:
You need to create attributes in your xs-security.json (the file you used to configure your XSUAA service instance). This documentation should explain how to do that.
You need to configure which attributes are exposed by your IdP (in your case the SAP Identity & Authentication service; this documentation looks like a good place to start looking).
You need to map the attributes exposed by your IdP to the attributes defined in your xs-security.json. You will probably need to reconfigure (i.e. delete, recreate and rebind) your XSUAA service instance with the updated config, before you can do this step. Then, navigate to your application in the Cloud Platform Cockpit, from the left toolbar click "Security > Roles" and create your mapping.
Let me know if this works for you!
Original Answer:
As far as I'm aware the default IdP does not support SAML. Without SAML, I'm not sure whether you can propagate any attributes from your IdP into the JWT.
Please also check out this discussion for more information.

How to map social credentials with custom ones

My company has userbase of course, but I want to allow users to login and use my applications with their social accounts e.g. Outlook, Facebook, Gmail. Something that is usually not clear to me when I read resources on the Internet on the topic is how to map the social credentials with ones in our database? I know we should use an API platform or something like that, but the user identity part is not clear to me.
You basically need to, as you noted, tap into the provided response and transform, link or provision it to existing identities in your own userbase. A lot of this depends on your method of delegating authentication to external providers and the things they expose back to you as part of the user profile. You basically need to grab the user profile, parse it and then determine which field can be used to link that profile to an existing account, and then establish the authentication session based on the final result.
Here is a link to a technical walkthrough that describes the same process with an SSO solution: https://apereo.github.io/2018/04/20/cas-delegated-authn-account-linking/

Custom Inputs on Identity server 3 login

Is it possible to customize the login page / authentication logic within IdentityServer in order to allow a user to authenticate without their username and password, but instead using a customer number and, say, a postcode?
I have implemented a custom view service that uses the username and password properties, but I was hoping for a slightly better solution. Any ideas?
Yes, you can customize it.
You would have to create your own implementation of IUserService to validate whatever values you want and IViewService to render and submit the desired markup.
See more here:
https://identityserver.github.io/Documentation/docsv2/advanced/userService.html
https://identityserver.github.io/Documentation/docsv2/advanced/customViewService.html

CustomViewService (Login) passing additional values to CustomUserService - IdentityServer3

I want to use IdentityServer3 in my solution, but one of my requirements is to connect to multiple databases for users, clients and scopes.
So, I want to customize the Login page and add a database selector. I’m doing this with a custom view service.
Then, when the user clicks on the login button, my custom user service is called, but I don’t know how to send the database selector value to my AuthenticateLocal implementation in the custom user service.
I need to know the database selector value in custom client and scope services as well.
I saw this post: http://forums.asp.net/t/2032044.aspx?Custom+User+Service+for+Thinktecture+Identity+Server+V3 where Brock said it isn’t possible.
Does the latest version of IdentityServer3 have any way to achieve what I need?
Thanks!
Best regards.
You can add custom form elements to the submit on the login page. In your custom IUserService add the OwinEnvironmentService as a ctor dependency to get access to the incoming OWIN environment. You can then wrap that with an OwinContext for convenience. Then in your AuthenticateLocal you can read the posted custom form elements to do whatever you need in your logic.

Adobe CQ5: SSO without LDAP?

A customer of ours has just purchased CQ5 and would like to externalize all of its security. We'd like to use an STS server for SSO and then leverage a custom authorization/attribute provider instead of the CQ5 repository. Ultimately, we do not want to use LDAP in any way.
Here is how we envision this (some pieces already working):
User browses to CQ5 Dispatcher running in Apache
Apache filter redirects user to STS site where login is completed.
User is redirected back to Apache with SAML Claims.
User ID token is placed as cookie into browser. (everything is working up to here)
CQ5 captures that cookie based on the SSO configuration (working)
Problem starts here: from here, we want to call a custom authorization provider for the user's attributes, roles, groups etc.
We have tried to figure out how to do this and can't seem to find the missing link.
Do we need to create a custom login module? Do we need to create a custom principal provider? Do we somehow use the existing LDAP capability in CQ5 but have it call a custom class which leverages the external auth source?
If anyone here has any idea how to do this, their karma quotient would be full for the year if they could share it. I'm not sure if this is a basic thing you do with JAAS or even where to put my classes after I've created them.
We've worked really hard on this so far and seem to be close, but we keep hitting dead-ends.
Thanks so much if you have an idea where to begin!!
-joe
Recent versions of AEM now include the SAMLAuthenticationHandler which allows you to:
Redirect users to SSO to simulate IDP initiated login, or
Allow AEM to perform SP initiated login with IDP
Specify attributes to take from the SAML Assertion and add to the user's profile node (not sure if you can use this for groups)
Specify which groups users should be added to
Set a cookie called request-path that will store the URL the user arrived at, and then redirect them to that location when they're authenticated (i.e. deep linking)
This makes relying on the SAMLAuthenticationHandler better than using Apache to redirect. The current version of the handler bundled with AEM 6.2 does not properly set the cookie when using the redirect method, but Adobe does have an updated version that they can provide that will fix that problem.
I normally recommend that clients do not have their own authentication handlers developed inside AEM.
When not using LDAP, this does create an issue where users will not exist until they've logged in. Additionally, when your architecture includes more than one load balanced publisher, it is possible that a user may exist on one server user synchronization.
Try searching the Google group for SSO details. Here's one useful post:
http://groups.google.com/group/day-communique/browse_thread/thread/72c235c83a501252/fba4d08a90487156?lnk=gst&q=SSO#fba4d08a90487156
It seems that you will have to implement a custom LoginModule, more information here: http://dev.day.com/docs/en/crx/current/deploying/custom-login-modules.html