Hi Dan,
Thanks - I've created a ticket here:
https://github.com/FusionAuth/fusionauth-issues/issues/822
Regards
Brad.
In case anyone else would like to do the same, I have found a solution which I have detailed here:
https://github.com/FusionAuth/fusionauth-issues/issues/822#issuecomment-680172776
Hi there,
We have a mix of customers - mostly using their own Azure or Okta that we federate with using FusionAuth's Identity Providers and associated reconcile lambdas.
In this case, MFA is taken care of with the external identity provider.
However, we sometimes create user accounts manually within FusionAuth, and in this scenario, we want to force MFA (OTP in particular) to be used.
At the Application level, I can force MFA to be used, thereby making sure that all users enrol the MFA OTP token at login time, but this also means that federated Azure customers then have to have a 3rd layer of authentication.
There seems to be no configuration setting requiring MFA at the user level, rather than application level - thereby making the user enrol the OTP token regardless of the application they are accessing.
How do we resolve this?
Brad.
Hi,
I'm trying to get this working - specifically to fetch the Azure AD Groups list.
The LAMBDA does not have the required information in order to make the requested API calls into Azure though - we need the "access_token". It is shown in the debug for the external identity provider, but I need it to be passed into the Lambda so that I can use it to make further API calls into Azure (specifically https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http)
Is there a way I can get an access token from within the Lambda?
OpenID Connect IdP Response Debug Log for [Cybanetix Azure AD] [00c92a11-475e-4207-ae33-XXXXXXXXXXXXX]
7/1/2023 07:33:38 AM Z Call the configured Token endpoint [https://login.microsoftonline.com/5f6cb372-3153-4b59-b2ab-XXXXXXXXXXXXX/oauth2/token]
7/1/2023 07:33:38 AM Z Endpoint returned status code [200]
7/1/2023 07:33:38 AM Z Access Token Response:
{
"token_type" : "Bearer",
"expires_in" : "3599",
"ext_expires_in" : "3599",
"expires_on" : "1688200418",
"access_token" : "YYYYYYYYYYYYYYYYYYYYYYYYYYY",
"refresh_token" : "HHHHHHHHHHHHHHHHHHHHHHHHH",
"id_token" : "KKKKKKKKKKKKKKKKKKKKKKKKKKKK"
}
7/1/2023 07:33:38 AM Z Call the configured Userinfo endpoint [https://login.microsoftonline.com/5f6cb372-3153-4b59-b2ab-XXXXXXXXXX/openid/userinfo]
7/1/2023 07:33:38 AM Z Endpoint returned status code [200]
7/1/2023 07:33:38 AM Z Build a new user object from the returned Userinfo response:
{
"amr" : "["pwd"]",
"family_name" : "Kite",
"given_name" : "Bradley",
"ipaddr" : "1.2.3.4",
"name" : "Bradley Kite",
"oid" : "f8e0dca2-7d1f-4a30-9f69-JJJJJJJJJJJJJ",
"onprem_sid" : "S-1-5-21-4038623597-1531512353-3070216767-1103",
"rh" : "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN",
"sub" : "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"tid" : "5f6cb372-3153-4b59-b2ab-XXXXXXXXXXXXXXXX",
"unique_name" : "bradley.kite@cybanetix.com",
"upn" : "bradley.kite@cybanetix.com",
"uti" : "KKKKKKKKKKKKKKKKKKKKKKKKK",
"ver" : "1.0",
"wids" : "["62e90394-69f5-4237-9190-012177145e10","b79fbf4d-3ef9-4689-8143-76b194e85509"]",
"groups" : [ "["66d8de0b-511c-40f6-9bb4-336fa94490a2","7e3bec0e-7061-4b1d-8a7e-69ad326e393e","c1f5f027-3b4b-49a5-8dee-069ef62ae9f9","7cb99d2c-1474-480e-8717-760c540b6eb6","d6058a35-9ae3-4be6-9c84-95e58a2f9a29","d7d34237-a871-4aad-babf-e8e19ab03726","5ba09a3f-4568-41ac-a06b-2b28c7fd411e","4a326844-c011-4935-b44d-4ded98b7cfa3","0cb0665b-23c4-46d6-b397-56a94c99799b","67ecc67c-2b6c-41d2-89a6-e317794c410b","04282083-1a01-4f1e-a7d5-22bc6c2e6027","146973ae-64e3-41a5-9ab0-e8c89aa07a0a","d3d652c4-a54b-4213-982f-487d4f363a32","8545dff2-70e3-4b2f-ab29-dac881c39a9a","5deb9bf5-5abc-41ad-ab29-b7fa24e29176","aa665544-e3eb-4594-80f3-4f7964e6af05","3d18328f-1293-48cd-b218-b6a8d3a703e3","c564dd61-6d1b-43c7-8ec0-33f79707dcfa","15548cd8-65c1-4889-b978-a04d1f630e97","84d0320c-beb3-4012-a565-1696982d12b5","f74fc2bd-7995-4a14-be9e-6302716df420","0bc5a7a3-6d2b-444f-824b-5e73c5fbe471","a1d330da-388e-4b55-9f46-97376aab5422","95c361ce-b2b3-413f-bdb5-ab198cb5e689","3ee4b754-9660-45cf-96a0-eb341cf11ea2","3561d960-9354-4cee-bd34-06b72ffd1ee1","8b523c9e-1786-48e7-b7b6-14afe2b615d9","ff3c0a70-62c6-48f1-aaff-3df958e0bb6c"]" ]
}
7/1/2023 07:33:38 AM Z Linking strategy [LinkByEmail]
7/1/2023 07:33:38 AM Z Resolved email to [null]
7/1/2023 07:33:38 AM Z Resolved username to [null]
7/1/2023 07:33:38 AM Z Resolved unique Id to [jwSpJK9odbqmZkzqO5HzCLvUgKKksvUz1b5qsX7JxXA]
7/1/2023 07:33:38 AM Z Identity provider returned a unique Id [jwSpJK9odbqmZkzqO5HzCLvUgKKksvUz1b5qsX7JxXA].
7/1/2023 07:33:38 AM Z User with Id [cfb8a0fc-b0b0-448b-869b-efd8a0955887] is linked to this external user.
7/1/2023 07:33:38 AM Z Invoke configured lambda with Id [89e4f359-83b8-4ca5-9e7f-272d4bae9262]
7/1/2023 07:33:38 AM Z Updating user:
{
"active" : true,
"breachedPasswordLastCheckedInstant" : 1647404340012,
"breachedPasswordStatus" : "None",
"connectorId" : "e3306678-a53a-4964-9040-AAAAAAAAAAAA",
"data" : { },
"email" : "bradley.kite@cybanetix.com",
"firstName" : "Bradley",
"fullName" : "Bradley Kite",
"id" : "cfb8a0fc-b0b0-448b-869b-GGGGGGGGGG",
"insertInstant" : 1598377522115,
"lastLoginInstant" : 1688196656636,
"lastName" : "Kite",
"lastUpdateInstant" : 1688196656636,
"memberships" : [ {
"data" : { },
"groupId" : "12e1f396-885f-45d0-9eb1-b69b5820ea19",
"id" : "e9b4f8cd-61f1-41e8-a270-06ddcf293d47",
"insertInstant" : 1647365944503
} ],
"passwordChangeRequired" : false,
"passwordLastUpdateInstant" : 1647365944496,
"preferredLanguages" : [ ],
"registrations" : [ ],
"tenantId" : "863a8e18-7ae4-8ad7-4fa0-XXXXXXXXXXXX",
"twoFactor" : {
"methods" : [ ],
"recoveryCodes" : [ ]
},
"uniqueUsername" : "bradley.kite",
"username" : "bradley.kite",
"usernameStatus" : "ACTIVE",
"verified" : true
}
7/1/2023 07:33:38 AM Z User is already registered for application with Id [6784dd47-e284-4425-8394-8c3b1d031468].
7/1/2023 07:33:39 AM Z User has successfully been reconciled and logged into FusionAuth.
7/1/2023 07:33:39 AM Z Authentication type: OPENID_CONNECT
7/1/2023 07:33:39 AM Z Authentication state: Authenticated
Would it be possible (eg, with some kind of LAMBDA) so that when a user logs in, the LAMBDA can check what groups the user is a member of, and automatically create the app registrations for the app they are trying to access?
The LAMBDA can then create any app-specific usernames, if required. But I'm not sure if the LAMBDA has access to group membership info?
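The two questions above (whether the lambda can see the Azure access token, and whether it can see group membership) both come down to what arrives in the claims. The debug log shows the "groups" claim reaching FusionAuth as an array holding one JSON-encoded string, so the groups can be read without a Graph call. The following is an added example, not FusionAuth's code or the poster's: a reconcile lambda using FusionAuth's documented OpenID Connect signature `reconcile(user, registration, jwt)` that normalizes that claim and maps Azure group object IDs to application roles. The group-to-role table is constructed, and no access token is assumed to be available.

```javascript
// Constructed mapping: Azure AD group object IDs -> FusionAuth application roles.
// Replace with your own group IDs; unknown groups grant nothing.
const GROUP_TO_ROLE = {
  "66d8de0b-511c-40f6-9bb4-336fa94490a2": "admin",
  "7e3bec0e-7061-4b1d-8a7e-69ad326e393e": "user"
};

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Accept the claim in any of the shapes seen in practice: a native array of
// IDs, a JSON string, or an array containing a JSON string (as in the log above).
// Malformed or missing input yields an empty list, so role assignment fails
// closed; this also covers Azure's groups-overage case, where the claim is absent.
function normalizeGroups(claim) {
  const out = [];
  function addOne(v) {
    if (Array.isArray(v)) { v.forEach(addOne); return; }
    if (typeof v !== "string") return;
    const s = v.trim();
    if (s.charAt(0) === "[") {
      try { addOne(JSON.parse(s)); } catch (e) { /* ignore malformed JSON */ }
      return;
    }
    if (GUID_RE.test(s)) out.push(s.toLowerCase());
  }
  addOne(claim);
  return out;
}

// Derive a sorted, de-duplicated role list from the normalized group IDs.
function rolesForGroups(groups) {
  const roles = new Set();
  groups.forEach(g => { const r = GROUP_TO_ROLE[g]; if (r) roles.add(r); });
  return Array.from(roles).sort();
}

// FusionAuth OpenID Connect reconcile lambda entry point. Roles are replaced
// rather than appended, so a user removed from an Azure group loses the
// corresponding role at their next login instead of keeping it indefinitely.
function reconcile(user, registration, jwt) {
  const groups = normalizeGroups(jwt && jwt.groups);
  registration.roles = rolesForGroups(groups);
  user.data = user.data || {};
  user.data.idpGroups = groups; // retained for audit; contains no secrets
}
```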
Hi,
I'm not 100% sure how groups are meant to be used in FusionAuth.
I've created a group, assigned it application roles, and put users in the group, but the user still needs to register for the application - is it not possible for app registrations to be inferred from the groups app roles?
I suspect it's more a case of me not understanding something.
Thanks for any help offered.
Brad.
Hi Dan,
Is there a formal / supported way for us to write our own pages & logic and integrate it within the same FusionAuth installation?
For example, is there a directory we can place additional WAR files in? Or Java APIs that we can use to create our own plugins?
Brad.
Hi all,
We have a requirement where a specific application has additional security requirements - specifically that MFA MUST be used before a user can access it.
Is it possible that the first time a user tries to log in, they are automatically taken to the page where they need to enrol / configure the Google (or other time-based) MFA app?
Example:
User logs in, is redirected to the QR code page where they need to configure Google Authenticator (or another app), then they are allowed access to the SAML application.
Thanks in advance
Hi,
Is the code for io.fusionauth.app.action.samlv2.LoginAction available as open source? I'd like to implement the missing POST method - it appears that the GET method is implemented, but not POST.
I've found some SAML-related bits on github (https://github.com/FusionAuth/fusionauth-samlv2) but not this class.
Hi Dan,
We are using FusionAuth as the IDP. It's already acting as an IDP for another application, but this app is not playing ball.
I'm afraid I'm not able to name the application, but it's a web-based cyber security app that has documented support for Okta, Google and ADFS as the IDP, but we are trying to get it to work with FusionAuth. I'm sure it will be possible, but we need to understand what the above error means.
I've checked the CORS settings and they are fine - we've wild-card allowed CORS requests just as a test, and included POST (among others) as allowed requests.
Brad.