Skip to content

Commit

Permalink
Merge pull request #4259 from AnuradhaSK/role-based-template
Browse files Browse the repository at this point in the history
Update role based adaptive script template
  • Loading branch information
ashensw authored Dec 19, 2023
2 parents b43fb25 + 8b6f914 commit 430d8ba
Show file tree
Hide file tree
Showing 5 changed files with 20 additions and 16 deletions.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -5,27 +5,31 @@

# Add MFA based on user roles

You can enable a more secure login flow for users that belong to specific roles by applying the **Role-Based** conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP or FIDO for users who belong to the user role you specify.
You can enable a more secure login flow for users that belong to specific roles associated to the application by applying the **Role-Based** conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP or Passkey for users who belong to the user role you specify.

## Scenario

Consider a scenario with two user roles, `admin` and `manager`. For users assigned to these roles, the login flow in applications should be stepped up with TOTP or FIDO as follows:
Consider a scenario with two roles, `admin` and `manager` associated to an application. For users assigned to these roles, the login flow in the application should be stepped up with TOTP or Passkey as follows:

1. Username and password
2. TOTP or FIDO
2. TOTP or Passkey

![Role based adaptive authentication]({{base_path}}/assets/img/guides/conditional-auth/role-based-adaptive-auth.png)

## Prerequisites

- You need to [register an application with {{ product_name }}]({{base_path}}/guides/applications/). You can register your own application or use one of the [sample applications]({{base_path}}/get-started/try-samples/) provided.

- Create two user roles named `admin` and `manager` and assign user accounts to them. For instructions, see the following:

- Create two roles named `admin` and `manager` in application audience selecting the created application or create roles in organization audience and associate to the created application.
<!-- ADD CONTENT -->

- [Managing roles]({{base_path}}/guides/users/manage-roles/)
- [Managing users]({{base_path}}/guides/users/manage-groups/)

- Assign user accounts to the created roles. For instructions, see the following:
<!-- ADD CONTENT -->

- [Managing users]({{base_path}}/guides/users/manage-users/#onboard-a-user)
- [Assigning users to roles]({{base_path}}/guides/users/manage-roles/#assign-users-to-a-role)

## Configure the login flow

Expand All @@ -45,12 +49,12 @@ To enable conditional authentication:

2. Turn on **Conditional Authentication** by switching the toggle on.

3. Select the **User** > **Role-Based** template.
3. Select the **Adaptive MFA** > **Role-Based** template.

=== "Visual Editor"
To add role-based adaptive MFA using the visual editor:

1. Switch to the **Visual Editor** tab, and expand **Predefined Flows** > **Conditional Login Flows** > **Users**.
1. Switch to the **Visual Editor** tab, and expand **Predefined Flows** > **Conditional Login Flows**.

2. Click **+ ADD** next to **Role-Based** to add the role-based adaptive MFA script.

Expand All @@ -63,7 +67,7 @@ To enable conditional authentication:
4. Verify that the login flow is now updated with the following two authentication steps:

- Step 1: Username and Password
- Step 2: TOTP and FIDO
- Step 2: TOTP and Passkey

5. Update the following parameter in the script.

Expand Down Expand Up @@ -96,11 +100,11 @@ var rolesToStepUp = ['admin', 'manager'];

var onLoginRequest = function(context) {
executeStep(1, {
onSuccess: function (context) {
onSuccess: function(context) {
// Extracting authenticated subject from the first step
var user = context.currentKnownSubject;
// Checking if the user is assigned to one of the given roles
var hasRole = hasAnyOfTheRoles(user, rolesToStepUp);
var hasRole = hasAnyOfTheRolesV2(context, rolesToStepUp);
if (hasRole) {
Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());
executeStep(2);
Expand All @@ -113,9 +117,9 @@ var onLoginRequest = function(context) {
Let's look at how this script works.

1. When step 1 of the authentication flow is complete, the `onLoginRequest` function retrieves the user from the context.
2. The user and the configured list of roles are passed to the following function: `hasAnyOfTheRoles`.
3. This function (which is available in {{ product_name }} by default) verifies whether the given user belongs to any of the listed roles.
4. If the user belongs to any of the configured roles, authentication step 2 (TOTP or FIDO) is prompted.
2. The user and the configured list of roles are passed to the following function: `hasAnyOfTheRolesV2`.
3. This function (which is available in {{ product_name }} by default) verifies whether the given user belongs to any of the listed roles associated to the login application.
4. If the user belongs to any of the configured roles, authentication step 2 (TOTP or Passkey) is prompted.

!!! note
Find out more about the scripting language in the [Conditional Authentication API Reference]({{base_path}}/references/conditional-auth/api-reference/).
Expand All @@ -125,12 +129,12 @@ Let's look at how this script works.
Follow the steps given below.

1. Access the application URL.
2. Try to log in with a user who does not belong to any of the configured roles (manager or admin). You will successfully sign in to the application.
2. Try to log in with a user who does not belong to any of the configured roles (`manager` or `admin`). You will successfully sign in to the application.
3. Log out of the application.
4. Log in with a user who belongs to the `admin` or `manager` role.

The user will be prompted to select the step-up method, and the sign-in flow will be stepped up according to the user's preference.

![role-based-2fa-conditional-auth-stepup-page]({{base_path}}/assets/img/guides/conditional-auth/totp-fido-step-up.png){: width="300" style="border: 0.3px solid lightgrey;"}
![role-based-2fa-conditional-auth-stepup-page]({{base_path}}/assets/img/guides/conditional-auth/totp-passkey-step-up.png){: width="300" style="border: 0.3px solid lightgrey;"}


0 comments on commit 430d8ba

Please sign in to comment.