docs/admin/recipes/social-login.md (+5 -5)
@@ -4,17 +4,17 @@ tags:
4
4
- recipes
5
5
---
6
6
7
-
## Implementing Social logins
7
+
## Implementing Social logins
8
8
You can use a `PersonAuthenticationType` script to allow users to sign using credentials from popular **Social Identity providers** or **Inbound Identity Providers** like Facebook, Google and Apple. After users authenticate, we provision their Social Identity Provider credentials into the Jans-auth server. No additional username, password, credentials are needed for this user.
Following is a high-level diagram depicting a typical flow - user authentication on a Social Identity Platform and subsequent user provisioning on Jans-Auth server.
13
+
Following is a high-level diagram depicting a typical flow - user authentication on a Social Identity Platform and subsequent user provisioning on Jans-Auth server.
14
14
15
15
You can copy paste this sequence in [https://sequencediagram.org/](https://sequencediagram.org/)
16
16
```
17
-
title Social login
17
+
title Social login
18
18
Jans AS<-User agent: 1. Invoke /authorize endpoint
19
19
Jans AS->User agent: 2. Discovery: Present list of remote IDPs (Google, Apple, FB...)
20
20
User agent->Jans AS: 3. Select IDP (e.g. click on button)
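Review bot: every `-` line in this hunk reappears as a textually identical `+` line (`## Implementing Social logins`, the "Following is a high-level diagram" sentence, `title Social login`), so the change is whitespace or line-ending only; state that in the commit message, because a diff with no visible text change is hard to review and easy to mistake for a content edit. While these lines are being touched, the adjacent context sentence "allow users to sign using credentials" is missing "in" ("sign in using credentials").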
docs/script-catalog/person_authentication/apple-external-authenticator/README.md (+9 -14)
@@ -4,27 +4,27 @@ tags:
4
4
- recipes
5
5
---
6
6
7
-
## Social Login with Apple
7
+
## Social Login with Apple
8
8
9
9
An out-of-the-box feature, the Sign-in with Apple Authentication script is a `PersonAuthenticationType` script which enables a user to sign-in using Apple credentials. After users authenticate using their Apple credentials, their Apple credentials are provisioned into the Jans-auth server.
10
10
11
-
## Prerequisites
11
+
## Prerequisites
12
12
13
-
- A Jans-auth Server (installation instructions [here](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup#readme))
14
-
- The [Sign-in with Apple authentication script](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup/jans_setup/static/extension/person_authentication/AppleExternalAuthenticator.py) (included in the default Jans-auth Server distribution);
13
+
- A Jans-auth Server installation
14
+
- The [Sign-in with Apple authentication script](./AppleExternalAuthenticator.py) (included in the default Jans-auth Server distribution);
15
15
- An [Apple developer account](https://developer.apple.com/).
16
16
17
17
## Configurations at Apple Identity Provider:
18
-
You will need to configure a service id, linked to your App identifier. For each website that uses Sign In with Apple, register a services identifier (Services ID) and configure your domain and return URL.
18
+
You will need to configure a service id, linked to your App identifier. For each website that uses Sign In with Apple, register a services identifier (Services ID) and configure your domain and return URL.
19
19
1. Under `Certificates, Identifiers and Profiles` --> `Identifiers` --> Click on the `+` button
20
20
2. In the `Register a new identifier` select `Service ID`
21
21
3. After filling out the description and identifier name, save the Service ID
22
22
4. Now edit the saved Service ID and enable the `Sign in with Apple` checkbox and click `Configure` button
23
-
5. Configure the Janssen's server's callback url `https://<your.janssen.server>/postlogin.htm` as a `Website URL`
23
+
5. Configure the Janssen's server's callback url `https://<your.janssen.server>/postlogin.htm` as a `Website URL`
24
24
25
25
## Configure jans-auth server
26
26
27
-
Configure the custom script:
27
+
Configure the custom script:
28
28
### Properties
29
29
30
30
The custom script has the following properties:
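Review bot: the prerequisites change drops the installation-instructions link (`- A Jans-auth Server (installation instructions [here](...jans-linux-setup#readme))` becomes `- A Jans-auth Server installation`) without replacing it; a reader landing on this page now has no pointer to how to get a server, so keep a link to the current install docs. The script link is also switched from the jans-linux-setup path to the relative `./AppleExternalAuthenticator.py`, which only resolves if that file is committed alongside this README under docs/script-catalog/person_authentication/apple-external-authenticator/; confirm it exists there. The remaining `-`/`+` pairs in this hunk are identical text, i.e. whitespace-only, and the heading `## Configurations at Apple Identity Provider:` still carries a trailing colon the other headings do not.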
@@ -34,7 +34,7 @@ The custom script has the following properties:
34
34
|`apple_client_id`|Name of Service ID on developer.apple.com. |`com.company.name`|
35
35
|`apple_jwks`| Apple’s public JWK to validate Apple Identity Token |`https://appleid.apple.com/auth/keys`|
36
36
37
-
To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script)
37
+
To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script)
38
38
39
39
### Enable Sign-in with Apple Authentication script
40
40
By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism.
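Review bot: the only change here is whitespace on the "To update this setting in Jans persistence" line. Since the table rows above it are in context, note that the `apple_jwks` description says "Apple's public JWK" while the value `https://appleid.apple.com/auth/keys` is a JWK Set (JWKS) containing several keys; the script must select the key by `kid` from the ID token header, so "public JWKS" would be more accurate.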
@@ -67,7 +67,7 @@ Steps:
67
67
68
68
:memo:**NOTE**
69
69
70
-
To make sure `apple` has been enabled successfully as a default authentication method, you can check your Janssen Server's OpenID Connect configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"apple"`.
70
+
To make sure `apple` has been enabled successfully as a default authentication method, you can check your Janssen Server's OpenID Connect configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"apple"`.
71
71
72
72
## Test the feature - Sign-in with Apple
73
73
To test , enter the complete URL for authorization in a browser or create a simple webpage with a link that simulates the user sign-in attempt. If the server is configured properly, the first page for the selected authentication method will be displayed to the user.
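Review bot: whitespace-only change, but the sentence it touches conflates two states: seeing `"apple"` in `acr_values_supported` in `/.well-known/openid-configuration` only shows the script is enabled and available via `acr_values`, not that it is the default authentication method (which is set separately). Suggest "To make sure `apple` has been enabled successfully, ...", matching the wording used in the fido2 README in this same commit. Also "To test , enter" has a stray space before the comma.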
@@ -76,8 +76,3 @@ An example of a complete URL looks like this -
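Review bot: this hunk header (`-76,8 +76,3`) removes five lines immediately after the context "An example of a complete URL looks like this -", and the body is not shown here; check that the example authorization URL that sentence introduces still follows it, otherwise the sentence now points at nothing and the "Test the feature" section loses its only concrete example.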
docs/script-catalog/person_authentication/fido2-external-authenticator/README.md (+17 -17)
@@ -6,13 +6,13 @@
6
6
FIDO2 is comprised of the [W3C’s Web Authentication specification (WebAuthn)](https://www.w3.org/TR/webauthn/) and FIDO’s corresponding [Client-to-Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.
7
7
8
8
This document explains how to use the Janssen Auth Server's built-in
to implement a two-step, two-factor authentication (2FA) with username / password as the first step, and any FIDO2 device as the second step.
11
11
12
12
## Prerequisites
13
13
- A Janssen Server ([installation instructions](https://github.com/JanssenProject/jans#installation))
14
14
-[FIDO2 interception script](https://github.com/JanssenProject/jans/blob/main/docs/script-catalog/person_authentication/fido2-external-authenticator/Fido2ExternalAuthenticator.py) (included in the default Janssen Server distribution);
15
-
- At least one FIDO2 device for testing, like one of the devices [listed below](#fido2-devices).
15
+
- At least one FIDO2 device for testing, like one of the devices [listed below](#fido2-devices).
16
16
17
17
### FIDO2 devices
18
18
Some well known FIDO2 devices and manufacturers include:
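Review bot: the `-`/`+` pair on "At least one FIDO2 device for testing" is identical text, so this is whitespace-only, but two context lines in the same hunk need attention: "This document explains how to use the Janssen Auth Server's built-in" breaks off before "to implement a two-step, two-factor authentication", so the noun (the script name or link) appears to be missing; and the prerequisite line renders as `-[FIDO2 interception script](...)` with no space after the dash, which Markdown will not treat as a list item. Both are worth fixing in this touch.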
@@ -24,7 +24,7 @@ Some well known FIDO2 devices and manufacturers include:
[Purchase FIDO2 devices on Amazon](https://www.amazon.com/s/ref=nb_sb_noss/146-0120855-4781335?url=search-alias%3Daps&field-keywords=fido2). Or, check [FIDO's certified products](https://fidoalliance.org/certification/fido-certified-products/) for a comprehensive list of FIDO2 devices (sort by `Specification` == `FIDO2`).
27
+
[Purchase FIDO2 devices on Amazon](https://www.amazon.com/s/ref=nb_sb_noss/146-0120855-4781335?url=search-alias%3Daps&field-keywords=fido2). Or, check [FIDO's certified products](https://fidoalliance.org/certification/fido-certified-products/) for a comprehensive list of FIDO2 devices (sort by `Specification` == `FIDO2`).
28
28
29
29
## Properties
30
30
The script has the following properties
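Review bot: whitespace-only change on the "Purchase FIDO2 devices on Amazon" line. Since the line is being rewritten anyway, replace the URL: `ref=nb_sb_noss/146-0120855-4781335` embeds what looks like a session or referral identifier from whoever pasted it, which does not belong in project docs; a plain search URL (or only the FIDO certified-products link that follows) is enough.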
@@ -37,18 +37,18 @@ The script has the following properties
37
37
38
38
By default, users will get the default authentication mechanism as specified above. However, **using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism**.
39
39
40
-
1. Obtain the json contents of `fido2` custom script by using a jans-cli command like `get-config-scripts-by-type`, `get-config-scripts-by-inum` etc.
40
+
1. Obtain the json contents of `fido2` custom script by using a jans-cli command like `get-config-scripts-by-type`, `get-config-scripts-by-inum` etc.
2.[Update the custom script](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script) and change the `enabled` attribute to `true`
45
45
46
-
Now FIDO2 is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect `acr_values`, applications can now request FIDO2 authentication for users.
46
+
Now FIDO2 is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect `acr_values`, applications can now request FIDO2 authentication for users.
47
47
48
-
!!! Note
49
-
To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect
50
-
configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`.
51
-
Find `"acr_values_supported":` and you should see `"fido2"`.
48
+
!!! Note
49
+
To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect
50
+
configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`.
51
+
Find `"acr_values_supported":` and you should see `"fido2"`.
52
52
53
53
## Enable FIDO2 Script as default authentication script:
54
54
Use this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-default-authentication-method.md) as a reference.
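Review bot: all `-`/`+` pairs here are identical text (the two steps, the "Now FIDO2 is an available authentication mechanism" sentence, and the `!!! Note` admonition), so this is whitespace-only. Two things to verify in exactly these lines: the admonition body under `!!! Note` must stay indented by four spaces or it renders as plain paragraphs outside the note box, and the context step `2.[Update the custom script]` is missing the space after `2.`, so it will not render as a numbered list item.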
@@ -73,24 +73,24 @@ Below is an illustration of the Janssen Server's default FIDO2 login page:
The design is being rendered from the [FIDO2 xhtml page](https://github.com/JanssenProject/jans/blob/main/jans-auth-server/server/src/main/webapp/auth/fido2/login.xhtml). To customize the look and feel of this page, follow the [customization guide](https://jans.io/docs/admin/developer/customization/customize-web-pages/).
76
+
The design is being rendered from the [FIDO2 xhtml page](https://github.com/JanssenProject/jans/blob/main/jans-auth-server/server/src/main/webapp/auth/fido2/login.xhtml). To customize the look and feel of this page, follow the [customization guide](https://jans.io/docs/admin/developer/customization/customize-web-pages/).
77
77
78
-
## Using FIDO2 tokens
78
+
## Using FIDO2 tokens
79
79
80
80
### Credential enrollment
81
-
FIDO2 device enrollment happens during the first authentication attempt.
81
+
FIDO2 device enrollment happens during the first authentication attempt.
82
82
83
83
### Subsequent authentications
84
-
All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key.
84
+
All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key.
85
85
86
86
### FIDO2 credential management
87
-
A user's FIDO2 devices can be removed by a Janssen administrator in LDAP under the user entry as shown in the below screenshot.
87
+
A user's FIDO2 devices can be removed by a Janssen administrator in LDAP under the user entry as shown in the below screenshot.
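Review bot: whitespace-only changes on the headings and sentences of "Using FIDO2 tokens". The "Credential enrollment" line, being touched here, would benefit from one more sentence: because enrollment happens on the first authentication attempt, whichever authenticator is presented at that first login becomes the bound second factor, so until a user has enrolled, the password alone still completes the first step; administrators should know how to check which accounts have no enrolled device. The "FIDO2 credential management" sentence says devices are removed "in LDAP under the user entry", which assumes an LDAP backend; if the deployment uses another persistence backend the location differs, so name the user-entry attribute rather than only the backend.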