MFA Usage REST API in OneLogin - onelogin

In OneLogin, is there any example of retrieving all users (maybe filtered by a query and paginated) to determine their MFA enrollment/usage status from a REST or any other programmatic API?
I have been checking here: https://developers.onelogin.com/api-docs/1/getting-started/dev-overview
But I am new to OneLogin and would like to know how this is typically achieved.

You can use this API to get User's enrolled MFA Factors:
https://api-domain/api/1/users/user-id/otp_devices
Please note that this API only returns factors that are enrolled and can be verified via API. Currently OneLogin supports only OneLogin SMS, OneLogin Voice and OTP Authenticators via API.
Let me know if that helps.
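An added example, not part of the original answer and not OneLogin's own code: a paginated sweep that lists users and calls the `otp_devices` endpoint above for each one, producing an MFA enrollment inventory. The `/api/1/users` listing path, the `after_cursor` pagination field, the `data.otp_devices`, `active` and `auth_factor_name` response fields, and the bearer header format are assumptions about the v1 API; the sample responses are constructed.

```python
import json
import urllib.request

# Constructed sample responses keyed by request path (not real OneLogin data).
# Field names (pagination.after_cursor, data.otp_devices, active) are assumptions.
SAMPLE = {
    "/api/1/users": {"pagination": {"after_cursor": "c2"}, "data": [
        {"id": 101, "email": "a@example.com"}, {"id": 102, "email": "b@example.com"}]},
    "/api/1/users?after_cursor=c2": {"pagination": {"after_cursor": None}, "data": [
        {"id": 103, "email": "c@example.com"}]},
    "/api/1/users/101/otp_devices": {"data": {"otp_devices": [
        {"active": True, "auth_factor_name": "OneLogin Protect"}]}},
    "/api/1/users/102/otp_devices": {"data": {"otp_devices": []}},
    "/api/1/users/103/otp_devices": {"data": {"otp_devices": [
        {"active": False, "auth_factor_name": "OneLogin SMS"}]}},
}
sample_get = SAMPLE.__getitem__  # offline transport over the constructed responses

def make_http_get(api_domain, token):
    """Live transport (assumed bearer-token header); not exercised here."""
    def get(path):
        req = urllib.request.Request(f"https://{api_domain}{path}",
                                     headers={"Authorization": f"bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get

def iter_users(get):
    """Walk every page of the user list by following after_cursor."""
    path = "/api/1/users"
    while path:
        page = get(path)
        yield from page["data"]
        cursor = (page.get("pagination") or {}).get("after_cursor")
        path = f"/api/1/users?after_cursor={cursor}" if cursor else None

def mfa_report(get):
    """Map each user's email to the sorted names of their active factors."""
    report = {}
    for user in iter_users(get):
        body = get(f"/api/1/users/{user['id']}/otp_devices")
        devices = (body.get("data") or {}).get("otp_devices") or []
        report[user["email"]] = sorted(d["auth_factor_name"] for d in devices if d.get("active"))
    return report

def without_api_factor(report):
    """Users with no active API-verifiable factor; other factor types are not visible."""
    return sorted(email for email, factors in report.items() if not factors)
```

Because the endpoint only returns factors that can be verified via API, an empty result means "no API-verifiable factor", not necessarily "no MFA"; treat the list as candidates for follow-up.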

Related

Is it possible to handle sign-in from the server side if the user is enrolled in multi-factor authentication?

I am dealing with Firebase authentication from the server-side using REST APIs.
But there are some users who have enrolled in Multi-Factor authentication using a Phone provider. Is it still possible to handle the authentication method from the server-side?
The Admin SDKs for Firebase don't have any methods to sign the user in, as that should typically be done client-side.
Firebase Authentication does have a REST API that you can call from anywhere, and that supports sign in with anonymous, email/password and OAuth providers. But as far as I can tell that doesn't support signing in with Phone Number.
Looking at Google Cloud Identity Platform, that offers features like MFA and multi-tenant provisioning with a different pricing model, that does seem to have a documented REST API for signing in with phone number, so you might want to check whether MFA also works from the REST API there. If it does, it might also be worth checking if you can call that from a regular Firebase Authentication project, or whether it requires you to upgrade to GCIP.

DocuSign - REST API and how to handle clients with SSO enabled

My company (C1) has a DocuSign implementation feature set up with the REST API and we use OAuth to authenticate users with email and password to create and send envelopes. This functionality works perfectly.
One of our clients said they have SSO enabled in their org and would like to SSO directly to DocuSign from my company page instead of providing a password option. In our current implementation, users are prompted for email address first and then the password.
If clients have SSO enabled, I assume they go directly to DocuSign, but to get that functionality, is there anything I need to do regarding changing the existing workflow or implementation for the REST API?
Do we need to obtain consent for our Client (who has SSO enabled)?
Thanks in advance
You don't need to do anything differently. These clients would be able to authenticate to your integration/app using SSO. If they are already authenticated, a cookie remembers it and they would automatically be redirected back to your app. The first time, they would have to give consent to your app to enable it to do things for them, but after that - smooth sailing, without any need to log in or anything.
Feel free to let me know if you run into any issues. Otherwise, you're good.
As Inbar says, if your application uses either the OAuth Authorization Code or OAuth Implicit grant flow, then your application will automatically support SSO once the user's DocuSign account has been set for SSO.
If your application uses the OAuth JWT grant, then SSO has no bearing on your application since your application is itself authenticating with DocuSign and impersonating a user.
And the above is why Authorization Code grant or Implicit grant is preferred over JWT grant whenever there's an option to not use JWT grant.
If you're using Legacy Header authentication, your application won't be able to authenticate as users who have SSO Login enforced. Until you're able to implement one of the OAuth workflows, users who need to use your API integration will need to have their Login Policy set to allow them to login with a password. More info on Login Policy is available here: https://support.docusign.com/en/articles/How-to-exclude-specific-users-from-SSO-requirements

DocuSign SSO Authentication using SAML / AD

Within our application we provide a DocuSign integration which uses DocuSign.eSign.dll from DocuSign C# Client.
We currently use the Legacy Header Authentication to authenticate.
One of our customers would like to enable single sign-on using Azure Active Directory. They have already set up their account as described in "Tutorial: Azure Active Directory integration with DocuSign" (for the DocuSign App).
How do we change our integration to allow Single Sign On using SAML? What API methods do we use? Does the DocuSign C# Client support this?
Legacy Header does not support SSO Authentication. For legacy header to work, users must have a password.
You will either need to grant a Login Policy Exception (to allow them to bypass SSO) to each user that needs to authenticate via the API, or you will need to implement OAuth token authentication.
An example of OAuth token authentication in C# is available on GitHub: https://github.com/docusign/eg-03-csharp-auth-code-grant-core
Once SSO is implemented by your client and they have enabled mandatory SSO in their DocuSign configuration, you should use OAuth, either Authorization Code Grant (User Application) or JSON Web Token Grant (System Integration), to generate an AccessToken for your Client API user. JSON Web Token Grant is normally used when your integration with DocuSign is a System Integration. Either way, you need to ask the Client API user to provide User Consent to your IntegratorKey, so that your IntegratorKey can generate an AccessToken on the Client API user's behalf. Obtaining Consent explains how to get User Consent for either User Application or System Integration. In providing consent to your IntegratorKey, customers will log in to DocuSign via their SSO setup, in the same way they log in to DocuSign to access the DocuSign WebApp.

I want to use the Gmail API in the JWT way

Can I authenticate using jwt-gmail api?
google developer : 'https://github.com/googleapis/googleapis/tree/master/google'
It says that only the APIs at this address can use this method.
But I cannot find the Gmail API here.
Can the Gmail API only use the access token method using OAuth 2.0?
I do not know what you mean by jwt-gmail api. That being said:
I think you're looking at the wrong library; try google-api-nodejs-client.
Gmail API facts: normal user Gmail accounts can only be accessed using OAuth2. If it's a G Suite account, then you can use domain-wide delegation and use a service account.

OneLogin SAML Assertion with MFA. Security Questions and OneLogin Protect

I am attempting to generate a SAML assertion using the OneLogin API. For some assertions, multi-factor authentication is required. User accounts can have either or both of OneLogin security questions or the OneLogin Protect app as secondary factors.
My question is, what is the process to initiate either of those factors?
The SAML Assertion API call verify factor works when the OTP from OneLogin Protect is provided; however, we would like to initiate a push to the OneLogin Protect app. Additionally, there does not seem to be any documentation for using the OneLogin security questions. How are the question(s) returned via the OneLogin API, and how are responses verified?
We have attempted the Activate Factor API call, however it returns an "Insufficient Permission" error, even though the API credential used has the Read Users scope, which the API documentation indicates is sufficient.
