OneLogin SAML Assertion with MFA. Security Questions and OneLogin Protect - onelogin

I am attempting to generate a SAML assertion using the OneLogin API. For some assertions, multi-factor authentication is required. User accounts can have either or both of OneLogin security questions or the OneLogin Protect app as secondary factors.
My question is, what is the process to initiate either of those factors?
The SAML Assertion API "verify factor" call works when the OTP from OneLogin Protect is provided; however, we would like to initiate a push to the OneLogin Protect app. Additionally, there does not seem to be any documentation for using the OneLogin security questions. How are the question(s) returned via the OneLogin API, and how are responses verified?
We have attempted the Activate Factor API call, however it returns an "Insufficient Permission" error, even though the API credential used has the Read Users scope, which the API documentation indicates is sufficient.

Related

How to authenticate Azure Directory using API even when MFA is on

I want to authenticate a valid Azure Directory user from my application. So the output that I want is whether the user is valid or not.
I use this API https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token with the following URL-encoded body (client_id, scope, client_secret, username, password, grant_type) for the authentication, but this API works only when the user has disabled their MFA; I want to authenticate even when the user has MFA enabled.
You have hit one of the limitations of the ROPC flow.
It is not possible to authenticate a user with MFA enabled with that flow.
The solution will be to change your application to use an interactive flow like Authorization Code flow.
This will require that your app forwards the user to Azure AD to sign in, and then your application gets access tokens in exchange.
Pros:
You don't need to handle passwords
All the security features of Azure AD can be used, including MFA
Cons:
Complexity will increase (libraries help here)
Docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
If you have a Javascript front-end app, you can use MSAL.js to handle the authentication.
Other OpenID Connect compatible libraries can also be used.
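The Authorization Code flow the answer recommends, as an added example that is not part of the original post and is not MSAL or any Microsoft library: it builds the /authorize request with a random state and a PKCE code challenge, checks the state on the redirect back, and assembles the /token body, so the application never sees the user's password and Azure AD is free to run MFA in the browser. The tenant, client ID, redirect URI and scope values are placeholders; the redirect in main() is simulated, and nothing is sent over the network.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// AuthRequest holds the per-login state of one Authorization Code + PKCE flow.
// Every value is a placeholder; nothing is registered with a real tenant.
type AuthRequest struct {
	TenantID     string // "common", "organizations", or a tenant GUID/domain
	ClientID     string // application (client) ID from the app registration
	ClientSecret string // confidential (server-side) clients only; empty for SPAs
	RedirectURI  string // must match a redirect URI registered on the app
	Scope        string // e.g. "openid profile offline_access"
	State        string // random, bound to the user's session, checked on return
	CodeVerifier string // random PKCE secret, kept server-side until redeemed
}

// b64url is unpadded base64url, the encoding RFC 7636 requires for PKCE values.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// RandomToken returns 32 random bytes as base64url (43 characters); used for
// both the state parameter and the PKCE code_verifier.
func RandomToken() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return b64url(raw), nil
}

// CodeChallengeS256 derives code_challenge = BASE64URL(SHA256(code_verifier)).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64url(sum[:])
}

// AuthorizeURL is where the browser is sent. Azure AD, not the app, collects
// the password there and enforces MFA or any other Conditional Access policy.
func AuthorizeURL(r AuthRequest) string {
	q := url.Values{}
	q.Set("client_id", r.ClientID)
	q.Set("response_type", "code")
	q.Set("redirect_uri", r.RedirectURI)
	q.Set("scope", r.Scope)
	q.Set("state", r.State)
	q.Set("code_challenge", CodeChallengeS256(r.CodeVerifier))
	q.Set("code_challenge_method", "S256")
	return fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/authorize?%s",
		url.PathEscape(r.TenantID), q.Encode())
}

// HandleCallback parses the redirect back to the app. A missing or mismatched
// state means this session did not start the flow (CSRF or a forwarded code),
// so the response is discarded; an error response from Azure AD is surfaced.
func HandleCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if expectedState == "" || q.Get("state") != expectedState {
		return "", errors.New("state mismatch: discarding authorization response")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s: %s", e, q.Get("error_description"))
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carried neither a code nor an error")
	}
	return code, nil
}

// TokenRequestBody is the form body POSTed to /oauth2/v2.0/token to redeem the
// code. The code_verifier proves the redeemer started the flow; note there is
// no username or password field, unlike the ROPC body in the question.
func TokenRequestBody(r AuthRequest, code string) url.Values {
	body := url.Values{
		"client_id":     {r.ClientID},
		"grant_type":    {"authorization_code"},
		"code":          {code},
		"redirect_uri":  {r.RedirectURI},
		"scope":         {r.Scope},
		"code_verifier": {r.CodeVerifier},
	}
	if r.ClientSecret != "" {
		body.Set("client_secret", r.ClientSecret)
	}
	return body
}

func main() {
	state, _ := RandomToken()
	verifier, _ := RandomToken()
	req := AuthRequest{TenantID: "contoso.onmicrosoft.com", ClientID: "<client-id>",
		RedirectURI: "https://app.example/auth/callback", Scope: "openid profile offline_access",
		State: state, CodeVerifier: verifier}
	fmt.Println("redirect the user to:", AuthorizeURL(req))
	// Simulated redirect back from Azure AD; a real one carries an opaque code.
	code, err := HandleCallback(req.RedirectURI+"?code=simulated-code&state="+state, state)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("POST /token with:", TokenRequestBody(req, code).Encode())
}
```

Keep state and code_verifier in the server-side session keyed to the browser that started the flow, and never put the client secret in the front-channel URL; only the back-channel POST to /token carries it.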

Docusign- RestAPI and how to handle clients with SSO enabled

My company (C1) has a DocuSign integration set up with the REST API, and we use OAuth to authenticate users with email and password to create and send envelopes. This functionality works perfectly.
One of our clients said they have SSO enabled in their org and would like to SSO directly into DocuSign from my company's page instead of the password option. In our current implementation, users are prompted for the email address first and then the password.
If clients have SSO enabled, I assume they go directly to DocuSign, but to get that functionality, is there anything I need to do regarding changing the existing workflow or implementation for the REST API?
Do we need to obtain consent for our Client (who has SSO enabled)?
Thanks in advance
You don't need to do anything differently. These clients would be able to authenticate to your integration/app using SSO. If they are already authenticated, a cookie remembers it and they would automatically be redirected back to your app. The first time, they would have to give consent to your app to enable it to do things for them, but after that - smooth sailing, without any need to log in or anything.
Feel free to let me know if you run into any issues. Otherwise, you're good.
As Inbar says, if your application uses either the OAuth Authorization Code or OAuth Implicit grant flow, then your application will automatically support SSO once the user's DocuSign account has been set for SSO.
If your application uses the OAuth JWT grant, then SSO has no bearing on your application since your application is itself authenticating with DocuSign and impersonating a user.
And the above is why Authorization Code grant or Implicit grant is preferred over JWT grant whenever there's an option to not use JWT grant.
If you're using Legacy Header authentication, your application won't be able to authenticate as users who have SSO Login enforced. Until you're able to implement one of the OAuth workflows, users who need to use your API integration will need to have their Login Policy set to allow them to login with a password. More info on Login Policy is available here: https://support.docusign.com/en/articles/How-to-exclude-specific-users-from-SSO-requirements

ADB2C identity experience framework : access token use just after an authentification

We are using lots of AD B2C built-in policies and now want to switch to custom policies using the Identity Experience Framework.
One of our use cases is to make some calls (from the policy) to endpoints (that are protected by an access token) just after an authentication (sign-up or sign-in). For example, just after the sign-up we would like to call an API for privacy policy management. In order to have it working, we need to have the access token.
Is there a way, with custom policies, to call an HTTP endpoint with the access token just issued right after the authentication?
When an access token or id token is generated by Identity Experience Framework (IEF), it signifies that all requirements of the user journey were met. That is, if the user journey required some privacy policy management and user needed to consent to it, only then would the access token or id token be generated.
The scenario that you are mentioning could be achieved by IEF calling the privacy policy management API using service-to-service trust and passing user's identity by other means, such as objectId in header or in the body.
Because IEF is directly calling the Rest API, it is unclear how IEF generating a token and sending that to the Rest API is more beneficial than IEF making a request over SSL and providing user's data.

DocuSign SSO Authentication using SAML / AD

Within our application we provide a DocuSign integration which uses DocuSign.eSign.dll from DocuSign C# Client.
We currently use the Legacy Header Authentication to authenticate.
One of our customers would like to enable single sign-on using Azure Active Directory. They have already set up their account as described in Tutorial: Azure Active Directory integration with DocuSign (for the DocuSign App).
How do we change our integration to allow Single Sign On using SAML? What API methods do we use? Does the DocuSign C# Client support this?
Legacy Header does not support SSO Authentication. For legacy header to work, users must have a password.
You will either need to grant a Login Policy Exception (to allow them to bypass SSO) to each user that needs to authenticate via the API, or you will need to implement OAuth token authentication.
An example of OAuth token authentication in C# is available on GitHub: https://github.com/docusign/eg-03-csharp-auth-code-grant-core
Once SSO is implemented by your client and they have enabled mandatory SSO in their DocuSign configuration, you should use OAuth, either the Authorization Code Grant (user application) or the JSON Web Token Grant (system integration), to generate an access token for your client's API user. The JSON Web Token Grant is normally used when your integration with DocuSign is a system integration. Either way, you need to ask the client's API user to provide user consent to your Integrator Key, so that your Integrator Key can generate access tokens on that user's behalf. Obtaining Consent explains how to get user consent for either a user application or a system integration. When providing consent to your integration, customers will log in to DocuSign via their SSO setup, the same way they log in to access the DocuSign web app.
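The JWT grant that both DocuSign threads above describe (system integration, impersonating a user who has already granted consent), as an added example that is not from the original posts and not DocuSign's own SDK: it builds the RS256-signed assertion with the claims DocuSign's JWT grant uses (iss = integration key, sub = user ID, aud = the OAuth host with no scheme, iat/exp, scope "signature impersonation"), builds the one-time consent URL, and assembles the /oauth/token body. The key pair is generated on the fly as a stand-in for the RSA key uploaded to the integration key; the integration key and user ID are placeholders; VerifyAssertion replays the server-side signature check locally so the example can prove its own output. The demo host account-d.docusign.com is used; production is account.docusign.com.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// DocuSign developer (demo) OAuth host; production uses account.docusign.com.
const oauthHost = "account-d.docusign.com"

// JWTClaims are the claims DocuSign's JWT grant expects in the assertion.
type JWTClaims struct {
	Iss   string `json:"iss"`   // integration key (client_id)
	Sub   string `json:"sub"`   // user ID (GUID) of the user being impersonated
	Aud   string `json:"aud"`   // OAuth host, no scheme
	Iat   int64  `json:"iat"`   // issued-at, epoch seconds
	Exp   int64  `json:"exp"`   // expiry, epoch seconds
	Scope string `json:"scope"` // "signature impersonation"
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion creates and RS256-signs the JWT the integration sends to /oauth/token.
func BuildAssertion(key *rsa.PrivateKey, integrationKey, userID string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	claims, err := json.Marshal(JWTClaims{
		Iss: integrationKey, Sub: userID, Aud: oauthHost,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), Scope: "signature impersonation",
	})
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAssertion checks the signature against the public key registered on the
// integration key and returns the claims: the check DocuSign performs server-side,
// used here as a local self-test. A forged sub (impersonating another user) or a
// token signed with a different key must fail.
func VerifyAssertion(pub *rsa.PublicKey, token string) (*JWTClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c JWTClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Aud != oauthHost {
		return nil, errors.New("unexpected audience")
	}
	return &c, nil
}

// ConsentURL is the one-time link the impersonated user opens. With SSO enforced,
// DocuSign sends the user through their IdP before recording the consent.
func ConsentURL(integrationKey, redirectURI string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("scope", "signature impersonation")
	q.Set("client_id", integrationKey)
	q.Set("redirect_uri", redirectURI)
	return "https://" + oauthHost + "/oauth/auth?" + q.Encode()
}

// TokenRequestBody is the form body POSTed to https://<oauthHost>/oauth/token.
func TokenRequestBody(assertion string) url.Values {
	return url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {assertion},
	}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the uploaded RSA key
	fmt.Println("consent (once per user):", ConsentURL("<integration-key>", "https://app.example/cb"))
	tok, err := BuildAssertion(key, "<integration-key>", "<user-id>", time.Now())
	if err != nil {
		panic(err)
	}
	c, _ := VerifyAssertion(&key.PublicKey, tok)
	fmt.Printf("assertion for sub=%s expires in %ds\n", c.Sub, c.Exp-c.Iat)
	fmt.Println("POST /oauth/token with:", TokenRequestBody(tok).Encode()[:60], "...")
}
```

Because the private key alone lets the integration mint an assertion for any consented user ID, treat it like a password vault entry: keep it in a secrets manager, never in the repository, and scope sub to the service account the customer intends rather than an administrator.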

OneLogin - How can I retrieve user password needed for 3rd party API calls?

We're using OneLogin w/Active Directory to achieve Single Sign On with a SAML enabled 3rd party application. We would additionally like to perform API calls related to the 3rd party app. The API calls require a 'basic authentication' header which depend on the 3rd party app's username and password being available. Is it possible to retrieve the username/password information through OneLogin for a SAML integrated application?
From what I understand, apps integrated via SAML or OAuth do not store their passwords with OneLogin, which means I cannot look them up in our integrated Active Directory (they would be encrypted anyway). However... if during user provisioning I were to force all 3rd party accounts to have the same username/password as the OneLogin account... might that work?
Any assistance or suggestions would be appreciated. I have some flexibility to work with here as we have not yet created any OneLogin or 3rd party accounts.
Passwords are not provided by the SAML protocol.
You will find this thread interesting:
SAML assertion with username/password - what do the messages really look like?
Alternatives:
Use SAML on the API calls (OAuth2 SAML2 token).
When provisioning the user account on the 3rd party app, force the user to set a local password to be used on the API calls.
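What the service provider actually receives from a SAML login, and the answer's first alternative (trading the assertion for an API token), as an added example that is not part of the original answer and is not OneLogin code: it parses a constructed, abbreviated SAML Response (not a real OneLogin assertion, and unsigned, so a real integration must have a SAML library validate the XML signature before any of this is trusted) to show that the only identity material present is a NameID and attributes, and then builds the RFC 7522 saml2-bearer token request for an API that supports that grant. The third-party token endpoint and scope are placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/url"
)

// samlResponse is the minimal view of a SAML 2.0 Response an SP cares about.
// Go's encoding/xml matches these tags in any namespace, so the saml: prefixes
// in the document do not need to be spelled out here.
type samlResponse struct {
	Assertion struct {
		Issuer  string `xml:"Issuer"`
		Subject struct {
			NameID string `xml:"NameID"`
		} `xml:"Subject"`
		AttributeStatement struct {
			Attributes []struct {
				Name   string   `xml:"Name,attr"`
				Values []string `xml:"AttributeValue"`
			} `xml:"Attribute"`
		} `xml:"AttributeStatement"`
	} `xml:"Assertion"`
}

// SampleResponse is a constructed, unsigned, abbreviated SAML Response used as
// offline input; it is not captured from OneLogin.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>Finance</saml:AttributeValue>
        <saml:AttributeValue>Staff</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`

// AssertedIdentity extracts the subject identifier and attributes. The SAML 2.0
// assertion schema has no element for a password, so nothing here can recover one.
// Assumes the caller has already verified the assertion's XML signature.
func AssertedIdentity(doc string) (issuer, nameID string, attrs map[string][]string, err error) {
	var r samlResponse
	if err = xml.Unmarshal([]byte(doc), &r); err != nil {
		return "", "", nil, err
	}
	attrs = make(map[string][]string)
	for _, a := range r.Assertion.AttributeStatement.Attributes {
		attrs[a.Name] = append(attrs[a.Name], a.Values...)
	}
	return r.Assertion.Issuer, r.Assertion.Subject.NameID, attrs, nil
}

// SAMLBearerTokenRequest builds the RFC 7522 form body that exchanges a SAML
// assertion for an OAuth 2.0 access token at a third-party API that supports
// the grant. The assertion is base64url without padding, as the RFC requires.
func SAMLBearerTokenRequest(assertionXML, scope string) url.Values {
	return url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:saml2-bearer"},
		"assertion":  {base64.RawURLEncoding.EncodeToString([]byte(assertionXML))},
		"scope":      {scope},
	}
}

func main() {
	issuer, who, attrs, err := AssertedIdentity(SampleResponse)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer=%s subject=%s attributes=%v\n", issuer, who, attrs)
	body := SAMLBearerTokenRequest(SampleResponse, "api.read")
	fmt.Println("POST https://<third-party-api>/oauth/token with grant_type =", body.Get("grant_type"))
}
```

If the third-party API only accepts HTTP Basic credentials and has no SAML or OAuth grant, the answer's second alternative applies: provision a separate API credential for the integration at the third party and keep it out of the IdP entirely; reusing the OneLogin password there would turn an SSO compromise into a direct API compromise.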
