Flexible Authentication Improvements

Last modified 15 Mar 2024 10:45 +01:00
Planned feature
This feature is planned feature. This feature is roughly designed and it was evaluated as feasible. However, there is currently no specific plan when it will be implemented, because there is no funding for this development yet. In case that you are interested in supporting development of this feature, please consider purchasing midPoint Platform subscription.

Motivation

In midPoint 4.1 new Flexible Authentication mechanism was introduced. Since then, a lot of improvements were made resulting to the support of multi-factor and multi-step authentication. However, there are still some missing pieces.

Requirements

What we need:

  • Authentication that can take advantage of account linking. MidPoint knows that Active Directory account "foo" actually belongs to user X12345. Therefore, the user can log in with his Active Directory account foo, but midPoint will display self-service for user X12345.

  • Make sure that the old password provided in self-service password reset is checked on the particular resource where authentication is delegated.

  • (Optional) There is an authentication function in ConnId connectors. This function might be used. This will avoid duplication of connectors and authentication modules. E.g. Active Directory connector may take care of both identity management and authentication. The same configuration can be reused.

Multi-Factor Authentication Credential Management

Note that that is not strictly a matter of authentication mechanisms, as we will not be using those credentials to authenticate users. This is all a question of credential management. However, for the lack of better place we are listing the requirements here.

  • Native support for SSH keys

  • Native support for X.509 certificates/keypairs

  • Native support for other authentication types (HOTP, TOTP, FIDO, yubikeys,…​)

Was this page helpful?
YES NO
Thanks for your feedback