Thanks for the clarification, Pulasthi. Just to add a bit more explanation to Pulasthi's answers:

On Wed, Apr 24, 2019 at 12:56 AM Pulasthi Mahawithana <pulast...@wso2.com> wrote:
> Hi Johann,
>
> On Fri, Apr 19, 2019 at 6:26 PM Johann Nallathamby <joh...@wso2.com> wrote:
>> *[+architecture]*
>>
>> Hi Pulasthi,
>>
>> On Fri, Apr 19, 2019 at 1:36 AM Pulasthi Mahawithana <pulast...@wso2.com> wrote:
>>> Hi Johann,
>>>
>>>> I think if there is an existing session we don't even go into the
>>>> authentication phase for the adaptive authentication script to be executed.
>>>
>>> This is not really the case. The adaptive authentication script would
>>> execute for all the authentication requests. However, the 'executeStep()'
>>> function calls won't try to re-authenticate the users if the user's session
>>> is already authenticated with the IdP configured in the step. Any other
>>> logic such as stepping up or any other decision/action will get executed.
>>
>> So if I understood this correctly,
>> 1. The adaptive authentication script will execute regardless of SSO sessions.
>> 2. The 'executeStep()' function will also be called regardless of SSO sessions.
>> 3. The default implementation inside the 'executeStep()' function checks
>> if the user is already authenticated with any of the IdPs configured in the
>> step, and if (s)he has, it will skip authentication.
>>
>> So if I understood this correctly, we can do step-up authentication
>> without any issue. But we can't force re-authentication with the same step
>> according to our default implementation.
>>
>> Questions:
>> 1. Can we override the default implementation in the 'executeStep()' method?
>
> No, it's not overridable for the script.

Although currently it is not overridable in the script, it can be overridden at the Java level. So one can still extend and override the StepHandler specifically for a particular use case.

>> 2. Is it possible to configure the username/password authenticator as the first
>> step and the second step as well, and then write some conditional logic to skip
>> the second step when needed?
>
> This won't work as expected here because at the 2nd step, it will skip the
> step execution as the user is already authenticated with the same
> authenticator before.

So we found that the logic which checks whether a particular step should be executed or not works as follows. If any of the IdPs in the step has already been used to authenticate in any step during a previous authentication, or, in the case of local authenticators, if any one of the local authenticators has already been used to authenticate in any step during a previous authentication, then the step will be skipped. The important point here is that the step in which the IdP or authenticator was previously used is not considered. All steps are treated the same. So according to this logic, even if we configure username/password in the first step as well as the second step, both will be skipped if we have used the username/password authenticator at any time previously in any step.

> So, the best way would be to introduce a function to clear authenticators
> as mentioned by Ruwan, or to introduce an option to the execute step function
> to force authentication for the particular step.

One of the better solutions, as discussed with Pulasthi, would be to be able to pass the force authentication parameter to the executeStep() method at the script level. According to Pulasthi, we already have a property bag which is passed to the StepHandler from the SequenceHandler, and this bag can hold any number of properties. So we can improve the code to pass 'forceAuthentication' as a property as well. If so, we can write the logic that decides whether to force the authentication or not for a particular step at the script level and then pass the forceAuthentication variable as an argument to executeStep(). This solution seems like it would need an improvement to the framework code to pass the forceAuthentication property.

Thanks & Regards,
Johann.

>> Regards,
>> Johann.
> --
> *Pulasthi Mahawithana* | Associate Technical Lead | WSO2 Inc.
> (m) +94-71-5179022 | (w) +94-11-2145345 | (e) pulast...@wso2.com
> Blog: https://medium.com/@pulasthi7/

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
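The step-skip rule Johann describes above (a step is skipped if any authenticator or IdP configured in it was already used in any earlier step, whichever step that was) and the proposed forceAuthentication property, modelled as an added JavaScript illustration. This is not WSO2 framework code; the session shape, the authenticator names and the 'forceAuthentication' property key are assumptions.

```javascript
// Constructed model, not WSO2 framework code. Session shape, authenticator
// names and the 'forceAuthentication' property key are assumptions.

// Session state: the authenticators/IdPs that have already authenticated the
// user. The step index is deliberately not stored, because the thread notes
// the framework does not consider in which step an authenticator was used.
function createSession(previouslyUsed = []) {
  return { authenticatedWith: new Set(previouslyUsed) };
}

// Skip rule: a step is skipped when any authenticator/IdP configured in it
// has already authenticated the user, in any earlier step.
function shouldSkipStep(step, session) {
  return step.options.some(opt => session.authenticatedWith.has(opt));
}

// executeStep() with the property bag passed down to the StepHandler;
// 'forceAuthentication' (proposed, hypothetical) bypasses the skip rule.
function executeStep(step, session, properties = {}) {
  if (!properties.forceAuthentication && shouldSkipStep(step, session)) {
    return { step: step.id, executed: false };
  }
  const used = step.options[0]; // simulated success with the first option
  session.authenticatedWith.add(used);
  return { step: step.id, executed: true, authenticator: used };
}

// Question 2 in the thread: username/password in step 1 and step 2, with an
// SSO session already authenticated by username/password. Both are skipped.
function sameAuthenticatorTwice() {
  const session = createSession(['BasicAuthenticator']);
  const steps = [
    { id: 1, options: ['BasicAuthenticator'] },
    { id: 2, options: ['BasicAuthenticator'] },
  ];
  return steps.map(s => executeStep(s, session).executed);
}

// Step-up with a different authenticator still runs, and the proposed
// forceAuthentication property re-runs the same authenticator on demand.
function stepUpAndForce() {
  const session = createSession(['BasicAuthenticator']);
  const totpStep = { id: 2, options: ['totp'] };
  const basicAgain = { id: 3, options: ['BasicAuthenticator'] };
  return {
    stepUp: executeStep(totpStep, session).executed,
    forced: executeStep(basicAgain, session, { forceAuthentication: true }).executed,
  };
}
```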
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture