Build
CI
published

IdP Hook Updates

Please note that this repository has been archived and will not be receiving any updates.

This project is designed to synchronize user identities between cloud based Identity Providers (IdPs) and cloud based Multi Factor Authentication (MFA) providers.
While some of the user identities synchronization can be achieved using the SCIM specification (RFC 7643), that specification does not not cover MFA use cases.

The project relies on IdPs to provide Webhooks for asynchronous notifications of user identity changes on one side, and relies on the MFA providers to provide administrative APIs to reflect these changes.
The project uses Hexagonal architecture to allow connecting different IdPs and MFA providers.

Supported Identity Providers

  • Okta
  • Auth0

Supported MFA Providers

  • Duo Security

Supported Cloud Providers

  • AWS
  • Azure
  • GCP

The Webhooks endpoint can run anywhere as long as it can get the IdP requests and invoke the MFA providers APIs.

Use Case Description

  1. Create sophisticated MFA policies:
    When a user enrolls an MFA device, the information the MFA provider collects is the user email and phone number.
    The user's profile information and group/role information are not transferred to the MFA provider.
    By using this integration, the profile information and group/role information are constantly synchronized to the MFA provider and can be used for creating sophisticated MFA policies.

  2. Simpler operations when a user cannot access an MFA device:
    If a user cannot access an MFA device, an admin needs to reset the MFA link in the IdP portal to trigger enrollment of a new MFA device for the user.
    When an admin resets the MFA for a user in the IdP portal, it deletes the link between the user and the MFA account; however, the user is still associated to the enrolled device in the MFA provider.
    In this case, when the user next logs in to the IdP and is required to add MFA, the MFA provider recognizes the user already has an enrolled device and does not prompt the user to enroll new devices.
    The workaround in this case is to delete the MFA device in the MFA portal as well.
    By using this integration, when an admin resets the MFA for a user in the IdP portal it also deletes the association between the user and the enrolled device in the MFA provider automatically.

Flow diagram

A user can update his profile details in the IdP service.
An admin can perform the following actions in the IdP service:

  • create/delete a user
  • create/rename/delete a group
  • associate/disassociate a user to a group
  • disable/reenable a user
  • reset MFA for a user

Installation

Prerequisites

  • yarn Package Manager
  • terraform Infrastructure provisioning tool

macOS

  1. Install Brew
  2. Install yarn - brew install yarn
  3. Install terraform - brew install terraform

Windows

  1. Install yarn
  2. Intsall terraform

Installing dependencies

Run yarn install

Create artifacts

Run yarn zip to create zip files with the hook function code that can be deployed using the instructions below

Instructions for deployment

The instructions below use terraform to automatically provision resources on your selected cloud provider, deploy the hook function code and register the hook in the Identity Provider service.

How to test the software

Run unit tests and code coverage yarn test

Unit tests are executed on every push to master and the status is shown in a badge on the top of this page.

Getting help

If you have questions, concerns, bug reports, etc., please create an issue against this repository.

View code on GitHub

Code Exchange Community

Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
Disclaimer:
Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.