PWM forgotten password OAuth integration


Anton K

Jul 27, 2022, 6:23:55 AM
to pwm-general
Hi everyone!
I'd like to set up the forgotten password feature and onboard MFA integration.
The target goal is to set up integration with an MFA provider using OAuth integration and redirect the user to MFA to pass this option first and then allow them to change the password.

Despite the fact that my settings seem to be correct, PWM still challenges the user with questions instead of redirecting to the MFA portal when the user presses the forgotten password button.

Could someone please advise what can be the problem?

Screenshot from 2022-07-27 14-21-56.png
Thanks!


Jason Rivard

Jul 27, 2022, 7:28:41 AM
to pwm-general
That's not a simple config, and there's no simple answer.  Start with examining the log files.

Anton K

Jul 27, 2022, 8:29:48 AM
to pwm-general
Hi Jason,
Sure, will do, just hoped it can be resolved a little bit faster :)

Also, I've just understood that the OAuth option doesn't meet my goals.
The OAuth option works if I have somewhere yet another identity provider that can serve as a source of truth and has nothing to do with Active Directory (in my case this is a user container).
But in my case I want the MFA provider to act like an API, which is not an option here...

Probably there is an option for the forgotten password feature to integrate with a 3rd party API endpoint, like DUO MFA for example?

Thanks,

Paul Hodgdon

Jul 27, 2022, 8:38:50 AM
to pwm-g...@googlegroups.com
You can use the MFA feature of reset password where you register PWM as an app within DUO and then can generate an OTP using your device.

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com

     




Anton K

Jul 27, 2022, 9:01:07 AM
to pwm-general
Hi Paul,
Not sure that I got you correctly.
I looked through the DUO docs here https://duo.com/docs/authapi#/auth and it seems like it is about an API but not about OAuth integration.
In my case I'm not using DUO SSO.

Thanks,

Paul Hodgdon

Jul 27, 2022, 12:33:33 PM
to pwm-g...@googlegroups.com
I am suggesting if you use the Setup OTP module a user can enroll PWM in an authenticator app like DUO and use that to reset their password if they forgot it.

     


Anton K

Jul 28, 2022, 7:57:22 AM
to pwm-general
Hi Paul,
Thanks for the tip.
If I'm not mistaken, in this case I need to implement user registration via PWM and require them to enroll in some OTP service (like Google or DUO or whatever).
I thought about it, but in my case I cannot use it as I have a completely different user onboarding procedure.
Anyway, I appreciate your advice.

And it seems like if PWM could log a feature request to implement API integration as an option for forgotten passwords, this could be an awesome thing!

Regards,
