Merge pull request #361 from DuendeSoftware/anders/mfa
MFA
brockallen authored Oct 19, 2023
2 parents fa9a7f6 + 8a44fe8 commit 247be52
Showing 3 changed files with 22 additions and 0 deletions.
8 changes: 8 additions & 0 deletions IdentityServer/v6/docs/content/ui/_index.md
@@ -7,6 +7,14 @@ chapter = true

# User Interaction and Pages

The design goal of Duende IdentityServer is to supply a full implementation of the OpenID Connect protocol while on the same time be the most flexible and extendible solution. One area that is customized in all deployments of IdentityServer is the user interface. It is typically branded to have the same look and feel as other web sites of the organization. The logic driving the pages is also closely related both to the design and the business rules. To allow full flexibility of the UI, including business rules and user flow, the UI is separated from the core IdentityServer product.

![Overview](images/host.png)

To get a quick start with the UI, we provide a [quick start UI]({{< ref "./../quickstarts/2_interactive#add-the-ui">}}) as well as a [quick start UI adapted to Asp.Net Identity]({{< ref "./../quickstarts/5_aspnetid">}}).

## Required Pages

As browser requests are made to the protocol endpoints in your IdentityServer, they will be redirected to the interactive pages for the user to see. Depending on the features required, the pages expected in your IdentityServer are:
* [Login]({{< ref "./login" >}}): allows the user to login. This could be achieved with a local credential, or could utilize an external login provider (e.g. social or enterprise federation system).
* [Logout]({{< ref "./logout" >}}): allows the user to logout (including providing single sign-out).
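Review bot: In the paragraph starting "The design goal of Duende IdentityServer", "while on the same time be" should read "while at the same time being", and "extendible" is more commonly written "extensible". The second quick start link says "Asp.Net Identity"; the product name is ASP.NET Core Identity, so use that casing here. The `![Overview](images/host.png)` image carries only the alt text "Overview"; a more descriptive alt text or a one-line caption stating what the diagram shows about the separation between the UI and the core IdentityServer product would help readers who cannot see the image.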
14 changes: 14 additions & 0 deletions IdentityServer/v6/docs/content/ui/login/mfa.md
@@ -0,0 +1,14 @@
---
title: "Multi Factor Authentication"
weight: 50
---

# Multi Factor Authentication

IdentityServer itself doesn't implement MFA. MFA is of the login which is the [responsibility of the hosting application]({{< ref "..">}}).

## MFA hosted in IdentityServer
To make the local IdentityServer login page offer MFA anything that works with Asp.Net Core also works with IdentityServer. One approach is to use [Microsoft Asp.Net Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity) that offers [MFA support](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes).

## MFA and external authentication
When using Duende IdentityServer as a [federation gateway](../../federation) the user authentication is done on the upstream provider. It is common to let the upstream provider deal with the entire user authentication, including any MFA required. There's no special configuration or implementation needed on IdentityServer in this case, as the upstream provider handles everyting.
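Review bot: The first sentence under "# Multi Factor Authentication" is missing a word: "MFA is of the login which is" should read something like "MFA is part of the login process, which is". In the last paragraph "everyting" should be "everything", and "Asp.Net Core" / "Asp.Net Identity" should use the ASP.NET casing. The "MFA and external authentication" section says no special configuration or implementation is needed on IdentityServer, but it does not say how the host can tell whether the upstream provider actually performed MFA for a given sign-in; consider adding a sentence on that, for example pointing to the `amr` or `acr` claim in the upstream ID token where the provider issues one. Also add a blank line after each "##" heading, matching the "## Required Pages" heading in _index.md.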
