Skip to content

Commit

Permalink
Minor edits to the new mfa page, expanded UI page
Browse files Browse the repository at this point in the history
  • Loading branch information
josephdecock committed Nov 14, 2023
1 parent cbc3025 commit 2999598
Show file tree
Hide file tree
Showing 4 changed files with 30 additions and 12 deletions.
15 changes: 12 additions & 3 deletions IdentityServer/v6/docs/content/ui/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,24 @@ chapter = true

# User Interaction and Pages

The design goal of Duende IdentityServer is to supply a full implementation of the OpenID Connect protocol while on the same time be the most flexible and extendible solution. One area that is customized in all deployments of IdentityServer is the user interface. It is typically branded to have the same look and feel as other web sites of the organization. The logic driving the pages is also closely related both to the design and the business rules. To allow full flexibility of the UI, including business rules and user flow, the UI is separated from the core IdentityServer product.
The design goal of Duende IdentityServer is to provide a full implementation of the OpenID Connect and OAuth protocols that is extremely flexible and easily customizable. One facet of IdentityServer that implementations typically customize is the user interface that users see when they need to log in, log out, etc. This UI is almost always branded to have the same look and feel as other applications of the organization that is implementing IdentityServer. But the customization that is possible within the UI goes much deeper than a logo or stylesheet. The entire user experience in your IdentityServer implementation is code that you control. This allows you to build customizations such as
- Multi-factor authentication
- Knowledge-based authentication
- Passwordless authentication
- Requiring the user to accept terms of service or other legal agreements
- Home-realm discovery to determine which user store or external authentication provider should be used
- Reconciliation of accounts across multiple user stores
- Gathering additional user information and provisioning resources when new users arrive from external providers

To allow full flexibility of the UI, including business rules and user flow, the UI is separated from the core IdentityServer engine. The engine implements the endpoints specified in the protocols and hands off control to your code in the UI as necessary.

![Overview](images/host.png)

To get a quick start with the UI, we provide a [quick start UI]({{< ref "./../quickstarts/2_interactive#add-the-ui">}}) as well as a [quick start UI adapted to Asp.Net Identity]({{< ref "./../quickstarts/5_aspnetid">}}).
Our templates include a [quick start UI]({{< ref "./../quickstarts/2_interactive#add-the-ui">}}) as well as a [quick start UI adapted to ASP.NET Identity]({{< ref "./../quickstarts/5_aspnetid">}}) which provide a starting point for all the necessary pages, ready to be customized.

## Required Pages

As browser requests are made to the protocol endpoints in your IdentityServer, they will be redirected to the interactive pages for the user to see. Depending on the features required, the pages expected in your IdentityServer are:
As browser requests are made to the protocol endpoints in your IdentityServer implementation, they will be redirected to the interactive pages for the user to see. Depending on the features required, the pages expected in your IdentityServer implementation are:
* [Login]({{< ref "./login" >}}): allows the user to login. This could be achieved with a local credential, or could utilize an external login provider (e.g. social or enterprise federation system).
* [Logout]({{< ref "./logout" >}}): allows the user to logout (including providing single sign-out).
* [Error]({{< ref "./error" >}}): display error information to the end user, typically when there are workflow errors.
Expand Down
6 changes: 3 additions & 3 deletions IdentityServer/v6/docs/content/ui/login/mfa.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ title: "Multi Factor Authentication"
weight: 50
---

IdentityServer itself doesn't implement MFA. MFA is part of the login which is the [responsibility of the hosting application]({{< ref "..">}}). Microsoft provides some [general guidelines](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa) on how to enable MFA for Asp.Net Core.
Duende IdentityServer itself doesn't implement multi-factor authentication (MFA). MFA is part of the login process in the user interface which is the [responsibility of the hosting application]({{< ref "..">}}). Microsoft provides some [general guidelines](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa) on how to enable MFA in ASP.NET Core.

## MFA hosted in IdentityServer
To make the local IdentityServer login page offer MFA anything that works with Asp.Net Core also works with IdentityServer. One approach is to use [Microsoft Asp.Net Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity) that offers [MFA support](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes).
An IdentityServer implementation can include MFA in its login page using anything that works with ASP.NET Core. One approach is to use [ASP.NET Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity)'s [MFA support](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes).

## MFA and external authentication
When using Duende IdentityServer as a [federation gateway](../../federation) the user authentication is done on the upstream provider. It is common to let the upstream provider deal with the entire user authentication, including any MFA required. There's no special configuration or implementation needed on IdentityServer in this case, as the upstream provider handles everyting.
When using IdentityServer as a [federation gateway](../../federation), interactive users authenticate at the upstream provider. Typically the upstream provider will perform the entire user authentication process, including any MFA required. There's no special configuration or implementation needed in IdentityServer in this case, as the upstream provider handles everything.
15 changes: 12 additions & 3 deletions IdentityServer/v7/docs/content/ui/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,24 @@ chapter = true

# User Interaction and Pages

The design goal of Duende IdentityServer is to supply a full implementation of the OpenID Connect protocol while on the same time be the most flexible and extendible solution. One area that is customized in all deployments of IdentityServer is the user interface. It is typically branded to have the same look and feel as other web sites of the organization. The logic driving the pages is also closely related both to the design and the business rules. To allow full flexibility of the UI, including business rules and user flow, the UI is separated from the core IdentityServer product.
The design goal of Duende IdentityServer is to provide a full implementation of the OpenID Connect and OAuth protocols that is extremely flexible and easily customizable. One facet of IdentityServer that implementations typically customize is the user interface that users see when they need to log in, log out, etc. This UI is almost always branded to have the same look and feel as other applications of the organization that is implementing IdentityServer. But the customization that is possible within the UI goes much deeper than a logo or stylesheet. The entire user experience in your IdentityServer implementation is code that you control. This allows you to build customizations such as
- Multi-factor authentication
- Knowledge-based authentication
- Passwordless authentication
- Requiring the user to accept terms of service or other legal agreements
- Home-realm discovery to determine which user store or external authentication provider should be used
- Reconciliation of accounts across multiple user stores
- Gathering additional user information and provisioning resources when new users arrive from external providers

To allow full flexibility of the UI, including business rules and user flow, the UI is separated from the core IdentityServer engine. The engine implements the endpoints specified in the protocols and hands off control to your code in the UI as necessary.

![Overview](images/host.png)

To get a quick start with the UI, we provide a [quick start UI]({{< ref "./../quickstarts/2_interactive#add-the-ui">}}) as well as a [quick start UI adapted to Asp.Net Identity]({{< ref "./../quickstarts/5_aspnetid">}}).
Our templates include a [quick start UI]({{< ref "./../quickstarts/2_interactive#add-the-ui">}}) as well as a [quick start UI adapted to ASP.NET Identity]({{< ref "./../quickstarts/5_aspnetid">}}) which provide a starting point for all the necessary pages, ready to be customized.

## Required Pages

As browser requests are made to the protocol endpoints in your IdentityServer, they will be redirected to the interactive pages for the user to see. Depending on the features required, the pages expected in your IdentityServer are:
As browser requests are made to the protocol endpoints in your IdentityServer implementation, they will be redirected to the interactive pages for the user to see. Depending on the features required, the pages expected in your IdentityServer implementation are:
* [Login]({{< ref "./login" >}}): allows the user to login. This could be achieved with a local credential, or could utilize an external login provider (e.g. social or enterprise federation system).
* [Logout]({{< ref "./logout" >}}): allows the user to logout (including providing single sign-out).
* [Error]({{< ref "./error" >}}): display error information to the end user, typically when there are workflow errors.
Expand Down
6 changes: 3 additions & 3 deletions IdentityServer/v7/docs/content/ui/login/mfa.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ title: "Multi Factor Authentication"
weight: 50
---

IdentityServer itself doesn't implement MFA. MFA is part of the login which is the [responsibility of the hosting application]({{< ref "..">}}).
Duende IdentityServer itself doesn't implement multi-factor authentication (MFA). MFA is part of the login process in the user interface which is the [responsibility of the hosting application]({{< ref "..">}}). Microsoft provides some [general guidelines](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa) on how to enable MFA in ASP.NET Core.

## MFA hosted in IdentityServer
To make the local IdentityServer login page offer MFA anything that works with Asp.Net Core also works with IdentityServer. One approach is to use [Microsoft Asp.Net Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity) that offers [MFA support](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes).
An IdentityServer implementation can include MFA in its login page using anything that works with ASP.NET Core. One approach is to use [ASP.NET Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity)'s [MFA support](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes).

## MFA and external authentication
When using Duende IdentityServer as a [federation gateway](../../federation) the user authentication is done on the upstream provider. It is common to let the upstream provider deal with the entire user authentication, including any MFA required. There's no special configuration or implementation needed on IdentityServer in this case, as the upstream provider handles everyting.
When using IdentityServer as a [federation gateway](../../federation), interactive users authenticate at the upstream provider. Typically the upstream provider will perform the entire user authentication process, including any MFA required. There's no special configuration or implementation needed in IdentityServer in this case, as the upstream provider handles everything.

0 comments on commit 2999598

Please sign in to comment.