User store based conditional authentication with Asgardeo

Wathsara Wishwantha Daluwatta
Jul 31, 2022

Asgardeo conditional authentication lets you customize the login flow with a script, so you can validate multiple factors before granting access to a resource.

In this post I focus on conditional authentication based on the user store domain of the authenticating user. It covers:

  1. How to grant access to a resource based on the user store domain of a user.
  2. How to use Adaptive MFA (Multi Factor Authentication) based on the user store domain.

Prerequisites

1. Sign up to Asgardeo.

2. Connect a remote user store to your Asgardeo organization.
If you haven't done this before, see my article "Let's connect your on-premises user store to Asgardeo".

Step 1 — Register a Single-Page Application

  1. Log in to the Asgardeo Console.
  2. Go to the Develop section and select Applications.
  3. Click New Application.
  4. Select Single-Page Application.
  5. Give the application a Name, then click the Add Now link to set the Authorized redirect URLs of the sample application.
  6. Click Register to create the application.

You'll then be redirected to the Quick Start section of the application. Select the technology you prefer, choose Try out a sample, and follow the setup guide to run the sample application.

Step 2 — Create a customer user in Asgardeo

  1. Go to the Manage section and select Users.
  2. Click New User and select Customer.
  3. Enter the customer's Email, First Name and Last Name, select Set a temporary password for the user, enter a password, and click Finish.

How to grant access to a resource based on the user store domain of a user.

For the application configured above, I want only users from my remote user store to be able to access it. Users from any other user store (for example the DEFAULT store) should see an error message saying they are not authorized to access the application.

1. On the Asgardeo console, click Develop > Applications.

2. Select the application for which the conditional login flow should apply.

3. Go to the Sign-in Method tab.

4. Click Start with default configuration to define the login flow starting with username and password.

5. Turn on Conditional Authentication by switching the toggle.

6. Then update the script with the following content.

The script above extracts the user store domain from the authenticated subject. If the domain is not the remote user store, it redirects the user to the error page (here the default one, since I haven't configured a custom error page) with the relevant error parameters.

Try it out

Access the application URL and try to log in with a user from MY-REMOTE-USERSTORE. Those users will be able to log in to the application successfully.

Now try to log in with the user we created earlier (or any other user from the DEFAULT user store). Those users will see the error message passed from the conditional authentication script.

How to use Adaptive MFA (Multi Factor Authentication) based on the user store domain.

For the same application, I now want to prompt users from my remote user store for TOTP as a second factor before they can access it. For users from other user stores (DEFAULT), username and password alone are enough.

1. Go to the Sign-in Method tab of the application.

2. Add TOTP as the second step.

3. Then update the script with the following content.

The script above extracts the user store domain from the authenticated subject and executes the second step (TOTP) only if that domain equals 'MY-REMOTE-USERSTORE'.
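Both scripts described above, written out as an added example (this is not the author's script, which the page does not reproduce): the two login flows plus a small stub of the Asgardeo sandbox functions so the decisions can be exercised offline. The userStoreDomain property on the step subject and the status/statusMsg parameter names passed to sendError are assumptions taken from WSO2's adaptive authentication documentation.

```javascript
// Added example, not the author's script (which the page does not reproduce).
// Asgardeo conditional-auth scripts are JavaScript run in a sandbox that supplies
// executeStep(), sendError() and the authentication context; the stub runtime at
// the bottom imitates just enough of it to exercise both decisions offline.
// Assumption: the step subject exposes the user store as `userStoreDomain`.
var REMOTE_DOMAIN = 'MY-REMOTE-USERSTORE';

// Flow 1: only remote-store users proceed; everyone else is sent to the error page.
function denyOtherStores(context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.steps[1].subject;
      if (user.userStoreDomain !== REMOTE_DOMAIN) {
        sendError('', {            // '' = Asgardeo's default error page
          status: 'Unauthorized',
          statusMsg: 'Only users from ' + REMOTE_DOMAIN + ' may access this application.'
        });
      }
    }
  });
}

// Flow 2: remote-store users must also pass TOTP (step 2); others finish after step 1.
function stepUpRemoteStore(context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.steps[1].subject;
      if (user.userStoreDomain === REMOTE_DOMAIN) {
        executeStep(2);
      }
    }
  });
}

// ---- Stub runtime for offline testing only; Asgardeo provides the real ones ----
var trace;
function executeStep(step, options) {
  trace.steps.push(step);                       // step treated as completed
  if (options && options.onSuccess) options.onSuccess(trace.context);
}
function sendError(url, params) {
  trace.error = params;                         // record instead of redirecting
}
// Run a flow for a user from the given store; returns the steps run and any error sent.
function simulate(flow, userStoreDomain) {
  var ctx = { steps: { 1: { subject: { userStoreDomain: userStoreDomain } } } };
  trace = { steps: [], error: null, context: ctx };
  flow(ctx);
  return { steps: trace.steps, error: trace.error };
}
```

In Asgardeo only the body of the chosen flow function goes into the script editor's onLoginRequest; the stub runtime is never pasted there.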

Try it Out

Access the application URL and try to log in with a user from MY-REMOTE-USERSTORE. Those users will also have to provide a TOTP to access the application.

Once logged in, you can also see the TOTP step reflected in the amr (authentication methods reference) claim of the decoded ID token:

"amr": ["BasicAuthenticator", "totp"]

Now try to log in with the user we created earlier (or any other user from the DEFAULT user store). Those users won't be asked for a TOTP.

Once logged in, the amr claim of the decoded ID token shows only BasicAuthenticator:

"amr": ["BasicAuthenticator"]

Thank you for reading. Have a Good Day!!


Software Engineer at WSO2 | Studied BSc (Hons) Software Engineering at University of Colombo School of Computing