Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Examples on how to integrate with AD #68

Closed
abergs opened this issue Jan 6, 2019 · 2 comments
Closed

Examples on how to integrate with AD #68

abergs opened this issue Jan 6, 2019 · 2 comments

Comments

@abergs
Copy link
Collaborator

abergs commented Jan 6, 2019

I get a lot of emails about how this can be integrated with both on-premise AD and Azure AD.

@aseigler You have worked on this. Can we do a write-up or share some examples?

@aseigler
Copy link
Collaborator

aseigler commented Jan 6, 2019

Absolutely! My initial intent with this project was to get on-premises Active Directory integration and an ADFS MFA adapter so that users could register organizationally approved FIDO2 authenticators to their AD user accounts and then use those authenticators to log on through ADFS to federated applications and/or other applications behind ADFS in a one-shot manner for true, secure passwordless login experience.

If you look at https://github.com/abergs/fido2-net-lib/blob/ActiveDirectory/fido2-net-lib/ActiveDirectoryStore.cs, there is the start of an implementation of this. It starts with a small schema addition to support adding a FIDO2 authenticator object as a child object, very similar to how ActiveSync devices work. When registering an authenticator on the sample app, the authenticator is associated to the user object so that the next time that authenticator object is found during a logon, the server knows who the associated user is and can process the logon accordingly.

I have tested the sample to work that far, but the concept could allow for token pre-registration by administrators, user self-service add/remove of authenticators, and other help desk workflow scenarios, including things like authenticator inventory lifecycle, or allowing removal of lost/stolen authenticators or removing all authenticators of a certain type (by AAGUID for instance) if that type of authenticator has been found to be compromised or otherwise been made obsolete, or notifying or forcing users to update firmware or such.

@alexeygritsenko
Copy link

alexeygritsenko commented Feb 9, 2024

Good starting example, questions

  1. Is this example related to Windows Hello or Windows Hello for Business?
  2. Why do I have to enter a name and domain instead of picking up my credentials logged in now?
  3. Does this authorization take into account any restrictions on my account, just like logging in with password (account disabled, account expired, when user attempts to login outside logon hours or not granted permission to login to the computer etc) does?
  4. Do you plan to further develop this project and why is it not included in the master branch?

@passwordless-lib passwordless-lib locked and limited conversation to collaborators Nov 5, 2024
@abergs abergs converted this issue into discussion #572 Nov 5, 2024

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants