By: Aman Negi user 15 Jan 2024 at 8:34 a.m. CST

6 Responses
Aman Negi gravatar
This ticket is in behalf of AAAS: https://support.gluu.org/single-sign-on/11619/issue-with-the-gluu-passport-serrvice-to-integrate-azure-for-authentication/#at87595 Here is a reference to previous ticket where i was asked to create a new ticket for it. Is there any way to manage the OTP registered device using APIs? In Gluu doc we can't find any endpoint to update the oxExternalUID attribute that generally store the OTP device? **Will Gluu Server ask for OTP every time AAAS employee will try to use Gluu Server or they want to protect any specific SP/RP with 2FA?** Gluu need to ask for 2FA only for some particular clients

By Mohib Zico Account Admin 15 Jan 2024 at 10:13 a.m. CST

Mohib Zico gravatar
You can configure specific ACR for specific OpenID client: https://gluu.org/docs/gluu-server/4.5/admin-guide/openid-connect/#setting-the-default-acr

By Aman Negi user 15 Jan 2024 at 10:30 a.m. CST

Aman Negi gravatar
Yeah I am aware of the specific ACR value, My question is if we want to manage the OTP device using API is it possible. For example if user forget the device can we remove the device using API calls, but i don't think Gluu scim doc have anything realted managing the OTP devices.

By Michael Schwartz Account Admin 15 Jan 2024 at 12:42 p.m. CST

Michael Schwartz gravatar
OTP devices are stored as a user claim, so you can use the SCIM /Users endpoint to manage OTP devices. SCIM doesn't address OTP specifically because it's just a customer user claim.

By Aliaksandr Samuseu staff 15 Jan 2024 at 7:20 p.m. CST

Aliaksandr Samuseu gravatar
Hi, Aman & Michael. That's correct - if attribute is present on user's entry, you should be able to change it with SCIM. So, for example, for "oxExternalUID" to be mutable with it, follow next steps: 1. Move to "Configuration" > "Attributes" and click "Register attribute" button 2. For "Name" and "Display name" use "oxExternalUID", type - "text", then set "Include in SCIM extension" checkbox; the rest of the fields can be left at default/blank values, or any value can be put there if its mandatory 3. Click "Register" button From now on, you should be able to manipulate this attribute with SCIM, as long as request is correct. Here is example of request that updates this attribute: ``` { "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:gluu:2.0:User" ], "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": { "oxExternalUID": "lsd:afjljflsajfsafjas21312-cngd" }, "displayName":"test user one scim-upd" } ``` Hope this helps.

By Aman Negi user 17 Jan 2024 at 1:30 p.m. CST

Aman Negi gravatar
Thanks a lot Micheal and Aliaksandr, This resolve the issue regarding the OTP device management. But i have another question regarding MFA can you let me know if this is possible in Gluu: Can we add the ability for the user to optionally defer the second factor for a configurable period of time after the successful second factor login. a) User logs in, provides the second factor, then selects, remember me temporarily b) Subsequent logins from that device only require the first factor until the configurable time period has elapsed (1 day? 1 week? 10 days?)

By Michael Schwartz Account Admin 17 Jan 2024 at 6:52 p.m. CST

Michael Schwartz gravatar
In Gluu 4 you can do anything with person authentication scripts by making it a two step authentication flow, and the displaying the respective page in step 2. For example, see this example in our [Duo Interception Script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/duo/DuoExternalAuthenticator.py#L115) In Gluu Flex, this would be better handled by creating an Agama flow... I'll be posting a lot of content about Agama this year on Linkedin, if you [follow me](https://www.linkedin.com/in/nynymike/).