FusionAuth

    Topics created by bradley.kite

    • B

      OTP mixed with external identity providers

      General Discussion
      bradley.kite
      0 Votes, 3 Posts, 1.0k Views

      R

      It sounds like you have a complex identity management setup with various types of users accessing your applications. To address the requirement of enforcing MFA (OTP) at the user level rather than the application level, you might need to adjust your approach slightly. Here's a suggestion on how you could resolve this:

      Customize User Registration Process: When creating user accounts manually within FusionAuth, you can customize the registration process to include mandatory enrollment of MFA (OTP). This could involve adding a step during account creation where users are prompted to set up MFA, and they can't proceed without completing this step.

      Use FusionAuth Hooks or Lambda Functions: FusionAuth provides hooks or Lambda functions that allow you to execute custom logic during various events, such as user registration. You can leverage these hooks to enforce MFA enrollment for manually created user accounts. For example, you could write a custom hook that checks if the user account was created manually and if so, requires MFA enrollment before allowing the account creation process to complete.

      Communicate MFA Requirement Clearly: Ensure that users are aware of the MFA requirement during the account creation process. Provide clear instructions on how to set up MFA and why it's necessary for their security. This helps in ensuring user compliance with the MFA enrollment process.

      User Education and Support: Offer resources and support to assist users in setting up MFA. This could include documentation, tutorials, or even direct support channels where users can get assistance if they encounter any issues during the MFA enrollment process.

      By implementing these steps, you can enforce MFA (OTP) at the user level for manually created accounts within FusionAuth, while still allowing federated Azure customers to access your applications seamlessly without requiring an additional layer of authentication.

    • B

      Group Based App Registrations?

      General Discussion
      bradley.kite
      0 Votes, 4 Posts, 811 Views

      danD

      That is one path that might work in the future, but you can't create arbitrary registrations, call the APIs, or know which groups someone is part of right now.

      I know the roadmap includes reworking the lambda so that it is more flexible. That's tied up in upgrading from Nashorn. If we allowed you access to any APIs from the lambda, you'd then be able to do this.

      See https://github.com/FusionAuth/fusionauth-issues/issues/571 and https://github.com/FusionAuth/fusionauth-issues/issues/267 for more on that. If you can, it'd be great to comment pointing to this forum post about wanting more flexibility in Lambdas.

    • B

      MFA / 2FA Force Enrollment

      General Discussion
      bradley.kite
      0 Votes, 4 Posts, 1.4k Views

      danD

      Hiya,

      There's no formal recommendation for how to integrate with FusionAuth, other than the APIs.

      The way I'd build pages and logic that I wanted side by side (like a login page which required two factor auth for a given application 🙂 ) with FusionAuth would be to proxy FusionAuth with something like an ALB or nginx. Then have one path for FusionAuth login pages and another path for your custom application. You could retrieve the theme CSS and reuse it.

      The only plugins that FusionAuth supports right now are for password importing.

      The Java client library of course is available for integration, but if you are building a side by side webapp, I'd use whatever client library makes sense for your environment.

      But perhaps I'm not sure what you're trying to accomplish with this integration. Would you like one deployable artifact or something similar? Can you explain more?

    • B

      SAML v2 POST method

      General Discussion
      bradley.kite
      0 Votes, 6 Posts, 2.3k Views

      B

      Thanks Dan,

      I've created a GitHub issue here:

      https://github.com/FusionAuth/fusionauth-issues/issues/845

    • B

      LDAP LAMBDA

      General Discussion
      bradley.kite
      0 Votes, 15 Posts, 8.9k Views

      B

      In case anyone else would like to do the same, I have found a solution which I have detailed here:

      https://github.com/FusionAuth/fusionauth-issues/issues/822#issuecomment-680172776