This project is designed to synchronize user identities between cloud based Identity Providers (IdPs) and cloud based Multi Factor Authentication (MFA) providers.
While some of the user identities synchronization can be achieved using the SCIM specification (RFC 7643), that specification does not not cover MFA use cases.
The project relies on IdPs to provide Webhooks for asynchronous notifications of user identity changes on one side, and relies on the MFA providers to provide administrative APIs to reflect these changes.
The project uses Hexagonal architecture to allow connecting different IdPs and MFA providers.
Supported Identity Providers
- Okta
- Auth0
Supported MFA Providers
- Duo Security
Supported Cloud Providers
- AWS
- Azure
- GCP
The Webhooks endpoint can run anywhere as long as it can get the IdP requests and invoke the MFA providers APIs.
-
Create sophisticated MFA policies:
When a user enrolls an MFA device, the information the MFA provider collects is the user email and phone number. The user's profile information and group/role information are not transferred to the MFA provider.
By using this integration, the profile information and group/role information are constantly synchronized to the MFA provider and can be used for creating sophisticated MFA policies. -
Simpler operations when a user cannot access an MFA device:
If a user cannot access an MFA device, an admin needs to reset the MFA link in the IdP portal to trigger enrollment of a new MFA device for the user.
When an admin resets the MFA for a user in the IdP portal, it deletes the link between the user and the MFA account; however, the user is still associated to the enrolled device in the MFA provider.
In this case, when the user next logs in to the IdP and is required to add MFA, the MFA provider recognizes the user already has an enrolled device and does not prompt the user to enroll new devices.
The workaround in this case is to delete the MFA device in the MFA portal as well.
By using this integration, when an admin resets the MFA for a user in the IdP portal it also deletes the association between the user and the enrolled device in the MFA provider automatically.
A user can update his profile details in the IdP service.
An admin can perform the following actions in the IdP service:
- create/delete a user
- create/rename/delete a group
- associate/disassociate a user to a group
- disable/reenable a user
- reset MFA for a user
yarnPackage ManagerterraformInfrastructure provisioning tool
- Install Brew
- Install yarn -
brew install yarn - Install terraform -
brew install terraform
Run yarn install
Run yarn zip to create zip files with the hook function code that can be deployed using the instructions below
The instructions below use terraform to automatically provision resources on your selected cloud provider, deploy the hook function code and register the hook in the Identity Provider service.
- Synchronizing Okta and Duo Security using AWS
- Synchronizing Okta and Duo Security using GCP
- Synchronizing Okta and Duo Security using Azure
- Synchronizing Auth0 and Duo Security using AWS
- Synchronizing Auth0 and Duo Security using GCP
- Synchronizing Auth0 and Duo Security using Azure
Run unit tests and code coverage yarn test
Unit tests are executed on every push to master and the status is shown in a badge on the top of this page.
If you have questions, concerns, bug reports, etc., please create an issue against this repository.