
Identity Providers and Multi Factor Authentication

Introduction

Starting in Joget DX 9, support for Identity Providers and Multi Factor Authentication is built in. These additions let administrators add an extra layer of protection on top of the username and password combination used for application logins. Previously, this was only attainable through plugins.

Prerequisites

IdP and MFA are only supported in Joget Enterprise Edition.

How does it work?

Identity Provider (IdP)

When the Identity Provider feature is enabled, Joget users are able to manually link the configured IdPs to their Joget accounts.

There are a few concepts to understand here:

  • Joget User – A user that already exists in Joget, such as the “admin” account.
  • IdP User – A user that exists on the IdP’s user list. For example, since Google supports OpenID Connect, Google is considered an IdP. An “IdP User” in Google would be your Google account.
  • Linking an IdP – Associating some unique data about an IdP User from an IdP with a Joget account. This ties the IdP and the IdP User to the Joget account and allows the Joget account to be signed in with that specific IdP User.

The matrix below illustrates the outcomes for each combination of two settings that are standard in the IdP Framework, Automatic Linking and User Provisioning. For each combination, three cases are listed according to how many Joget Users are already linked to the IdP User that signed in.

Automatic Linking disabled, User Provisioning disabled

  1. No linked users
    Login fails: no users are linked or provisioned.

  2. One linked user
    Login success: the existing Joget User linked to the IdP User is logged in. No additional users are linked or provisioned.

  3. Multiple linked users
    Login fails: no users are linked or provisioned.

Automatic Linking enabled, User Provisioning disabled

  1. No linked users
    Login fails if no Joget User with the same email as the IdP User exists. No users are linked or provisioned.

    Login success if exactly one Joget User with the same email as the IdP User exists: it is automatically linked and logged in. No user is provisioned.

    Login fails if multiple Joget Users have the same email. No users are linked or provisioned.

  2. One linked user
    Login success: the existing Joget User linked to the IdP User is logged in. No additional users are linked or provisioned.

  3. Multiple linked users
    Login fails: no users are linked or provisioned.

Automatic Linking disabled, User Provisioning enabled

  1. No linked users
    Login success: a Joget User with the details provided by the IdP is created and linked to this IdP User.

  2. One linked user
    Login success: the existing Joget User linked to the IdP User is logged in. No additional users are linked or provisioned.

  3. Multiple linked users
    Login fails: no users are linked or provisioned.

Automatic Linking enabled, User Provisioning enabled

  1. No linked users
    Login success if no Joget User with the same email as the IdP User exists: a Joget User with the details provided by the IdP is created and linked to this IdP User.

    Login success if exactly one Joget User with the same email as the IdP User exists: it is automatically linked and logged in. No user is provisioned.

    Login fails if multiple Joget Users have the same email. No users are linked or provisioned.

  2. One linked user
    Login success: the existing Joget User linked to the IdP User is logged in. No additional users are linked or provisioned.

  3. Multiple linked users
    Login fails: no users are linked or provisioned.
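The matrix above is a decision procedure, and it is easier to audit as code than as four cells of prose. The example below is added here and is not Joget's own implementation; the data model (a user record holding a set of linked IdP identifiers, an IdP user carrying an identifier and an email, usernames for provisioned users derived from the email) is an assumption made for illustration. It encodes exactly the outcomes in the matrix, including the fail-closed rule that any ambiguity (several linked users, or several Joget Users sharing the IdP User's email) results in a failed login with nothing linked or provisioned.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class JogetUser:
    """A user that already exists in Joget (e.g. the 'admin' account)."""
    username: str
    email: str
    # IdP identifiers this account has been linked to, e.g. {"oidc:sub-1"}.
    # The exact 'unique data' stored per link is an assumption of this example.
    linked_idp_ids: Set[str] = field(default_factory=set)


@dataclass
class IdpUser:
    """What the IdP asserts about the person who just authenticated."""
    idp_id: str        # unique identifier of the IdP User at the IdP (assumed format)
    email: str
    display_name: str


@dataclass
class LoginResult:
    success: bool
    username: Optional[str]
    reason: str
    linked: bool = False        # a new link was written during this login
    provisioned: bool = False   # a new Joget User was created during this login


def idp_login(users: List[JogetUser], idp_user: IdpUser,
              automatic_linking: bool, user_provisioning: bool) -> LoginResult:
    """Decide the outcome of an IdP login according to the matrix.

    Ambiguity (several linked users, or several users sharing the IdP User's
    email) always fails closed: nothing is linked or provisioned.
    """
    linked = [u for u in users if idp_user.idp_id in u.linked_idp_ids]

    # Cases 2 and 3 of every matrix cell do not depend on either setting.
    if len(linked) == 1:
        return LoginResult(True, linked[0].username, "existing linked user")
    if len(linked) > 1:
        return LoginResult(False, None, "multiple Joget users linked to this IdP user")

    # Case 1: no linked users. Automatic linking is consulted first.
    if automatic_linking:
        # Exact string comparison of the email; normalisation is not described
        # on the page and is deliberately left out here.
        same_email = [u for u in users if u.email == idp_user.email]
        if len(same_email) > 1:
            return LoginResult(False, None, "multiple Joget users share this email")
        if len(same_email) == 1:
            same_email[0].linked_idp_ids.add(idp_user.idp_id)
            return LoginResult(True, same_email[0].username,
                               "automatically linked by email", linked=True)
        # No user with that email: fall through to provisioning.

    if user_provisioning:
        # Deriving the username from the IdP-supplied email is an assumption of
        # this example; the page only says 'details provided by the IdP'.
        new_user = JogetUser(username=idp_user.email, email=idp_user.email,
                             linked_idp_ids={idp_user.idp_id})
        users.append(new_user)
        return LoginResult(True, new_user.username, "user provisioned and linked",
                           linked=True, provisioned=True)

    return LoginResult(False, None, "no linked user; linking and provisioning not possible")


if __name__ == "__main__":
    # Constructed sample directory: one linked account, one unlinked account,
    # and two accounts sharing an email address.
    directory = [
        JogetUser("admin", "admin@example.com", {"oidc:sub-admin"}),
        JogetUser("bob", "bob@example.com"),
        JogetUser("carol", "shared@example.com"),
        JogetUser("carol2", "shared@example.com"),
    ]
    attempts = [IdpUser("oidc:sub-admin", "admin@example.com", "Admin"),
                IdpUser("oidc:sub-bob", "bob@example.com", "Bob"),
                IdpUser("oidc:sub-x", "shared@example.com", "X"),
                IdpUser("oidc:sub-new", "new@example.com", "New")]
    for flags in [(False, False), (True, False), (False, True), (True, True)]:
        for idp_user in attempts:
            fresh = [JogetUser(u.username, u.email, set(u.linked_idp_ids)) for u in directory]
            result = idp_login(fresh, idp_user, *flags)
            print("auto-link=%s provision=%s %-20s -> %s (%s)"
                  % (flags[0], flags[1], idp_user.email, result.success, result.reason))
```

The one path that deserves attention at deployment time is the automatic-linking branch: it grants access to an existing Joget account purely on the strength of the email the IdP reports. The page does not state whether the IdP plugin requires that email to be verified by the IdP, so that is the property to confirm in the plugin's configuration before enabling Automatic Linking in production.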

Multi-factor Authentication (MFA)

Multi-factor authentication applies only to local Joget account logins and is not applied to identity provider logins, because it is the identity provider's responsibility to sufficiently identify and authenticate the users in its own database.

The MFA pop-up screen appears after the user submits the login form, and only if the user has registered a valid MFA method. An MFA method is valid when its MFA plugin is:

  1. Installed and configured in the system, and

  2. Registered by the user in their account.

The MFA pop-up screen differs depending on the number of registered MFA methods the user has:

  • If the user has more than one valid MFA registered, the pop-up will first show a list of the user’s registered MFA methods. The user will be able to choose their desired method, and the MFA method’s login page will be shown.

  • If the user has only one valid MFA method registered, then that MFA method’s login page will be directly shown.

  • If the user does not have any valid MFA method registered, then the user will be immediately logged in.
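The rules above reduce to one set intersection followed by a branch on its size. The example below is added here and is not Joget's own code; the plugin identifiers and the way system configuration and per-user registrations are represented (as sets of names) are assumptions made for illustration. It also encodes the statement that MFA applies only to local logins.

```python
from enum import Enum
from typing import List, Set, Tuple


class MfaScreen(Enum):
    NONE = "no MFA screen: the user is logged in immediately"
    DIRECT = "the single valid method's login page is shown directly"
    CHOOSER = "a list of valid methods is shown, then the chosen method's login page"


def valid_mfa_methods(configured_plugins: Set[str], user_registrations: Set[str]) -> List[str]:
    """A method is valid only when its plugin is installed and configured in the
    system AND the user has registered it. A registration whose plugin was never
    configured, or whose configuration was later removed, does not count."""
    return sorted(configured_plugins & user_registrations)


def mfa_step_after_password(login_via_idp: bool, configured_plugins: Set[str],
                            user_registrations: Set[str]) -> Tuple[MfaScreen, List[str]]:
    """Return which screen follows a successful password check, plus the methods offered."""
    if login_via_idp:
        # MFA applies only to local Joget account logins.
        return MfaScreen.NONE, []
    valid = valid_mfa_methods(configured_plugins, user_registrations)
    if not valid:
        return MfaScreen.NONE, []
    if len(valid) == 1:
        return MfaScreen.DIRECT, valid
    return MfaScreen.CHOOSER, valid


if __name__ == "__main__":
    # Constructed sample: plugin names are hypothetical.
    configured = {"totp", "email-otp"}
    scenarios = {
        "alice (two registered methods)": {"totp", "email-otp"},
        "bob (one registered method)": {"totp"},
        "carol (registered a plugin that is no longer configured)": {"sms-otp"},
        "dave (nothing registered)": set(),
    }
    for who, registered in scenarios.items():
        screen, methods = mfa_step_after_password(False, configured, registered)
        print(f"{who}: {screen.value}; methods offered: {methods}")
    print("IdP login:", mfa_step_after_password(True, configured, {"totp"})[0].value)
```

The third sample case is the one to watch operationally: when an MFA plugin's configuration is removed or the plugin is uninstalled, users who registered only that method fall into the "no valid MFA method" case and are logged in with the password alone. A defender reviewing plugin changes in the admin console should therefore check which users are left without any valid method before removing a configuration.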

Admin Console

Introduction

The admin console can be accessed by administrators of the system. It is located in:

Admin Bar > Settings > Directory Manager Settings.

The admin console allows management and configuration of the identity provider (IdP) and multi-factor authentication (MFA) plugins installed on the system. With the admin console, administrators can add, remove, and edit IdP and MFA plugin configurations; enable/disable IdP and MFA features system-wide; and configure a custom MFA list template that is displayed during login.

Managing Identity Provider and Multi-Factor Authentication Configurations

Adding a Plugin Configuration

  1. Make sure the identity provider or MFA plugin you wish to configure is installed in the system.

  2. Click on the + Add new Identity Provider or + Add new Multi Factor Authenticator button.

  3. Choose the plugin from the pop-up list.

    Some identity provider plugins are multi-instanced. This means that multiple configurations may co-exist and act as “separate plugins”. This is useful for plugins that implement a standard and can be configured for different providers (e.g. OpenID Connect).
  4. Configure the plugin accordingly.

  5. Click the Submit button.

  6. The pop-up closes, and the plugin is now configured and shown on the page.

Editing a Plugin Configuration

  1. Click the cogwheel icon for the plugin you want to configure.

Warning
If no cogwheel icon is shown, the plugin does not provide an editable configuration.

  2. A pop-up appears with the plugin’s configuration.

  3. Edit the desired fields.

  4. Click the Submit button.

  5. The pop-up closes, and the new configuration is saved.

Removing a Plugin Configuration

  1. Click on the Delete icon for the plugin you wish to remove.

  2. A confirmation dialog will appear to confirm your action.

  3. Clicking OK removes the configuration, and clicking Cancel retains the configuration.

  4. The page is updated with the configuration removed.

Enable/Disable Feature System-Wide

The Identity Provider and Multi-Factor Authentication features can be independently enabled or disabled system-wide. This lets system administrators control whether any user in the system can use the feature. To toggle the setting, follow the instructions below:

  1. Click the checkbox next to the title of each section.

  2. A confirmation dialog will appear to confirm your action.

  3. Clicking OK will toggle the feature, and clicking Cancel will not toggle the feature.

  4. The page updates to reflect the new setting.

Configuring Multi-Factor Authentication List Template (Advanced)

The UI of the list of MFA methods shown can be customised by supplying an Apache FreeMarker template.

The following variables can be accessed in the FreeMarker template:

  • pluginUrlMap (Map<MfaPlugin, String>) – Maps each MfaPlugin object to the URL of that MFA method’s page.

  • pageTitle (String) – The title of the page.

  • request (HttpServletRequest) – The request of the page.

To apply a template:

  1. Click the Configure List Template button in the Multi-Factor Authentication section.

  2. A pop-up will appear with a text box.

  3. Paste the Apache FreeMarker template in the text box.

  4. Click on the Submit button. The list template is now updated.

IdP and MFA Plugins

Created by Aadrian. Last modified by Debanraj on May 23, 2025.