Description
When there is an authentication requirement such that authentication is successful with just a passkey, but if not, ID/password and OTP are required, the following authentication chain can be considered:
- WebAuthn (Authenticate) - sufficient
- LDAP - requisite
- ForgeRock Authenticator (OATH) - required
In this authentication chain, the username is first entered in WebAuthn. If a passkey is not registered, the username must also be entered in LDAP.
This is very inconvenient. Therefore, it is necessary to change the process so that the username entered in WebAuthn is carried over to LDAP.
Solution
For ID/password authentication such as LDAP, DataStore, or Active Directory, if the username is included in the Shared State, modify the process to prompt only for the password.
Description
When there is an authentication requirement such that authentication is successful with just a passkey, but if not, ID/password and OTP are required, the following authentication chain can be considered:
In this authentication chain, the username is first entered in
WebAuthn. If a passkey is not registered, the username must also be entered inLDAP.This is very inconvenient. Therefore, it is necessary to change the process so that the username entered in
WebAuthnis carried over toLDAP.Solution
For ID/password authentication such as
LDAP,DataStore, orActive Directory, if the username is included in theShared State, modify the process to prompt only for the password.