By Yasin

Recently, the folks at Asgardeo released a new feature called the Asgardeo Try it application for quickly testing various login flows. The best part is that you don't even need a functional application to get started with Asgardeo. How crazy is that, huh?

Alright, now let's get into it.

Getting Started

When you first log in to the Console application using your tenant admin credentials, it presents you with the following landing page.

Once the Try it application has been created, it immediately redirects you to it. But for now, you can close that tab and head back to the Asgardeo Console.

Configuring First-Factor Auth

In every application, you'd have either email/password, social, or entirely password-less authentication. Lucky for us, Asgardeo has all these options baked in, so we can try them instantly. I'll configure some social connections along with email & password and biometric authentication. You can refer to the video below for adding first-factor authentication to the Try it application flow.

Connections Configuration

I already have Google & GitHub connections configured, and they are available for me to add to this application. If you don't see them, refer to the official Asgardeo documentation on configuring social connectors, or to my previous article about Asgardeo JIT user provisioning for a quick tutorial.

Add a User

Also, note that I have created a Customer user in my default user store. You can easily do this by navigating to Manage > Users and clicking the + Add User button, or refer to the official Asgardeo documentation on how to add users.

Okay, now that we have the first-factor authenticators, it is time for us to Try it! We can instantly try this out by clicking the "Try Login" button.

Alright, You've got me!

I'm not trying out biometric authentication yet, because a user first has to register a device through the self-care portal before they can authenticate with it. On the other hand, I do want to expand a bit on Asgardeo's Security Key / Biometrics authenticator in this article.

Also, if you're on an Apple chip, there's a hint on making it work with Asgardeo in a password-less fashion using an iPhone & Xcode, written by Thamindu. Regardless, Asgardeo will seamlessly work with any functional FIDO2-compliant device.

Security Key and Biometrics 101

Asgardeo lets you configure FIDO2-compliant devices to enable password-less authentication for your users. In the figure above, we configured it as a first-factor option; you can see that we can easily attach FIDO authentication to the first step of the authentication sequence.

So here's how we configure a device as a first-factor biometric authenticator (I don't have a proper FIDO2 key, but my machine can act as a biometric authenticator).

The following illustration shows the initial flow users go through to register their devices for authentication using Asgardeo's My Account self-care portal.

Asgardeo docs also mention that we can configure FIDO2 password-less login for our application using two primary methods:

  • Security key/Biometrics: An application user uses a FIDO2-supported authenticator to log in without entering a username or a password.

  • Identifier first + Security key/Biometrics: An application user enters a username first. Asgardeo verifies the identity from the username and prompts the user to use a FIDO2-supported authenticator to log in.

Configure Second-Factor Auth

Asgardeo allows us to add second-factor authenticators such as TOTP and Email OTP to the Try it application's authentication flow.

How convenient!

Guess what? It doesn't require any additional configuration to test. We can jump straight into the playground.

Hmm, Something is Odd

We have configured second-factor authenticators, but we haven't considered the user experience of these sign-in options. When we configure multiple login options (e.g., email/password alongside social connectors), it is common practice to skip the local second factor when a user authenticates through a federated connection. Here's why:

When you log in through the Google or GitHub connection, the provider usually performs its own verification, such as a one-tap prompt on your phone or an OTP code, to confirm that it really is you. Assume you completed one of those.

If everything goes as expected, the flow has already been validated by Google. So it doesn't make sense for Asgardeo to initiate another 2FA/MFA verification on top of a Google sign-in; doing so leads to a poor user experience. Keep in mind that this is a trust decision: Asgardeo has no proof that the federated provider actually enforced a second factor for this particular session, so only skip it for connections whose MFA policy you trust, and keep the second factor for any connection or authenticator you have not explicitly considered. So, how can we fix this without making those mistakes in production?

Well, lucky you, Asgardeo has thought about this already!

Adaptive Authentication to the Rescue

In Asgardeo, every application has its own adaptive authentication script to manage its authentication flow. This script lets you enforce adaptive MFA in the login flow of your application. For example, you can control authentication based on group, sign-in option, new device, IP address, or the result of an API call.

We are particularly interested in the sign-in-option based script, where we can conditionally skip 2FA for Google and GitHub. The great thing about Asgardeo is that you can test it directly within the Try it application: it mimics exactly what a user would go through, so you can push the same script to production with confidence.
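As an added example (mine, not the snippet from the original post nor the Asgardeo docs template), here is a sign-in-option based script that skips step 2 for the Google and GitHub connections and for the FIDO authenticator, while defaulting to prompting the second factor for anything it does not recognise. The connection names 'Google' and 'GitHub' and the authenticator name 'FIDOAuthenticator' are assumptions; check them against the names shown in your console. Everything below the "simulation harness" marker is a small stand-in for Asgardeo's executeStep() so the decision logic can be run in Node; paste only the part above that marker into the Conditional Authentication editor.

```javascript
// ===== Part 1: adaptive authentication script (paste this part into Asgardeo) =====
// Assumptions: the social connections are named 'Google' and 'GitHub' in the console,
// and the Security Key / Biometrics option reports idp 'LOCAL' with authenticator
// 'FIDOAuthenticator'. Adjust these to match your tenant.
var trustedFederatedConnections = ['Google', 'GitHub'];
var passwordlessLocalAuthenticators = ['FIDOAuthenticator'];

// Decides whether step 2 (TOTP / Email OTP) must run after a successful step 1.
// Fails closed: any sign-in option not explicitly listed still gets the second factor.
function isSecondFactorRequired(step) {
    if (!step) {
        return true;
    }
    // step.idp is 'LOCAL' for local authenticators, otherwise the connection name.
    if (trustedFederatedConnections.indexOf(step.idp) > -1) {
        return false;
    }
    if (step.idp === 'LOCAL' &&
        passwordlessLocalAuthenticators.indexOf(step.authenticator) > -1) {
        return false;
    }
    return true;
}

var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            var step = context.steps[1];
            if (isSecondFactorRequired(step)) {
                executeStep(2);
            }
        }
    });
};

// ===== Part 2: simulation harness (NOT part of the script you paste) =====
// Stand-in for Asgardeo's runtime: records which steps ran and reports step 1 as
// successful with whatever sign-in option the simulated context carries.
var executedSteps = [];
var currentContext = null;

function executeStep(stepId, options) {
    executedSteps.push(stepId);
    if (options && typeof options.onSuccess === 'function') {
        options.onSuccess(currentContext);
    }
}

// Runs the script against a constructed context in which step 1 succeeded with the
// given idp/authenticator, and returns the list of steps that were executed.
function simulateLogin(idp, authenticator) {
    executedSteps = [];
    currentContext = { steps: { 1: { idp: idp, authenticator: authenticator } } };
    onLoginRequest(currentContext);
    return executedSteps.slice();
}

// Constructed sample runs:
console.log('password  ->', simulateLogin('LOCAL', 'BasicAuthenticator'));   // [1, 2]
console.log('Google    ->', simulateLogin('Google', 'GoogleOIDCAuthenticator')); // [1]
console.log('FIDO      ->', simulateLogin('LOCAL', 'FIDOAuthenticator'));    // [1]
console.log('unknown   ->', simulateLogin('Facebook', 'FacebookAuthenticator')); // [1, 2]
```

The fail-closed default in isSecondFactorRequired is the part worth keeping when you adapt this: a new connection added later in the console will still be prompted for TOTP or Email OTP until you deliberately add it to the trusted list.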

Just turn on the Conditional Authentication switch and paste the script into the editor, as shown below:

Adaptive authentication script location

Once you update the script, you can verify that Asgardeo skips TOTP and Email OTP for FIDO and the social connectors.

Now that we have covered the customisation of sign-in methods in the Try it application, we are only left with User Attributes and Advanced Configurations to cover.

Other Settings

User Attributes

The user attributes are pre-configured for the Try it application, since it is a static application that only aims to test login flows. However, we can enable and configure additional user claims/attributes once we integrate our actual application with Asgardeo.

Advanced Configurations

Asgardeo also lets you control and test the user consent screen rendered during the sign-in and sign-out flows of an application. Refer to the official Asgardeo documentation on user consent management for more information. The best part is that you can do this in the Try it application as well.

Well, now you know how to try out Asgardeo without an application. Asgardeo makes testing and experimenting with complex authentication flows effortless.

Thanks a bunch for reading!
