
Question

2FA Okta Authentication (SAML) on Laserfiche Forms with LFDS Authentication using SSO or JWT

asked on June 10, 2021

Hi,

We currently have 2FA set up on our Laserfiche Forms using Okta, so the users are directed to the Okta site, which then authenticates with LFDS on the STS site we created. This all works perfectly fine without any issues.

My question is, we have a client-facing application we are using, and the clients log in with Okta on this application. This app is logged in on a phone or computer web browser and it does not require login until you physically log out or are inactive for more than a day or a few days, then it will log you out. The timeout specified on Forms is set to 24 hours as well.

In this client-facing application, we have quick links where we have created processes for the clients on Laserfiche Forms. If we log in with Okta on the client-facing app and within the next few minutes we click on the quick link which opens up a certain Laserfiche Forms process, then we don't have to log in with Okta again; it logs in automatically. If we do the same thing more than an hour later, the client-facing app does not require login, but when we click on the quick link to the Laserfiche Forms process we are required to log in.

Is there a way to pass the JWT or SSO token from the client-facing app, or is there something different happening here? I have seen many posts more or less regarding the setup, but nothing pointing me to the exact answer. This basically has to get the user details from the client-facing app and then go see if the user has an Okta account (it does not confirm the Okta session), then it logs in. Any documentation around this, or where/how to set it up on LFDS?

Any advice or assistance would be greatly appreciated.

0 0

Replies

replied on June 14, 2021

Hi Gert,

What's happening is that the SAML token is expiring, likely after 5 minutes. After these 5 minutes are up, LFDS is unable to use this token to create a Laserfiche session for a user. I don't think there is a workaround for this at this time, unless someone wants to chime in with something custom.

If you were to login to Laserfiche first, then try to log in to your other application after >5 minutes has elapsed, is that other application still able to log in without entering credentials into Okta again? I'd assume the problem would be symmetrical.

1 0
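To make the expiry behaviour described in this reply concrete, here is an added example (not code from the original post, from Laserfiche or from Okta) that checks a SAML 2.0 assertion's validity window the way a service provider such as LFDS must before creating a session. The assertion XML, issuer, audience and recipient URLs are constructed placeholders; the five-minute window matches the lifetime suggested above, and the clock-skew allowance is an assumption.

```python
"""Validate the time window and audience of a SAML 2.0 assertion.

Added example, not from the original post or from Laserfiche/Okta. The
assertion below is constructed for illustration: all identifiers and URLs
are placeholders, and the five-minute validity window mirrors the lifetime
suggested in the reply above.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: valid from 12:00:00Z to 12:05:00Z.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_placeholder-id"
    Version="2.0" IssueInstant="2021-06-10T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid/placeholder</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.invalid</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2021-06-10T12:05:00Z"
          Recipient="https://sts.example.invalid/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-06-10T12:00:00Z"
      NotOnOrAfter="2021-06-10T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sts.example.invalid</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ("...Z", optionally with fractional seconds)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_assertion_window(xml_text, now, expected_audience, skew_seconds=60):
    """Return (ok, reason).

    Rejects the assertion when `now` lies outside the Conditions window
    (allowing `skew_seconds` of clock skew, an assumed value), when the
    bearer SubjectConfirmationData has expired, or when the assertion was
    issued for a different audience.
    """
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=skew_seconds)

    not_before = conditions.get("NotBefore")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, f"assertion not yet valid (NotBefore={not_before})"

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, f"assertion expired (NotOnOrAfter={not_on_or_after})"

    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        return False, f"audience mismatch: {audiences}"

    # Bearer confirmation data carries its own expiry, normally the same value.
    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("NotOnOrAfter"):
        if now - skew >= parse_saml_time(scd.get("NotOnOrAfter")):
            return False, "SubjectConfirmationData expired"
    return True, "valid"


if __name__ == "__main__":
    audience = "https://sts.example.invalid"
    for when in ("2021-06-10T12:02:00Z", "2021-06-10T13:00:00Z"):
        ok, reason = check_assertion_window(
            SAMPLE_ASSERTION, parse_saml_time(when), audience)
        print(f"{when}: {'accepted' if ok else 'rejected'} ({reason})")
```

Run with `now` two minutes after issuance and the assertion is accepted; run it an hour later and it is rejected as expired, which is the symptom described in the thread: the client-facing app still holds its own session, but the assertion it relays is no longer within its window, so the service provider must redirect to the IdP for a fresh one.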
replied on June 14, 2021

As a follow-up, here is what I believe to be the relevant Okta documentation on setting the Okta session durations: 

  1. Enforce a limited session lifetime for all policies
    1. Note that the default Okta session lifetime is two hours, so it sounds like your organization's might be set particularly aggressively at five minutes. I'd check with your IT security folks about why this might be.
  2. Configure an Okta sign-on policy
1 0
replied on June 14, 2021

Hi Chase, 

Once you have logged into Forms via the Okta auth, then you are able to log in to the client-facing app without any issue. The other app seems like it auths with Okta, but the timeout is really long. This is day 3 that I can just open up the client-facing app without having to log in again to Okta, but then clicking on the Laserfiche Forms quick link, I have to log in with Okta again. Our IT team has developed another link for reporting; this app also requires Okta auth when logging in, but instead, they have done custom dev so when you click on the link, it fetches the user details from our client-facing app (Moxtra) and then it checks if there is an Okta user (does not check active session) and it auto-authenticates. I guess this functionality is not yet available on Laserfiche Forms.

Hi @Samuel,

Thank you for the documentation, this is great and I think this could help for sure. I will pass this on to our IT team so they can see what can be done!

0 0