
Passwordless Authentication

After the one-time enrollment, the user will no longer be prompted for a password. Instead, they will authenticate with Secfense IdP using a passkey. However, Secfense IdP will continue to use the on-premise Secfense Broker to query the LDAP server for verification of user security groups and access rights.

The authentication flow and user experience are as follows:

  1. The user initiates authentication in a SAML-enabled service.
  2. The service redirects the user to a browser, where they authenticate with Secfense IdP using their previously created passkey.
  3. Secfense IdP checks with the on-premise IAM system to verify that the user still exists in the database and belongs to the appropriate security groups.
  4. If everything is verified, the IdP sends a SAML response, allowing the user to authenticate.

[Figure: SAML authentication flow]

Note: No password is involved at any point in this flow. Even if the user’s LDAP password were changed, they would still be able to authenticate with Secfense IdP using their passkey.
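A model of steps 2 to 4 and of the note above, added here as an illustration and not code from Secfense: once the passkey assertion has been verified, the IdP re-checks the account against the directory before any SAML attributes are issued, and rotating the LDAP password changes nothing while removing the user or the group membership denies access. The in-memory directory, the group DN, the escaping helper and all function names are constructed assumptions, not the Secfense Broker API.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class DirectoryEntry:
    """Minimal LDAP-like record (constructed). The password hash is kept only
    to show that it plays no part in a passkey login."""
    dn: str
    groups: set[str] = field(default_factory=set)
    disabled: bool = False
    password_hash: str = "initial-hash"

# Constructed stand-in for the LDAP directory the broker queries.
GROUP_VPN = "cn=vpn-users,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "alice": DirectoryEntry("uid=alice,ou=people,dc=example,dc=com", {GROUP_VPN}),
    "bob": DirectoryEntry("uid=bob,ou=people,dc=example,dc=com",
                          {"cn=staff,ou=groups,dc=example,dc=com"}),
    "carol": DirectoryEntry("uid=carol,ou=people,dc=example,dc=com", {GROUP_VPN},
                            disabled=True),
}

def ldap_filter(user_id: str) -> str:
    """Build the (uid=...) search filter a broker would send, escaping the
    identifier per RFC 4515 so it cannot change the filter's structure."""
    escaped = "".join(
        "\\%02x" % ord(c) if c in "*()\\\x00" else c for c in user_id)
    return f"(uid={escaped})"

def authorize_passkey_login(user_id: str, passkey_verified: bool,
                            required_group: str, directory=DIRECTORY):
    """Step 2 (passkey) authenticates; step 3 (directory check) authorizes.
    Returns (allowed, reason); both steps must pass."""
    if not passkey_verified:
        return False, "passkey assertion failed"
    entry = directory.get(user_id)
    if entry is None:
        return False, "user no longer exists in directory"
    if entry.disabled:
        return False, "account disabled"
    if required_group not in entry.groups:
        return False, "not a member of required group"
    return True, "ok"

def saml_attributes(user_id: str, required_group: str, directory=DIRECTORY):
    """Attributes placed in the SAML response (step 4) after step 3 passes;
    None means no response is issued to the service."""
    allowed, _ = authorize_passkey_login(user_id, True, required_group, directory)
    if not allowed:
        return None
    entry = directory[user_id]
    return {"NameID": user_id, "dn": entry.dn, "groups": sorted(entry.groups)}
```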