Passwordless Authentication
After the one-time enrollment, the user will no longer be prompted for a password. Instead, they will authenticate with Secfense IdP using a passkey. However, Secfense IdP will continue to use the on-premise Secfense Broker to query the LDAP server for verification of user security groups and access rights.
The authentication flow and user experience are as follows:
1. The user initiates authentication in a SAML-enabled service (the service provider).
2. The service redirects the user's browser to Secfense IdP, where they authenticate using their previously created passkey.
3. Secfense IdP, through the on-premise Secfense Broker, checks with the IAM system (LDAP) to verify that the user still exists in the directory and belongs to the appropriate security groups.
4. If everything is verified, the IdP sends a SAML response to the service, and the user is signed in.
Note: No password is involved at any point in this flow. Even if the user's LDAP password were changed, they would still be able to authenticate with Secfense IdP using their passkey. Access is still governed by the directory, though: if the account is removed from LDAP or from the required security groups, the check in step 3 fails and the IdP does not issue a SAML response.
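The following is an added example (not Secfense's code) that models the IdP-side decision in step 3 and the behaviour described in the note: it runs after the passkey assertion has already been verified, never consults the password, and denies the user when the directory no longer vouches for them. The Broker's LDAP query is stood in for by a constructed in-memory snapshot; the attribute names `memberOf` and `userAccountControl` follow Active Directory conventions and are an assumption about the deployment, and all DNs and usernames are sample data.

```python
"""IdP-side authorization check after a successful passkey assertion.

Added example for this page, not Secfense's code. The on-premise Broker's
LDAP query is stood in for by a constructed in-memory directory snapshot;
the attribute names (memberOf, userAccountControl) follow Active Directory
conventions and are an assumption about the deployment.
"""
from dataclasses import dataclass
from typing import Optional

# Active Directory userAccountControl bits (real constants).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200


@dataclass
class DirectoryEntry:
    """One LDAP user object as the Broker would return it."""
    dn: str
    member_of: set
    user_account_control: int = UAC_NORMAL_ACCOUNT
    # Kept only to show that the password is never consulted in this flow.
    password_hash: str = ""


def make_directory() -> dict:
    """Constructed snapshot standing in for the LDAP server (sample data)."""
    return {
        "alice": DirectoryEntry(
            dn="CN=Alice,OU=Staff,DC=example,DC=com",
            member_of={"CN=VPN-Users,OU=Groups,DC=example,DC=com",
                       "CN=Finance,OU=Groups,DC=example,DC=com"},
            password_hash="placeholder-hash-1",
        ),
        "bob": DirectoryEntry(
            dn="CN=Bob,OU=Staff,DC=example,DC=com",
            member_of={"CN=Marketing,OU=Groups,DC=example,DC=com"},
        ),
        "carol": DirectoryEntry(
            dn="CN=Carol,OU=Staff,DC=example,DC=com",
            member_of={"CN=VPN-Users,OU=Groups,DC=example,DC=com"},
            user_account_control=UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,
        ),
    }


def _norm(dn: str) -> str:
    # Distinguished names are case-insensitive; normalise before comparing.
    return dn.strip().lower()


def broker_lookup(directory: dict, username: str) -> Optional[DirectoryEntry]:
    """Stand-in for the Broker's LDAP search by account name (hypothetical)."""
    return directory.get(username.lower())


def authorize(directory: dict, username: str, required_groups: set) -> tuple:
    """Step 3 of the flow. Called only after the passkey assertion has been
    verified (that verification is out of scope here). Returns (allowed, reason).
    Nothing here reads the password attribute."""
    entry = broker_lookup(directory, username)
    if entry is None:
        return False, "user-not-found"
    if entry.user_account_control & UAC_ACCOUNTDISABLE:
        return False, "account-disabled"
    have = {_norm(g) for g in entry.member_of}
    want = {_norm(g) for g in required_groups}
    if not want & have:
        return False, "not-in-required-group"
    return True, "ok"


def scenarios() -> dict:
    """Run the cases the note above describes and return the verdicts."""
    vpn = {"CN=VPN-Users,OU=Groups,DC=example,DC=com"}
    d = make_directory()
    out = {}
    out["alice-baseline"] = authorize(d, "alice", vpn)
    # Password rotated in LDAP: the passkey flow never reads it, still allowed.
    d["alice"].password_hash = "placeholder-hash-2"
    out["alice-after-password-change"] = authorize(d, "alice", vpn)
    # Removed from the group: access is revoked at the next authentication.
    d["alice"].member_of.discard("CN=VPN-Users,OU=Groups,DC=example,DC=com")
    out["alice-removed-from-group"] = authorize(d, "alice", vpn)
    out["bob-wrong-group"] = authorize(d, "bob", vpn)
    out["carol-disabled"] = authorize(d, "carol", vpn)
    del d["carol"]  # account deleted from the directory
    out["carol-deleted"] = authorize(d, "carol", vpn)
    return out


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:30} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The point of the `scenarios()` run is the contrast: rotating the password changes nothing, while deleting, disabling, or de-grouping the account denies the next login, which is why the per-authentication directory check in step 3 matters for revocation in a passwordless deployment.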