Han

The general approach to this kind of complex sign-on scenario would be to use an external authentication service/protocol, e.g. OAuth2/OpenID Connect, which handles the multi-factor authentication, and then configure your application's authentication layer to just validate the JSON Web Tokens (JWTs) that assert a user's identity.

Shiro out of the box does not have OAuth2 integration. This tutorial post - https://dzone.com/articles/how-to-use-apache-shiro-and-oauth-20-to-build-a-se - looks like a possible approach and refers to https://github.com/oktadeveloper/okta-shiro-plugin as a plugin to provide this capability.

So my recommendation would be to provide your own separate OAuth2-compliant authentication server (try JBoss Keycloak if you're looking for an OSS solution) and then add validation of its tokens into your Fuseki setup.

Rob

On 12/04/2021, 14:26, "Kruiger, J.F. (Han)" <han.krui...@tno.nl.INVALID> wrote:

Hi there,

I'm looking for a solution to have multifactor authentication (MFA) in Fuseki. I'm pretty sure this lies outside of the scope of Apache Jena, but perhaps Fuseki's UI should be able to be compatible with it at some point in the future.

I have found a potential solution to get multifactor authentication to work in Shiro: http://shiro-user.582556.n2.nabble.com/MFA-Possible-Solution-td7581444.html

TLDR; they use 2 Shiro realms, and a login can only succeed if both realms allow it. However, if we were to keep using Fuseki's UI, this will break, since it only asks for a username and password.

Is there a (not too hacky) way to customize Fuseki's UI so that it can ask the user for more authentication details? And perhaps to add pages for user registration with one-time passwords to set up the MFA.

What are your thoughts on this? Any suggestion is welcome.

Best,
Han