Today we have an SSO connection with Auth0 and our own AD. Given security requirements I would like to get failed login logs back to Auth0 instead of perhaps creating a connection between each AD (we could potentially have one per customer) and a log tool such as Splunk.
Is this possible? We do get positive login information in Auth0 today.
You should be getting a “Failed login” entry in the Auth0 logs for wrong username/password attempts (at least in scenarios where Auth0 is the one asking for the credentials). Are you not seeing those?
As for:
creating a connection between each AD (we could potentially have one per customer)
Be aware that the AD/LDAP Connector is designed for scenarios where your company controls the AD/LDAP server. The connector should not be installed on your customer’s servers. For B2B scenarios where you want to allow your customer’s users to access your applications using their enterprise credentials, you should be connecting to your customer’s federation service (like their own Auth0 service, ADFS or any SAML identity provider) using one of the other available enterprise connections.
Installing an AD/LDAP connector on your customer’s premises connected directly to your Auth0 domain means that you are handling the passwords of your customer’s users directly. We don’t support these types of deployments and recommend strongly against them.
(I just sent a PR to our AD/LDAP Connector docs to add this exact warning).
Currently we don't get any failed login information back to Auth0 from our internal AD. I'm wondering if this is related to any configuration issues in either Auth0 or the AD/LDAP connector?
We do NOT want to manage any passwords or any other personal information connected to our customers, just an entry that a user has failed to log in. This of course works if I log in via Auth0 to our application directly, where the application has the access management.
For our customers we’re looking into a SAML integration or something similar.
Would you be able to provide a .HAR file of a user attempting to log in with the wrong credentials?
The .HAR file will contain your auth0 domain, the client ID, the connection name and the (fake) user credentials. None of that information is particularly secret but if you prefer to send them over a DM instead of attaching here that’s OK.
For customers, if you use federation protocols (as recommended) you won't get information about failed logins. Federation protocols only respond after a successful authentication, and any failed attempt logging is the responsibility of the identity provider used.
An update on this thread: there was some confusion about the setup. All my responses above refer to AD Connections, where the user directory is an on-premises Active Directory or other LDAP server. Auth0 uses the AD/LDAP connector to connect to these servers, which are normally not exposed to the internet. As I said before, this setup is only recommended when the AD server is controlled/owned by the same company that controls the Auth0 domain.
As with any other federated authentication protocol, Auth0 gets absolutely no record of invalid credential attempts or any other kind of attack done directly at the external identity provider. Auth0 only gets a response after the authentication succeeds, or an error response if something is wrong in the configuration.
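As an added example (not from this thread and not Auth0's own code), here is a small Python script that shows the practical consequence of the two points made above: for an AD/LDAP or database connection, "Failed login" events do reach the Auth0 tenant log, while for a federated connection (SAML, ADFS, Azure AD, OIDC) a zero failure count only means the failures are invisible to Auth0, not that none happened. The log event shape (fields `type`, `connection`, `strategy`, `user_name`, `ip`) and the type codes `s`, `f`, `fp`, `fu` are assumed to follow Auth0's documented log event schema; the strategy names in `FEDERATED_STRATEGIES` are likewise assumptions. The events are constructed sample data, not real tenant logs; in practice you would feed it what the tenant logs endpoint or a log stream returns.

```python
from collections import defaultdict

# Auth0 log event type codes for the outcomes discussed in the thread
# (assumed from the documented log event type list).
SUCCESS_TYPES = {"s"}             # Success Login
FAILED_TYPES = {"f", "fp", "fu"}  # Failed Login / wrong password / unknown user

# Strategies where credentials are verified by an external IdP. Auth0 only
# sees the response after success (or a configuration error), so failures
# at these connections never appear in the tenant log. Names are assumed.
FEDERATED_STRATEGIES = {"samlp", "adfs", "waad", "oidc"}

# Constructed sample events shaped like Auth0 log entries (field names assumed).
SAMPLE_EVENTS = [
    {"type": "s",  "connection": "corp-ad", "strategy": "ad", "user_name": "alice", "ip": "10.0.0.5"},
    {"type": "fp", "connection": "corp-ad", "strategy": "ad", "user_name": "alice", "ip": "10.0.0.5"},
    {"type": "fp", "connection": "corp-ad", "strategy": "ad", "user_name": "alice", "ip": "10.0.0.5"},
    {"type": "fu", "connection": "corp-ad", "strategy": "ad", "user_name": "nobody", "ip": "203.0.113.9"},
    {"type": "s",  "connection": "customer-saml", "strategy": "samlp",
     "user_name": "bob@customer.example", "ip": "198.51.100.4"},
    {"type": "s",  "connection": "Username-Password-Authentication", "strategy": "auth0",
     "user_name": "carol", "ip": "10.0.0.7"},
    {"type": "f",  "connection": "Username-Password-Authentication", "strategy": "auth0",
     "user_name": "carol", "ip": "10.0.0.7"},
]


def summarize(events):
    """Count successful and failed logins per connection, remembering its strategy."""
    counts = defaultdict(lambda: {"strategy": None, "success": 0, "failed": 0})
    for ev in events:
        rec = counts[ev["connection"]]
        rec["strategy"] = ev.get("strategy")
        if ev["type"] in SUCCESS_TYPES:
            rec["success"] += 1
        elif ev["type"] in FAILED_TYPES:
            rec["failed"] += 1
    return dict(counts)


def blind_spots(summary):
    """Connections whose failed attempts can only be seen at the external IdP."""
    return sorted(c for c, r in summary.items() if r["strategy"] in FEDERATED_STRATEGIES)


def repeated_failures(events, threshold=2):
    """(connection, user_name) pairs with at least `threshold` failed attempts.

    This is the kind of entry the original poster wants forwarded to a SIEM;
    it can only ever be produced for non-federated connections.
    """
    per_user = defaultdict(int)
    for ev in events:
        if ev["type"] in FAILED_TYPES:
            per_user[(ev["connection"], ev["user_name"])] += 1
    return sorted(k for k, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for conn, rec in summary.items():
        print(f"{conn}: strategy={rec['strategy']} success={rec['success']} failed={rec['failed']}")
    print("failures only visible at the IdP:", blind_spots(summary))
    print("repeated failures:", repeated_failures(SAMPLE_EVENTS))
```

Running it lists three failures for the `corp-ad` connection and flags `customer-saml` as a blind spot: its single success event is all Auth0 will ever receive, so brute-force monitoring for that customer has to be done from the customer's own IdP logs.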