
LG-14455: Improved messaging for PIV/CAC mismatch

Open aduth opened this issue 1 year ago • 0 comments

🎫 Ticket

LG-14455

🛠 Summary of changes

Implements a new workflow to help guide a user through adding a replacement PIV/CAC if they attempt to authenticate with a PIV/CAC that isn't the one associated with their account, such as when a user receives a new PIV/CAC card.

📜 Testing Plan

This is easiest to test using the simulated PIV/CAC service in local development, where you can create custom subject names for PIV/CAC to force a mismatch:

```yaml
# config/application.yml
identity_pki_disabled: true
```

Verify that the PIV/CAC mismatch replacement workflow is shown under expected circumstances:

  1. Have the sample application running in a separate process
  2. Go to http://localhost:3000
  3. Create an account with PIV/CAC as an authenticator. Optionally add another MFA, as this will affect the experience that follows
  4. From account dashboard, click "Forget all browsers" and confirm the prompt
  5. Sign out
  6. Go to http://localhost:9292. Optionally change "Authentication Assurance Level (AAL)" to "HSPD12 required", as this will affect the experience that follows
  7. Click "Sign in"
  8. Submit email and password for the account you just created
  9. When prompted to authenticate with PIV/CAC, submit with a subject different from the one you set up with
  10. Observe that you see a screen "This government employee ID is not connected to your account".
     - If you did not add any other MFAs to your account, observe that this only gives you the option to delete your account
     - Observe that you see an option to skip adding PIV/CAC, unless you chose "HSPD12 required" in the sample application
  11. Click primary action button
  12. If you chose to "Authenticate and add PIV/CAC", observe that you're brought to the MFA options page with all options listed, PIV/CAC disabled, and an alert banner indicating you'll add PIV after authenticating
  13. Authenticate with another MFA method
  14. Observe that you're brought to the PIV/CAC setup screen. You're given another option to skip adding PIV/CAC, unless you chose "HSPD12 required" in the sample application
  15. Set up the new PIV/CAC
  16. Observe that you're sent along to confirm consent to share information with partner application

👀 Screenshots

| Language | Mismatch Prompt | Mismatch Prompt (HSPD12) | Mismatch Prompt (No other options) | MFA Options | PIV/CAC Setup | PIV/CAC Setup (HSPD12) |
| --- | --- | --- | --- | --- | --- | --- |
| English | mismatch-prompt-en | mismatch-prompt-hspd12-en | mismatch-prompt-no-mfa-en | mismatch-mfa-en | mismatch-piv-setup-skippable-en | mismatch-piv-setup-hspd12-en |
| Spanish | mismatch-prompt-es | mismatch-prompt-hspd12-es | mismatch-prompt-no-mfa-es | mismatch-mfa-es | mismatch-piv-setup-skippable-es | mismatch-piv-setup-hspd12-es |
| French | mismatch-prompt-fr | mismatch-prompt-hspd12-fr | mismatch-prompt-no-mfa-fr | mismatch-mfa-fr | mismatch-piv-setup-skippable-fr | mismatch-piv-setup-hspd12-fr |
| Chinese | mismatch-prompt-zh | mismatch-prompt-hspd12-zh | mismatch-prompt-no-mfa-zh | mismatch-mfa-zh | mismatch-piv-setup-skippable-zh | mismatch-piv-setup-hspd12-zh |

aduth, Oct 21 '24 14:10
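The branching that the testing plan above walks through (delete-only when the card is the sole authenticator, a skip option unless the partner required HSPD12, PIV/CAC disabled on the MFA options page, and a second skip point on the setup screen) can be modelled as a small state machine. The following is an added example written for this page, not code from identity-idp; `Account`, `PivMismatchFlow`, every method name, and the sample subject strings are hypothetical, and subject comparison is a plain string equality rather than whatever the project actually matches on.

```ruby
# Added example (not identity-idp code). Models the decision points a user hits
# when the PIV/CAC subject presented at sign-in does not match the one on file.
# All names are hypothetical; the project's real models and matching differ.

Account = Struct.new(:piv_subject, :other_mfa_methods, keyword_init: true)

class PivMismatchFlow
  # One screen in the flow: what it is, which actions it offers, and which
  # authenticators are listed but disabled (nil when none).
  Step = Struct.new(:screen, :options, :disabled, keyword_init: true)

  # presented_subject: subject read from the card; the simulated PIV/CAC
  # service lets you type an arbitrary one to force a mismatch.
  # hspd12_required: true when the partner asked for AAL "HSPD12 required".
  def initialize(account:, presented_subject:, hspd12_required: false)
    @account = account
    @presented_subject = presented_subject
    @hspd12_required = hspd12_required
    @authenticated = false
  end

  def mismatch?
    @presented_subject != @account.piv_subject
  end

  # Screen shown right after the card is submitted.
  def prompt
    return Step.new(screen: :authenticated, options: []) unless mismatch?

    if @account.other_mfa_methods.empty?
      # Nothing else can prove control of the account, so only deletion is offered.
      Step.new(screen: :mismatch_prompt, options: [:delete_account])
    else
      opts = [:authenticate_and_add_piv]
      opts << :skip_adding_piv unless @hspd12_required
      Step.new(screen: :mismatch_prompt, options: opts)
    end
  end

  # "Authenticate and add PIV/CAC": every enrolled method is listed, with the
  # card that just failed to match shown but disabled.
  def choose_authenticate_and_add
    raise 'no other MFA on account' if @account.other_mfa_methods.empty?

    Step.new(screen: :mfa_options,
             options: @account.other_mfa_methods,
             disabled: [:piv_cac])
  end

  # Completing another factor lands on PIV/CAC setup, which is skippable
  # unless HSPD12 was required.
  def authenticate_with(method)
    raise "#{method} not enrolled" unless @account.other_mfa_methods.include?(method)

    @authenticated = true
    opts = [:setup_new_piv]
    opts << :skip_adding_piv unless @hspd12_required
    Step.new(screen: :piv_setup, options: opts)
  end

  # Enrolling the new card replaces the stored subject and moves on to consent.
  # Refuses to run before a second factor succeeded, so a mismatched card alone
  # can never overwrite the subject on file.
  def setup_new_piv(new_subject)
    raise 'must authenticate first' unless @authenticated

    @account.piv_subject = new_subject
    Step.new(screen: :consent, options: [])
  end
end
```

The guard in `setup_new_piv` is the property worth checking in any real implementation of this flow: the replacement card must only be written to the account after a factor the account already trusts has been completed, never on the strength of the mismatched card itself.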