LG-14455: Improved messaging for PIV/CAC mismatch #11368

Merged
aduth merged 2 commits into main from aduth-lg-14455-piv-mismatch
Oct 24, 2024

aduth commented Oct 21, 2024

🎫 Ticket

LG-14455

🛠 Summary of changes

Implements a new workflow to help guide a user to adding a replacement PIV/CAC if they attempt to authenticate with a PIV which isn't the one associated with their account, such as if a user receives a new PIV/CAC card.

📜 Testing Plan

This is easiest to test using the simulated PIV/CAC service in local development, where you can create custom subject names for PIV/CAC to force a mismatch:

# config/application.yml
identity_pki_disabled: true

Verify that the PIV/CAC mismatch replacement workflow is shown under expected circumstances:

  1. Have sample application running in a separate process
  2. Go to http://localhost:3000
  3. Create an account with PIV/CAC as an authenticator. Optionally add another MFA, as this will affect the experience that follows
  4. From account dashboard, click "Forget all browsers" and confirm the prompt
  5. Sign out
  6. Go to http://localhost:9292. Optionally change "Authentication Assurance Level (AAL)" to "HSPD12 required", as this will affect the experience that follows
  7. Click "Sign in"
  8. Submit email and password for the account you just created
  9. When prompted to authenticate with PIV/CAC, submit with a subject different from what you set up with
  10. Observe that you see a screen "This government employee ID is not connected to your account".
    1. If you did not add any other MFAs to your account, observe that this only gives you the option to delete your account
    2. Observe that you see an option to skip adding PIV/CAC, unless you chose "HSPD12 required" in sample application
  11. Click primary action button
  12. If you chose to "Authenticate and add PIV/CAC", observe that you're brought to the MFA options page with all options listed, PIV/CAC disabled, and an alert banner indicating you'll add PIV after authenticating
  13. Authenticate with another MFA method
  14. Observe that you're brought to the PIV/CAC setup screen. You're given another option to skip adding PIV/CAC, unless you chose "HSPD12 required" in sample application
  15. Set up new PIV/CAC
  16. Observe that you're sent along to confirm consent to share information with partner application

👀 Screenshots

| Language | Mismatch Prompt | Mismatch Prompt (HSPD12) | Mismatch Prompt (No other options) | MFA Options | PIV/CAC Setup | PIV/CAC Setup (HSPD12) |
| --- | --- | --- | --- | --- | --- | --- |
| English | mismatch-prompt-een | mismatch-prompt-hspd12-en | mismatch-prompt-no-mfa-en | mismatch-mfa-en | mismatch-piv-setup-skippable-en | mismatch-piv-setup-hspd12-en |
| Spanish | mismatch-prompt-es | mismatch-prompt-hspd12-es | mismatch-prompt-no-mfa-es | mismatch-mfa-es | mismatch-piv-setup-skippable-es | mismatch-piv-setup-hspd12-es |
| French | mismatch-prompt-fr | mismatch-prompt-hspd12-fr | mismatch-prompt-no-mfa-fr | mismatch-mfa-fr | mismatch-piv-setup-skippable-fr | mismatch-piv-setup-hspd12-fr |
| Chinese | mismatch-prompt-zh | mismatch-prompt-hspd12-zh | mismatch-prompt-no-mfa-zh | mismatch-mfa-zh | mismatch-piv-setup-skippable-zh | mismatch-piv-setup-hspd12-zh |

jmdembe left a comment

👍🏾

kevinsmaster5 left a comment

Looks good and behaves as expected in local test.

aduth force-pushed the aduth-lg-14455-piv-mismatch branch 3 times, most recently from 59452ac to 8249ad2, October 23, 2024 14:06
aduth added 2 commits October 24, 2024 08:08
changelog: User-Facing Improvements, PIV/CAC, Add PIV/CAC replacement workflow for mismatched PIV authentication
These behaviors now described in piv_cac_sign_in_spec.rb
aduth force-pushed the aduth-lg-14455-piv-mismatch branch from 8249ad2 to 6de1d3b, October 24, 2024 12:09
aduth merged commit fccc098 into main Oct 24, 2024
aduth deleted the aduth-lg-14455-piv-mismatch branch October 24, 2024 12:43