Common parameters and context

Common parameters

Common parameters are the parameters shared by all protocol-agnostic authenticators:

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| setSSOParameters | Whether or not SSO parameters should be set upon successful execution of the authenticator | false | No |
| localizationKey | The localization key that the authenticator should use. This is used to control texts and icons in the authenticator. | N/A | Yes |
| localizationArguments | A JSON object of arguments used together with the localizationKey to present correct texts in the application. Expandable with scope request, item (if part of a sequence), and session. Example value: { "email" : "{{item.email}}", "otherparameter": "somevalue" } | N/A | No |
| prePipeId | ID of an optional pre-authenticator pipe. It is run before the authenticator is executed, and its resulting item is available inside the normal authenticator pipe. | N/A | No |
| alwaysRunPrePipe | Whether or not a pre-authenticator pipe should be run on each incoming request, or just when the authenticator state is initialized. | false | No |
| defaultPipeErrorCode | The default error code to use when a pipe fails in the authenticator. | generalError | No |
| defaultPrePipeErrorCode | The default error code to use when a pre-authenticator pipe fails. | generalError | No |
| metaAttributesToSet | The meta attributes to set for the current SSO Group. On subsequent logins these attributes may be used to direct authentication flows. Attributes are expandable with the scope of the resulting item, see example below. | N/A | No |

Meta attributes

When an authenticator executes successfully and metaAttributesToSet is not empty, the meta attributes are stored in the current SSO Group and become available from the Context API. This means you may use them in AgnosticDispatcher to direct the authentication flow, or access them via the request context parameters as listed below.

Meta attributes are useful when you use multiple authentication flows and know, for example, that the user has a valid SSO state for one of the flows. They are particularly useful when you authenticate at different levels of assurance (LoA).

Example configuration of meta attributes

In this example configuration, two meta attributes are set: one for the LoA, and one that keeps the user ID of the authenticated user. These attributes do nothing on their own, but are available if the administrator wants to customize their SSO flows further.

{
  "id" : "effaaf1b-0045-46b8-ba6c-a42536c1d1ff",
  "alias" : "uidpwd",
  "name" : "DynamicAuthenticator",
  "configuration" : {
    "localizationKey" : "usernamePassword",
    "defaultPipeErrorCode" : "incorrectUsernameOrPassword",
    "userIdentifierAttribute" : "uid",
    "pipeID" : "55f55b8e-33b8-4fd1-bad0-5731fc98c08c",
    "inputElements" : [ {
      "name" : "username"
    }, {
      "name" : "password"
    } ],
    "setSSOParameters" : "true",
    "metaAttributesToSet" : {
      "loa" : "1",
      "username" : "{{item.uid}}"
    }
  },
  "created" : "2024-10-29T08:32:24.437Z",
  "modified" : "2024-11-26T08:15:38.232Z"
}

Pre-authenticator pipes

A pipe can optionally be run before an authenticator starts executing, and its result used in the subsequent pipe in the authenticator. This is useful, for example, in OTP flows, where you want one pipe to generate an OTP and another to validate it. It is also useful if you need to run a pipe to set up for a dispatch flow.

Accessing the current authentication context

Before each authenticator's main pipe (and the SAML IdP's default assertion pipe) is run, some context parameters are added to the request. This context consists of key parameters from the authentication request that may be of interest during the authentication flow. These are the same context parameters that are available in AgnosticDispatcher, but in a slightly different format. The values are accessible inside a pipe with the following syntax:

| Name | Description | If OIDC | If SAML | If Internal |
|---|---|---|---|---|
| {{request.contextrequestissuer}} | ID of the request issuer | The client_id | The SP entityID | The successUrl |
| {{request.contextprotocol}} | The protocol used in the authentication request | OIDC | SAML | Internal |
| {{request.contextrequestedauthenticationcontext}} | The requested authentication context as comma-separated string | The acr_values | The RequestedAuthnContext values as comma-separated string | N/A |
| {{request.contextloginhint}} | The login hint | The login_hint | N/A | N/A |
| {{request.contextbindingishok}} | Whether or not the holder-of-key binding is used | N/A | "true"/"false" depending on if the path ends with /login/hok or just /login | N/A |
| {{request.contextsignmessage}} | The sign message in the request | N/A | Value of the SignMessage in the request | N/A |
| {{request.contextissignrequest}} | Whether or not a SignMessage is present | N/A | Whether or not a SignMessage is present | N/A |
| {{request.contextscope}} | The authorized scope for the OIDC authentication request. | The authorized scope (the recognized subset of the scope request parameter) | N/A | N/A |
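
How a stored LoA meta attribute and the request context above can feed a step-up decision, as an added Python example that is not product code or the product's configuration language. Only the attribute and context names come from this page; the ACR URIs, the `decide` function and the policy (a higher LoA satisfies a lower request, unrecognized contexts are rejected) are assumptions.

```python
# Added illustration, not product code. The ACR URIs and the policy
# ("a higher LoA satisfies a lower request") are assumptions.
ACR_TO_LOA = {
    "urn:example:acr:loa1": 1,
    "urn:example:acr:loa2": 2,
    "urn:example:acr:loa3": 3,
}


def session_loa(meta_attributes):
    """LoA stored via metaAttributesToSet; missing or malformed counts as 0."""
    try:
        return int(meta_attributes.get("loa", "0"))
    except (TypeError, ValueError):
        return 0


def decide(meta_attributes, context):
    """Return 'reuse-sso', 'step-up' or 'reject' for one incoming request."""
    raw = context.get("contextrequestedauthenticationcontext") or ""
    requested = [v.strip() for v in raw.split(",") if v.strip()]
    known = [ACR_TO_LOA[v] for v in requested if v in ACR_TO_LOA]

    # Fail closed: a request naming only unrecognized contexts must not be
    # silently satisfied by whatever session happens to exist.
    if requested and not known:
        return "reject"

    # Nothing requested (e.g. Internal protocol): any completed login suffices.
    required = min(known) if known else 1
    if session_loa(meta_attributes) < required:
        return "step-up"

    # A login hint naming a different user than the stored one forces a new login.
    hint = context.get("contextloginhint")
    if hint and hint != meta_attributes.get("username"):
        return "step-up"
    return "reuse-sso"


# Constructed sample data, shaped like the page's example (loa "1", username from uid).
META = {"loa": "1", "username": "alice"}
REQUESTS = [
    {"contextprotocol": "OIDC", "contextrequestedauthenticationcontext": "urn:example:acr:loa1"},
    {"contextprotocol": "SAML", "contextrequestedauthenticationcontext": "urn:example:acr:loa2,urn:example:acr:loa3"},
    {"contextprotocol": "OIDC", "contextrequestedauthenticationcontext": "urn:unknown"},
    {"contextprotocol": "OIDC", "contextloginhint": "bob"},
]
```

The stored `loa` value is a string in the page's configuration, which is why it is parsed and treated as 0 when missing or malformed rather than compared as text.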