Table of Contents

AgnosticDispatcher

Note

Used to set up access rules for different authentication possibilities.  The dispatcher will, based on incoming data, select the appropriate route the user to the correct authentication.

The first authenticator with a matching expression will be selected.

Properties

Name Description Default value Mandatory
mapping An array of mapping rules used to determine which authenticator should handle the incoming request. Matching rules contains of java script expressions. N/A Yes

Authenticator Options

AgnosticDispatcher utilizes the Authenticator Options configuration pattern, just like AgnosticAuthSelector.

Authenticator options are configured as follows:

Name Description Default value Mandatory
authenticator The authenticator to continue the flow with N/A Yes
expression The expression that determines if the option should be used N/A Yes, unless used in selector or useForRequestIssuers is configured
useForRequestIssuers A list of request issuers the option should be used for. A request issuer can be e.g. a SAML SP EntityID or an OIDC RP ClientID. N/A No
forceAuth If this option is used, subsequent authenticators will not be able to use SSO. false No
useAssertionProfile If this option is used and the entrypoint is SAML, this assertion profile should be used. N/A No

Available data to use in expressions

The data that is available are:

  • Request (request.getParameter("myparameter", "defaultvalue"))
  • Session (session.properties().getValueOrDefault("mysessionproperty", "mydefaultvalue"))
  • Item -- only if used within a SequenceAuthenticator or when using a pre-authenticator pipe -- (item.getPropertyValue('itemproperty',''))
  • Context (context.property) -- the following properties are available in Context:
    • requestIssuer (In SAML, this will be the EntityID of the Service Provider issuing the AuthnRequest, in OIDC this will be the client_id parameter)
    • protocol (SAML / OIDC / INTERNAL)
    • requestedAuthenticationContext (List of requested authentication contexts from the SAML or OIDC request)
    • loginHint (the OIDC login_hint parameter)
    • bindingIsHok (SAML parameter -- is the holder-of-key binding selected for the request?)
    • signMessage (SAML parameter -- the SignMessage of the AuthnRequest)
    • isSignRequest (shorthand for 'does signMessage have a value)
    • metaAttributes -- A map of key-value pairs available for this SSO Group. Set by successfully executed authenticators if configured, read more on how to set it here.
    • scope (A list of the authorized OIDC scopes)

Usage notes and differences between usage in Selector / Dispatch

  • In AgnosticAuthSelector, all options that match the configured expression (if any) and the configured useForRequestIssuers will be available for selection. In AgnosticDispatcher, the first matching option will automatically be used.
  • In AgnosticDispatcher, either an expression or useForRequestIssuers needs to be configured. For AgnosticAuthSelector, you may opt to not configure either of these.
  • If both useForRequestIssuers and expression are configured, both need to match for an option to be used.
  • If you configure forceAuth on an option, this setting will only apply to authenticators downstream of that authenticator. It will not affect a Sequence that the Dispatcher or Selector itself is part of, only the 'child branch' of the option.
  • If your authentication tree encounters several useAssertionProfile, the last one encountered will be used.
  • Features in AgnosticAuthSelector such as SSO and rememberSelection will only be used if the matching options for the current flow would allow for the same option that set the initial SSO or selection.

Example Configuration

{
    "alias": "dispatch",
    "name": "AgnosticDispatcher",
    "configuration": {
        "mapping": [
            {
                "expression": "context.metaAttributes.getOrDefault('SomeAttribute','').equals('SomeValue')",
                "authenticator": "auth99"
            },{
                "expression": "context.bindingIsHok",
                "authenticator": "auth1"
            },{
                "expression": "!request.getParameter('remoteAddress').startsWith('192.168.1')",
                "authenticator": "auth2"
            },
            {
                "useForRequestIssuers": ["myIssuerId"],
                "forceAuth": "true",
                "useAssertionProfile": "someProfile",
                "authenticator": "auth3"
            },
            {
                "expression": "context.requestedAuthenticationContext.contains('myacrvalue1')",
                "authenticator": "auth4"
            },
            {
                "expression": "true",
                "authenticator": "mydefaultauthenticator"
            }
        ]
    }
}

Requirements

One or more protocol agnostic authenticators configured.

Authentication