Table of Contents

AgnosticAuthSelector

Note

Used when wanting to present a list of authentications options to a user.  For instance user can choose authentication using username & password, or OneTouch.

This authenticator only supports HTTP based scenarios.

Properties

Name Description Default value Mandatory
possibleAuthenticators A list of possible authenticators to choose from N/A Yes
rememberSelection Should the selection made be remebered by the system false No
sortByLatestUsed If the list should be sorted by latest used true No
autoSelectIfOneOption Whether or not an option should be automatically selected if it is the only available option left true No

Possible authenticator options (standard)

You simply configure the list of authenticator ids to choose from. Their appearance in terms of icon and display name is determined by which localizationKey the authenticator has in its own configuration. If no localizationKey is configured, a default is used based on the type of authenticator.

Possible authenticator options (advanced)

AgnosticAuthSelector may utilize the Authenticator Options configuration pattern, just like AgnosticDispatcher.

By using this configuration pattern, you may for example make selector options conditional.

Authenticator options are configured as follows:

Name Description Default value Mandatory
authenticator The authenticator to continue the flow with N/A Yes
expression The expression that determines if the option should be used N/A Yes, unless used in selector or useForRequestIssuers is configured
useForRequestIssuers A list of request issuers the option should be used for. A request issuer can be e.g. a SAML SP EntityID or an OIDC RP ClientID. N/A No
forceAuth If this option is used, subsequent authenticators will not be able to use SSO. false No
useAssertionProfile If this option is used and the entrypoint is SAML, this assertion profile should be used. N/A No

Available data to use in expressions

The data that is available are:

  • Request (request.getParameter("myparameter", "defaultvalue"))
  • Session (session.properties().getValueOrDefault("mysessionproperty", "mydefaultvalue"))
  • Item -- only if used within a SequenceAuthenticator or when using a pre-authenticator pipe -- (item.getPropertyValue('itemproperty',''))
  • Context (context.property) -- the following properties are available in Context:
    • requestIssuer (In SAML, this will be the EntityID of the Service Provider issuing the AuthnRequest, in OIDC this will be the client_id parameter)
    • protocol (SAML / OIDC / INTERNAL)
    • requestedAuthenticationContext (List of requested authentication contexts from the SAML or OIDC request)
    • loginHint (the OIDC login_hint parameter)
    • bindingIsHok (SAML parameter -- is the holder-of-key binding selected for the request?)
    • signMessage (SAML parameter -- the SignMessage of the AuthnRequest)
    • isSignRequest (shorthand for 'does signMessage have a value)
    • metaAttributes -- A map of key-value pairs available for this SSO Group. Set by successfully executed authenticators if configured, read more on how to set it here.
    • scope (A list of the authorized OIDC scopes)

Usage notes and differences between usage in Selector / Dispatch

  • In AgnosticAuthSelector, all options that match the configured expression (if any) and the configured useForRequestIssuers will be available for selection. In AgnosticDispatcher, the first matching option will automatically be used.
  • In AgnosticDispatcher, either an expression or useForRequestIssuers needs to be configured. For AgnosticAuthSelector, you may opt to not configure either of these.
  • If both useForRequestIssuers and expression are configured, both need to match for an option to be used.
  • If you configure forceAuth on an option, this setting will only apply to authenticators downstream of that authenticator. It will not affect a Sequence that the Dispatcher or Selector itself is part of, only the 'child branch' of the option.
  • If your authentication tree encounters several useAssertionProfile, the last one encountered will be used.
  • Features in AgnosticAuthSelector such as SSO and rememberSelection will only be used if the matching options for the current flow would allow for the same option that set the initial SSO or selection.

Example Configuration (standard)

{
    "alias": "selector",
    "name": "AgnosticAuthSelector",
    "configuration": {
        "possibleAuthenticators": ["<id or alias of authenticator1>","<id or alias of authenticator2>"]
    },
    "id": "<unique_id>"
}

Example Configuration (advaned)

{
    "alias": "selector",
    "name": "AgnosticAuthSelector",
    "configuration": {
        "possibleAuthenticators": [
            {
                "authenticator": "authenticator1"
            },
            {
                "authenticator": "authenticator2",
                "expression": "context.metaAttributes.getOrDefault('SomeAttribute','').equals('SomeValue')"
            },
            {
                "authenticator": "authenticator3",
                "expression": "request.getParameter('remoteAddress').startsWith('192.168.1')"
            },
            {
                "authenticator": "authenticator4",
                "useForRequestIssuers": ["myIssuerId", "otherIssuer"],
            },
        ]
    },
    "id": "<unique_id>"
}
Authentication