Authenticator (List)#
Path: /profiles/profile/settings/authentication-service/authenticators/authenticator
Keys: id
Parameters#
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| id | string | required | - | |
| authentication-context-class-reference | string | optional | - | The Authentication Context Class Reference (ACR) that this authenticator supports |
| template-area | string (length: 1..9223372036854775807) | optional | - | Select an optional Template Area or Theme to apply to this Authenticator. If they have the same name, both will be applied. |
| account-domain | leafref → ../../../account-domains/account-domain/id | optional | - | Optional domain in which accounts are stored |
| description | string | optional | - | A readable description of the Authenticator, for User presentation, can be a locale key |
| sso-expiration-time | uint32 | optional | - | This controls the expiration time for this specific authenticator. If this is not set, the value set on the profile will be used instead.A common scenario is to allow some factors to have longer lifetimes than others, which is accomplished by setting this value on the authenticator in question |
| sso-inactivity-timeout | uint32 | optional | - | The maximum time an SSO session created by this authenticator will be valid without being used. If this value is not set, then the profile value will be used (if set there). |
| previous-authenticator | leafref → ../../../authenticators/authenticator/id | optional | - | Optional authenticator (or any from a group) that the user must authenticate with prior to this one |
| cross-site-block-enabled | boolean | optional | - | Enables the unsafe (e.g. POST) cross-site requests blocking mechanism. Blocks cross-site requests (those originating from a different or third-party domain) with an unsafe method from being accepted, except for endpoints the explicitly allow it. Disabling this feature can help with interoperability but does pose security risks, and should only be enabled if strictly required. |
| purpose | union (enumeration (end-users, onboarding, employees) | string) | optional | - | A category of usage that this authenticator instance is intended for. |
| exclude-from-metadata | boolean | optional | false | Whether or not the authenticator should be excluded from the OAuth and OpenID Connect metadata (“acr_values_supported” attribute) of a token profile linked to this authentication profile |
Subsections#
| Name | Type | Description |
|---|---|---|
| geo-filtering | Section | |
| authentication-actions | Section | |
| additional-context-attributes | Section | List of key/value attributes that will be added to the context attributes when this authenticator finishes. |
| registration-requirement | OneOf | |
| request-validations | Section | |
| authenticator-type | OneOf |