Deny Action
The Deny authentication action terminates the ongoing authentication with an access denied error. It supports two different operation modes: Always (always deny authentication) and Attribute Condition (check for a boolean attribute and deny authentication if that attribute value matches the expected one).
This action is useful when combined with other actions that set attributes based on certain conditions, allowing for conditional access control.
Configuration
The following configuration options are available:
| Configuration | Mandatory | Description |
|---|---|---|
| always | No | Always deny authentication. |
| attribute-condition | No | Deny authentication depending on the presence of an attribute. |
| attribute-condition/name | Yes | The name of the attribute. |
| attribute-condition/source | Yes | The source of the attribute (subject-attributes, context-attributes, action-attributes). |
| attribute-condition/expected-value | No | The expected value of the attribute to deny authentication. Defaults to: true |
| error | No | The error string used when the action denies the authentication. |
Back-channel support
This action can be used in back-channel authentication.