# Authenticator Filters
Authenticator Filters are used to restrict the Authenticators available for a client.
They can be configured for use on Service Providers or on Clients.
The base path for all authenticator-filters is the following:
configuration-reference/profiles/profile/settings/authentication-service/authenticator-filters/authenticator-filter
All authenticator-filters have a common base, but different types provide further settings.
The basic parameters for all authenticator-filters are as follows (see the configuration reference for the complete definition):
| Parameter name | Mandatory | Description |
|---|---|---|
| id | Yes | The unique identifier of the authenticator-filter |
| filter-type | Yes | The type of the authenticator-filter. Values can be user-agent, cidr or script-filter. |
The following sections explain how you can configure each type of authenticator-filter.
## User-Agent Authenticator Filter
The User-Agent Authenticator Filter can be used to filter authenticators based on the Request User-Agent header.
The filter-type for User-Agent authenticator filters is user-agent. The following parameters can be configured (see the configuration reference for the complete definition):
| Parameter name | Mandatory | Description |
|---|---|---|
| user-agent-regex | Yes | Regular expression to match against a Request’s User-Agent |
| exclusions | Yes | Container of authenticators to exclude |
| exclusions/authenticator | 1 or more | Reference to an existing authenticator (by ID) |
Example configuration:
```xml
<authenticator-filter>
  <id>curl-no-html</id>
  <user-agent xmlns="https://curity.se/ns/conf/authenticator-filters/user-agent">
    <user-agent-regex>.*curl.*</user-agent-regex>
    <exclusions>
      <authenticator>htmlSql</authenticator>
      <authenticator>htmlScimMock</authenticator>
      <authenticator>htmlLdap</authenticator>
      <authenticator>htmlFormJson</authenticator>
    </exclusions>
  </user-agent>
</authenticator-filter>
```
## CIDR Authenticator Filter
CIDR (Classless Inter-Domain Routing) is defined in the RFC 1519 specification.
The CIDR authenticator-filter allows authenticators to be restricted based on the origin of the Request.
IPv4 and IPv6 CIDRs are supported.
Only quad-dotted decimal notation is supported for IPv4 (e.g. 10.77.12.11), and the standard 8-group hexadecimal
notation for IPv6 addresses (may be abbreviated, e.g. 0A:0B:1F:2A:82:1:55:6666, 1::FFFF:ABCD).
Valid CIDRs include 10.77.12.11/18 and 0A:0B:1F:2A:82:1:55:6666/2, for example.
The filter-type for CIDR authenticator filters is cidr. The following parameters can be configured (see the configuration reference for the complete definition):
| Parameter name | Mandatory | Description |
|---|---|---|
| filter-cidr | Yes | CIDR describing the origins to which this filter applies |
| exclusions | Yes | Container of authenticators to exclude |
| exclusions/authenticator | 1 or more | Reference to an existing authenticator (by ID) |
Example configuration:
```xml
<authenticator-filter>
  <id>ip-address-authenticator-filter</id>
  <cidr xmlns="https://curity.se/ns/conf/authenticator-filters/cidr">
    <filter-cidr>192.168.10.0/24</filter-cidr>
    <exclusions>
      <authenticator>htmlSql</authenticator>
      <authenticator>ping1</authenticator>
    </exclusions>
  </cidr>
</authenticator-filter>
```
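The following Python sketch is an added example, not Curity code or part of the original page. It evaluates the user-agent and cidr example filters above offline, so you can check which authenticators a given request would lose before deploying a filter. It assumes the regex must match the whole User-Agent value and that a CIDR is matched by prefix with host bits masked; the function names `effective_network` and `matched_exclusions` are hypothetical.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = "https://curity.se/ns/conf/authenticator-filters/"

# Constructed input: the user-agent and cidr examples from this page (exclusion
# lists shortened), wrapped in one <authenticator-filters> container.
CONFIG = f"""<authenticator-filters>
  <authenticator-filter>
    <id>curl-no-html</id>
    <user-agent xmlns="{NS}user-agent">
      <user-agent-regex>.*curl.*</user-agent-regex>
      <exclusions><authenticator>htmlSql</authenticator><authenticator>htmlLdap</authenticator></exclusions>
    </user-agent>
  </authenticator-filter>
  <authenticator-filter>
    <id>ip-address-authenticator-filter</id>
    <cidr xmlns="{NS}cidr">
      <filter-cidr>192.168.10.0/24</filter-cidr>
      <exclusions><authenticator>htmlSql</authenticator><authenticator>ping1</authenticator></exclusions>
    </cidr>
  </authenticator-filter>
</authenticator-filters>"""


def effective_network(cidr):
    """Network a CIDR covers once host bits are masked (assumed server behaviour)."""
    return ipaddress.ip_network(cidr.strip(), strict=False)


def matched_exclusions(config_xml, user_agent, client_ip):
    """Map filter id -> excluded authenticator IDs for every filter the request matches."""
    result = {}
    for flt in ET.fromstring(config_xml).iter("authenticator-filter"):
        for kind in ("user-agent", "cidr"):
            ns = "{" + NS + kind + "}"
            body = flt.find(ns + kind)
            if body is None:
                continue
            if kind == "user-agent":
                # Assumption: the regex must match the whole header value.
                regex = body.findtext(ns + "user-agent-regex")
                hit = re.fullmatch(regex, user_agent) is not None
            else:
                net = effective_network(body.findtext(ns + "filter-cidr"))
                hit = ipaddress.ip_address(client_ip) in net
            if hit:
                result[flt.findtext("id")] = [a.text for a in body.iter(ns + "authenticator")]
    return result
```

Under the masking assumption, `effective_network("10.77.12.11/18")` is 10.77.0.0/18, and the page's 0A:0B:1F:2A:82:1:55:6666/2 reduces to ::/2, a quarter of the IPv6 address space, so check the prefix length before relying on a filter's reach.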
## Script Authenticator Filter
The Script authenticator-filter can be configured to use existing Filter Procedures to perform filtering.
The filter-procedure must be of type authenticator to be accepted by a script-authenticator-filter.
The filter-type for Script authenticator filters is script-filter. The following parameters can be configured (see the configuration reference for the complete definition):
| Parameter name | Mandatory | Description |
|---|---|---|
| authenticator-filter-procedure | Yes | Reference to an existing filter-procedure |
Example configuration:
```xml
<authenticator-filters>
  <authenticator-filter>
    <id>check-header-authenticator-filter</id>
    <script-filter xmlns="https://curity.se/ns/conf/authenticator-filters/script">
      <authenticator-filter-procedure>check-header-authenticator-filter</authenticator-filter-procedure>
    </script-filter>
  </authenticator-filter>
</authenticator-filters>
```
## Geolocation Authenticator Filter
The Geolocation Authenticator Filter can be configured to allow or deny specific countries the use of a list of authenticators.
The filter is configured with a list of countries, given as ISO-3166 codes, and the authenticators to exclude
from being available for use. For instance, for a user to be able to use an htmlSql authenticator when the request
originates from Sweden, the filter-countries parameter should be SE (the ISO-3166 code), the apply-filter-when-match
parameter should be set to true, and the authenticator list should include the id htmlSql for this specific authenticator.
| Parameter name | Mandatory | Description |
|---|---|---|
| filter-countries | Yes | The list of countries, in the form of ISO-3166 codes, that are allowed or denied to use the authenticators. |
| apply-filter-when-match | Yes | True to exclude an authenticator for a matching country, false otherwise. |
| exclusions | Yes | Container of authenticators to exclude. |
| exclusions/authenticator | 1 or more | Reference to an existing authenticator (by ID). |
Example configuration:
```xml
<authenticator-filters>
  <authenticator-filter>
    <id>geolocation-filter</id>
    <geo-country xmlns="https://curity.se/ns/conf/authenticator-filters/geo-country">
      <filter-countries>IT</filter-countries>
      <filter-countries>SE</filter-countries>
      <apply-filter-when-match>true</apply-filter-when-match>
      <exclusions>
        <authenticator>htmlSql</authenticator>
      </exclusions>
    </geo-country>
  </authenticator-filter>
</authenticator-filters>
```