Create an Authentication Profile
The Getting Started Guides explain how to use the Admin UI’s basic setup wizard to generate an initial configuration for the Curity Identity Server, to create an authentication profile and a token profile. If required you can remove the default profile and recreate it, or create additional authentication profiles, using the authentication profile setup wizard. This guide briefly summarizes the steps.
Check Prerequisites
Before running the wizard, ensure that core Facilities like a data source, credential manager and account manager already exist. The authentication service requires a credential manager if you verify password credentials, for example against a SQL database, LDAP data source or SCIM-backend web service. Many authenticators work without credential managers, like the OIDC authenticator, where all credential verification is done externally.
Run the Setup Wizard
The setup wizard walks you through the creation of the profile in a number of steps.
Create Authentication Profile
The first step of the wizard requests a name and a URL prefix for authentication endpoints. The default authentication profile uses a prefix of /authn.
Configure Services
Next the wizard requests a data source for data generated during authentication operations, and this source must already exist. You can also configure particular SMS or Email services that the authentication profile uses.

Configure a Signing Key
Next, select the signing key that the authentication profile uses behind the scenes for some authentication operations. Typically you can select the system’s default signing key.

Deploy to Service Roles
Next, deploy the configuration to one or more service roles, to expose the authentication endpoints. For a simple deployment, select the default service role.

Select the Integration Profile
For the vast majority of use cases, select the Curity Token Service option, to integrate the authentication profile into OAuth-based flows. The other options are rarely used but explained in Standalone Federation.
If you need to integrate web applications that use the SAML protocol with the Curity Identity Server, create a SAML IDP Profile rather than a new authentication profile.
Configure the Profile Base Settings
Finally, commit all changes and select the new profile to view its details in the Admin UI.

To understand the deployed settings for the authentication profile, select the View XML option in the Admin UI, which shows a structure similar to the following XML snippet.
<config xmlns="http://tail-f.com/ns/config/1.0">
  <profiles xmlns="https://curity.se/ns/conf/base">
    <profile>
      <id>authentication-service</id>
      <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type>
      <settings>
        <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
          <persisted-sso-session>true</persisted-sso-session>
          <authentication-actions>
            ...
          </authentication-actions>
          <authenticators>
            ...
            <include-attributes-of-all-authenticators/>
          </authenticators>
          <protocols>
            <protocol>
              <id>default-simple-protocol</id>
              <simple-api/>
            </protocol>
          </protocols>
        </authentication-service>
      </settings>
    </profile>
  </profiles>
</config>
id (string, mandatory) : The name of the profile.
tenant_id (string, optional) : Set a distinct value per tenant if you use account-multi-tenancy and multiple authentication profiles.
logout-redirect-url (url, optional) : If set, the user will be redirected to this URL after logout.
redirect-url-whitelist/uri (url, optional, multivalue) : Each entry defines a whitelisted URL that the Authentication Service accepts redirects to.
sms-provider (ref, optional) : The SMS provider to be used by this profile when any component in the profile needs to send SMS messages. This setting is required if the SMS OTP Authenticator is used.
base-url (url, optional) : In specialized deployments, override the base URL from System → General. For example, in multi-tenant deployments you can use distinct authentication profiles per tenant, each with a branded base URL for login screens.
include-attributes-of-all-authenticators (boolean, default false) : Activate this setting if you use multi-factor authentication and authentication actions.
sso-expiration-time (uint32, default 3600) : The time in seconds that the SSO cookie remains valid, to enable single sign-on across applications.
username-cookie-name (string, default se.curity.user) : The name of the cookie that stores the username. Authenticators read this cookie to pick up the username and pre-populate their forms.
persisted-sso-session (boolean, default false) : Activate this setting to use database persistence of SSO details and reduce the size of SSO cookies. This is recommended if, for example, a login with an external identity provider returns large ID tokens.
protocol-id (ref, mandatory) : The id of the protocol plugin that should be used. If this is the first configuration of the Profile, then the protocol plugin must be created in the same transaction. (Same request if using REST).
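To review the settings above in a deployed profile, it can help to parse the View XML export rather than read it by eye. The following script is an added example, not code from Curity or from this guide: it parses a constructed sample export that follows the structure shown earlier, applies the documented defaults for sso-expiration-time and persisted-sso-session, and flags redirect-url-whitelist entries that are not absolute https URLs and SSO lifetimes above a chosen threshold. The placement of logout-redirect-url, redirect-url-whitelist and sso-expiration-time directly under the authentication-service element, the sample URLs and the eight-hour threshold are assumptions made for the example.

```python
"""Parse a Curity authentication-profile XML export and review security-relevant settings.

Added example; the element placement below the <authentication-service> element is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS_BASE = "https://curity.se/ns/conf/base"
NS_AUTH = "https://curity.se/ns/conf/profile/authentication"

# Constructed sample export, modelled on the View XML structure in the guide.
SAMPLE_CONFIG = """<config xmlns="http://tail-f.com/ns/config/1.0">
  <profiles xmlns="https://curity.se/ns/conf/base">
    <profile>
      <id>authentication-service</id>
      <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type>
      <settings>
        <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
          <persisted-sso-session>true</persisted-sso-session>
          <sso-expiration-time>86400</sso-expiration-time>
          <logout-redirect-url>https://app.example.com/logged-out</logout-redirect-url>
          <redirect-url-whitelist>
            <uri>https://app.example.com/callback</uri>
            <uri>http://app.example.com/callback</uri>
            <uri>/relative/path</uri>
          </redirect-url-whitelist>
        </authentication-service>
      </settings>
    </profile>
  </profiles>
</config>"""


def _text(parent, tag, ns, default=None):
    """Return the stripped text of a namespaced child element, or the default if absent."""
    el = parent.find(f"{{{ns}}}{tag}")
    return el.text.strip() if el is not None and el.text else default


def parse_profile(xml_text):
    """Extract the profile settings discussed in the guide, applying the documented defaults."""
    root = ET.fromstring(xml_text)
    profile = root.find(f".//{{{NS_BASE}}}profile")
    svc = profile.find(f"{{{NS_BASE}}}settings/{{{NS_AUTH}}}authentication-service")
    whitelist = svc.findall(f"{{{NS_AUTH}}}redirect-url-whitelist/{{{NS_AUTH}}}uri")
    return {
        "id": _text(profile, "id", NS_BASE),
        # Documented default: false
        "persisted_sso_session": _text(svc, "persisted-sso-session", NS_AUTH, "false") == "true",
        # Documented default: 3600 seconds
        "sso_expiration_time": int(_text(svc, "sso-expiration-time", NS_AUTH, "3600")),
        "logout_redirect_url": _text(svc, "logout-redirect-url", NS_AUTH),
        "redirect_whitelist": [u.text.strip() for u in whitelist if u.text],
    }


def review_profile(profile, max_sso_seconds=8 * 3600):
    """Return a list of findings about redirect targets and SSO lifetime.

    The eight-hour SSO threshold is an assumed policy value, not a Curity default.
    """
    findings = []
    for uri in profile["redirect_whitelist"]:
        parts = urlsplit(uri)
        if not parts.scheme or not parts.netloc:
            findings.append(f"whitelist entry is not an absolute URL: {uri}")
        elif parts.scheme != "https":
            findings.append(f"whitelist entry is not https: {uri}")
    logout = profile["logout_redirect_url"]
    if logout and urlsplit(logout).scheme != "https":
        findings.append(f"logout-redirect-url is not https: {logout}")
    if profile["sso_expiration_time"] > max_sso_seconds:
        findings.append(
            f"sso-expiration-time {profile['sso_expiration_time']}s exceeds {max_sso_seconds}s"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_profile(SAMPLE_CONFIG)
    print(f"profile {parsed['id']}: persisted SSO = {parsed['persisted_sso_session']}")
    for finding in review_profile(parsed):
        print("finding:", finding)
```

Run the script against a real export by replacing SAMPLE_CONFIG with the text copied from View XML; an empty findings list means every whitelisted redirect is an absolute https URL and the SSO lifetime is within the threshold you chose.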