The Authentication Service can be configured to allow users to authenticate against an Encap server from
Encap A/S. The Encap authenticator supports both authentication and registration. The registration
can be configured to be allowed during login or not, on a per authenticator basis.
When a user is prompted to login using Encap, the first screen they will see is one where they will enter their username:
Fig. 57 Entering a username to find the devices associated with a user
The username will be saved and automatically filled in on subsequent logins and will also be used in other
authenticators that require a username (e.g., SMS and HTML forms).
After the user enters their username, they will be presented with a list of devices that are associated with their
Fig. 58 Multiple Encap devices associated with a user
If registration is allowed during login, they will also be given the opportunity to add a new device.
Fig. 59 No Encap device associated with a user
If not, they will be presented with information about how to add a new device.
Fig. 60 No Encap device associated with a user without the possibility to add one
To configure an Encap authenticator, an authenticator element needs to be created in an authentication service
profile like all other authenticators. This configuration will look something like this:
The meaning of these configuration elements is described in the following table:
Depending on the circumstances, you may or may not want to allow a user to add a new device during login. In general,
users should not be allowed to add a new device when the service provide they are accessing is a mobile app. This is
the case because it can be very cumbersome to register a new device when on the same mobile. This is especially true if
the Encap authentication app isn’t yet installed on the user’s device. In this case, it is better to direct them to
a place where they can provision a new device using a laptop or desktop computer. To easily implement this best
practice, set the encap/allow-registration-during-login setting to false.
When registration is allowed during the login flow, a user will be given the option to add a new device after entering
their username. Because required-authenticator-for-registration must be set to a valid authenticator, the user will
be prompted to login as soon as they see this button. This can be jarring if the user isn’t aware of why they are
being asked to login. To give them this context, the encap/show-info-before-registration setting can be set to
true (the default). If true, the user will be shown an anonymous page after electing to add a new device. This
page can contain information about what Encap is and the download URL will be available, so the templatized view can
render a link to allow the user to install it on their device.
The default view for this page is shown in the following figure:
Fig. 61 Encap - Information page
When enabled, automatic login is available after successfully registering a new device.