The HTML Forms Authenticator is a Username / Password authenticator that serves HTML pages and connects the data to a Data Source backend using an Account Manager.
It also supports user account registration and password management, as well as recovering forgotten user IDs.
The HTML Forms Authenticator is mounted on the Authentication endpoint with the subpath of its ID. So if an authenticator with the ID html1 is configured and the Authentication endpoint is configured to have the path /authenticate, then the paths of the HTML Forms authenticator are found under /authenticate/html1.
The following tables list the different paths used by the authenticator, as well as the templates rendered by each of them.
email/reset-password/email.vm
_setPasswordUrl
Note: In Curity 5.4, the subPath where users actually define their new passwords was changed from set-password to reset-password. If you have a validation script configured to validate new user passwords, ensure that the new path is used.
The HTML Forms authenticator supports Validation Procedures. These can be configured on all of the listed SubPaths. For more information on Validation Procedures, see the Validation section.
When an email-provider is defined, it will be used for the “forgot password” and “forgot username” features. If it is left unset, then the default email provider configured for the zone will be used.
When enabled, automatic login is available after successfully completing one of the following operations:
When password only mode is enabled, the authenticator can only be used as a second factor. It can either be configured to have a previous authenticator, or be triggered by an authentication action (i.e. the multifactor-condition action). The authenticator will use the subject from the AuthenticatedState and the password provided when submitting the form to authenticate the user. If a different username is posted to the backend, it will be ignored. The username field is disabled by default in the authenticate/get.vm template; it can also be removed with a template override.
The authenticator can be configured with the option show-remember-me-option. This enables a checkbox on the login screen that lets the user decide whether the session should be persisted. If the user deselects the checkbox, the SSO cookie will be set as a session cookie only. This means that the cookie will be removed when the browser is closed. This configuration is only available if session cookies are not set as the default on the profile via the sso-cookie-is-session-cookie option.
When an authentication request includes a binding message, then the login form will render this message to the user. A binding message is only accepted from an authenticated (signed or pushed) request.
The specific configuration for the HTML Authenticator is the Account Manager, Credential Manager and the Validation Procedure. The HTML Forms Authenticator supports full user management, if the selected Account Manager allows for it.
See the configuration guide for details on the parameters on Authenticators and on the Html Form Authenticator.
<authenticator>
    <id>htmlForms1</id>
    <description>Username authentication</description>
    <template-area>html1</template-area>
    <html-form xmlns="https://curity.se/ns/conf/authenticators/html-form">
        <account-manager>SqlAccountManager</account-manager>
        <credential-manager>DefaultCredentialManager</credential-manager>
        <procedures>
            <validation>
                <request-subpath>forgot-password</request-subpath>
                <endpoint>authenticate1</endpoint>
                <http-method>post</http-method>
                <validation-procedure>forgotPasswordValidator</validation-procedure>
            </validation>
            <validation>
                <request-subpath>index</request-subpath>
                <endpoint>register1</endpoint>
                <http-method>post</http-method>
                <validation-procedure>accountRegistrationValidator</validation-procedure>
            </validation>
        </procedures>
    </html-form>
</authenticator>
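One way to check an exported configuration for the condition the Curity 5.4 note describes, as an added example (not Curity's own tooling): it lists validation procedures still bound to the set-password subpath. The sample XML is constructed in the shape of the configuration above, the procedure name newPasswordValidator is hypothetical, and elements are matched by local name because the namespaces surrounding <authenticator> in a full export are not shown on this page.

```python
import xml.etree.ElementTree as ET

OLD_SUBPATH = "set-password"  # pre-5.4 subpath; 5.4 and later use reset-password

# Constructed sample shaped like the page's configuration example.
# The procedure name newPasswordValidator is hypothetical.
SAMPLE = """<authenticator>
  <id>htmlForms1</id>
  <html-form xmlns="https://curity.se/ns/conf/authenticators/html-form">
    <procedures>
      <validation>
        <request-subpath>forgot-password</request-subpath>
        <endpoint>authenticate1</endpoint>
        <http-method>post</http-method>
        <validation-procedure>forgotPasswordValidator</validation-procedure>
      </validation>
      <validation>
        <request-subpath>set-password</request-subpath>
        <endpoint>authenticate1</endpoint>
        <http-method>post</http-method>
        <validation-procedure>newPasswordValidator</validation-procedure>
      </validation>
    </procedures>
  </html-form>
</authenticator>"""

def local(tag):
    """Element name without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]

def fields(elem):
    """Map each direct child's local name to its stripped text."""
    return {local(c.tag): (c.text or "").strip() for c in elem}

def stale_validations(xml_text):
    """Return (authenticator id, procedure, endpoint) for validations on the old subpath."""
    findings = []
    for auth in ET.fromstring(xml_text).iter():
        if local(auth.tag) != "authenticator":
            continue
        auth_id = fields(auth).get("id", "?")
        for val in auth.iter():
            f = fields(val)
            if local(val.tag) == "validation" and f.get("request-subpath") == OLD_SUBPATH:
                findings.append((auth_id, f.get("validation-procedure"), f.get("endpoint")))
    return findings

if __name__ == "__main__":
    for auth_id, proc, endpoint in stale_validations(SAMPLE):
        print(f"{auth_id}: rebind {proc} on {endpoint} from {OLD_SUBPATH} to reset-password")
```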