HTML Forms Authenticator

The HTML Forms Authenticator is a Username / Password authenticator that serves HTML pages and connects the data to a Data Source backend using an Account Manager.

It also supports user account registration, password management as well as forgotten user id’s.


The HTML Forms Authenticator is mounted on the Authentication endpoint with the subpath of it’s ID. So if an authenticator with the ID html1 is configured and the Authentication endpoint is configured to have the path /authenticate then the paths of the HTML Forms authenticator are found under /authenticate/html1

Endpoint-kind: auth-authentication

SubPath Method Template Description
index (/) GET authenticate/get.vm The index (/) contains the authentication form
POST authenticate/get.vm The index (/) contains the authentication form
forgot-account-id GET forgot-account-id/get.vm  
POST forgot-account-id/post.vm  
forgot-password GET reset-password/get.vm  
POST reset-password/post.vm  

Endpoint-kind: auth-registration

SubPath Method Template Description
index (/) GET create-account/get.vm The index (/) contains the authentication form
POST create-account/post.vm The index (/) contains the authentication form

Endpoint-kind: auth-anonymous

SubPath Method Template Description
set-password GET set-password/get.vm  
POST set-password/post.vm  

Validation Scripts

The HTML Forms authenticator supports Validation Procedures. These can be configured on all of the listed SubPaths. For more information on Validation Procedures see Validation section.

Email Provider

When an email-provider is defined, it will be used for the “forgot password” and “forgot username” features. If it is left unset, then the default email provider configured for the zone will be used.

Automatic Login

When enabled, automatic login is available after successfully completing one of the following operations:

  • Account activation.
  • Account activation with mandatory password definition.
  • Account registration, when activation is not required.
  • Setting a new password, after a password recovery flow.

Password Only

When password only mode is enabled, the authenticator can only be used as a second factor. It can either be configured to have a previous authenticator, or, it can be triggered by an authentication action (i.e. the multifactor-condition action). The authenticator will use the subject from the AuthenticatedState and the password provided when submitting the form to authenticate the user. If a different username is posted to the backend, it will be ignored. The username field is disabled by default in the authenticate/get.vm template, it can also be removed with a template override.

note:The html-form authenticator will throw a 500 Internal Server Error if it is used directly, when password-only is se to true

Remember Me

The authenticator can be configured with the option show-remember-me-option. This enables a checkbox on the login screen that let’s the user decided if the session should be persisted or not. If the user deselects the checkbox, the SSO cookie will be set as a session cookie only. This means that the cookie will be removed when the browser is closed. This configuration is only available if session cookies are not set as the default on the profile via the sso-cookie-is-session-cookie option.


The specific configuration for the HTML Authenticator is the Account Manager, Credential Manager and the Validation Procedure. The HTML Forms Authenticator support full user management, if the selected Account Manager allows for it.

See the configuration guide for details on the parameters on Authenticators and on the Html Form Authenticator.

Configuration Example

        <description>Username authentication</description>
        <html-form xmlns="">