Defining an Authentication Service Profile

To use the Authentication Service, a profile needs to be defined. The Authentication Service profile is special, in that it contains plugin extension points. These are called Authenticators and are responsible for authenticating the User in various ways.

The Profile defines three endpoints.

  • The Authentication endpoint
  • The Anonymous endpoint
  • The Registration endpoint

See the Developer guide about how to use these.

Note

If activation and account registration aren't supported by the data source, there is no need to enable the Registration endpoint. Only the Authentication endpoint, and possibly the Anonymous endpoint, is needed then.

Preparing the Authentication Service Profile

The Authentication Service requires Credential Managers in order to authenticate Users directly, for example against an SQL database or a SCIM backend web service. Some Authenticators work without Credential Managers, like the PingFederate Authenticator. There, all authentication is performed by the third party, and the Authentication Service acts as the broker/mediator that handles the identity transformation.

If you intend to use any authenticator that requires local authentication, make sure that the Credential Managers and corresponding Data-Sources are properly configured.

Pre-requisite configuration

  • Data-Sources
  • Credential Managers
  • Account Managers
  • Token Issuers

Base Configuration of an Authentication Service Profile

Tip

The profile configuration for authentication can be found in the configuration reference.

'authentication-profile'
id(string, mandatory)

The given name of the profile

redirect-url-whitelist/uri(url, optional, multivalue)

Each entry defines a whitelisted URL that the Authentication Service accepts redirects to; redirect targets not on the list are not accepted, which is what keeps the service from being used as an open redirector. An entry of * (as in the example create request on this page) accepts any target and disables that protection, so a production profile should list only the exact URLs that legitimately receive users after authentication.
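As an added illustration, not taken from the original page or from the product's own configuration, here is the permissive wildcard whitelist beside a restricted one. It assumes the element names used in the example create request on this page (a redirect-url-whitelist element containing url entries, placed inside authentication-service); the hostnames and paths are placeholders.

```xml
<!-- Added example, not from the original page. Weak setting: the wildcard
     accepts any redirect target, so the whitelist no longer restricts anything. -->
<redirect-url-whitelist>
  <url>*</url>
</redirect-url-whitelist>

<!-- Restricted setting: only the exact callback URLs that legitimately receive
     users. example.com and the paths are placeholders, not real deployments. -->
<redirect-url-whitelist>
  <url>https://example.com/redirect</url>
  <url>https://app.example.com/login/callback</url>
</redirect-url-whitelist>
```

Both fragments sit where the example create request places redirect-url-whitelist, directly under authentication-service; the first is suitable for a local test setup only, the second is the shape a production profile should have.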

sso-expiration-time(uint32, default 3600)

The time in seconds the SSO cookie will be valid

username-cookie-name(string, default se.curity.user)

The name of the cookie that stores the username. The cookie is shared across authenticators so they can pick up the username and pre-populate their forms.

logout-redirect-url(url, optional)

If set, the user will be redirected to this URL after logout.

protocol-id(ref, mandatory)

The id of the protocol plugin that should be used. If this is the first configuration of the Profile, the protocol plugin must be created in the same transaction (the same request, if using REST).

sms-provider(ref, optional)

The SMS provider to be used by this profile when any component in the profile needs to send SMS messages. This setting is required if the SMS OTP Authenticator is used.

Example Create request

<profile>
  <id>authentication</id>
  <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type>
  <settings>
    <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
      <redirect-url-whitelist>
        <url>*</url>
      </redirect-url-whitelist>
      <authenticators>
        <authenticator>
          <id>html1</id>
          <html-form>
            <account-manager-id>SqlDSAccountManager</account-manager-id>
          </html-form>
          <template-area>html1</template-area>
        </authenticator>
      </authenticators>
      <service-providers>
        <service-provider>
          <id>se.curity</id>
          <default-authenticator>html1</default-authenticator>
          <required-claim>subject</required-claim>
          <context-info>Something human readable. Probably a text key.</context-info>
          <target-url>https://example.com/redirect</target-url>
          <template-area>html1</template-area>
        </service-provider>
      </service-providers>
      <protocols>
        <protocol>
          <id>simpleapi1</id>
          <simple-api/>
        </protocol>
      </protocols>
    </authentication-service>
  </settings>
  <endpoints>
    <endpoint>
      <id>authenticate</id>
      <uri>/authenticate</uri>
      <endpoint-kind>auth-authentication</endpoint-kind>
    </endpoint>
    <endpoint>
      <id>register</id>
      <uri>/register</uri>
      <endpoint-kind>auth-registration</endpoint-kind>
    </endpoint>
    <endpoint>
      <id>meta</id>
      <uri>/meta</uri>
      <endpoint-kind>auth-anonymous</endpoint-kind>
    </endpoint>
  </endpoints>
</profile>