To use the Authentication Service, a profile needs to be defined. The Authentication Service profile is special, in that it contains plugin extension points. These are called Authenticators and are responsible for authenticating the User in various ways.
The Profile defines three endpoints.
See the Developer guide about how to use these.
Note
If activation and account registration isn’t supported by the data source, there is no need to enable the registration endpoins. Only the Authentication and possibly anonymous endpoint is needed then.
The authentication service requires Credential Managers in order to be able to authenticate Users directly, for example against an SQL database or a SCIM backend webservice. Some Authenticators work without Credential Managers, like the PingFederate. There all authentication is performed by the 3rd party and the Authentication Service is the broker/mediator that handles the identity transformation.
If you intend to use any authenticator that requires local authentication, make sure that the Credential Managers and corresponding Data-Sources are properly configured.
Tip
The profile configuration for authentication is can be found in the configuration reference
'authentication-profile'
id
The given name of the profile
redirect-url-whitelist/uri(url, optional, multivalue)
Each entry defines a whitelisted URL that the Authentication Service accepts redirects to
sso-expiration-time(uint32, default 3600)
The time in seconds the SSO cookie will be valid
username-cookie-name(string, default se.curity.user)
The name of the cookie that will store the username for the cookie that is used cross authenticators to pickup the username and pre-populate the forms
logout-redirect-url(url, optional)
If set, the user will be redirected to this URL after logout.
protocol-id(ref, mandatory)
The id of the protocol plugin that should be used. If this is the first configuration of the Profile, then the protocol plugin must be created in the same transaction. (Same request if using REST)
sms-provider(ref, optional)
The Sms provider to be used by this profile when any component in the profile need to send SMS messages. This setting is required if the SMS OTP Authenticator is used.
<profile> <id>authentication</id> <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type> <settings> <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication"> <redirect-url-whitelist> <url>*</url> </redirect-url-whitelist> <authenticators> <authenticator> <id>html1</id> <html-form> <account-manager-id>SqlDSAccountManager</account-manager-id> </html-form> <template-area>html1</template-area> </authenticator> </authenticators> <service-providers> <service-provider> <id>se.curity</id> <default-authenticator>html1</default-authenticator> <required-claim>subject</required-claim> <context-info>Something human readable. Probably a text key.</context-info> <target-url>https://example.com/redirect</target-url> <template-area>html1</template-area> </service-provider> </service-providers> <protocols> <protocol> <id>simpleapi1</id> <simple-api/> </protocol> </protocols> </authentication-service> </settings> <endpoints> <endpoint> <id>authenticate</id> <uri>/authenticate</uri> <endpoint-kind>auth-authentication</endpoint-kind> </endpoint> <endpoint> <id>register</id> <uri>/register</uri> <endpoint-kind>auth-registration</endpoint-kind> </endpoint> <endpoint> <id>meta</id> <uri>/meta</uri> <endpoint-kind>auth-anonymous</endpoint-kind> </endpoint> </endpoints> </profile>