The Authentication Profile is responsible for performing authentication according to the contracts defined by configuration and the incoming request.
The service does more than figuring out who the user is. It can transform the username and attributes before handing off to the application, or it can link two accounts that are related. It can also handle password resets, new account creations and more.
The Authentication Profile has the following components:
Fig. 40 Overview of Authentication Profile components
Authentication is performed by Authenticators. Each authenticator has its own set of capabilities, listed on that authenticator’s page. The Authentication Profile lets you configure authenticators in chains to create multi-factor flows, or in groups to create selector pages where the user can pick any of them.
Authentication Actions can perform authorization steps or transform the attributes of the incoming request. They can also auto-create accounts or link accounts.
The Authentication service takes care of maintaining logged-in sessions. When the user returns it will try to find an existing login session and, if that session meets the requirements, re-use it. This causes the user to be single signed-on. The factors it takes into account are freshness, type of login (acr) and whether the authentication should be forced. The configuration allows the admin to set a time to live on any authenticator’s session, as well as a system default for the profile. Read more about SSO.
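The session re-use decision described above, written out as an added example (not Curity code): it checks the three factors named in the text, forced login, acr and freshness, with the per-authenticator time to live falling back to the profile default. The data model, acr strings and TTL values are constructed for illustration, and the assumed precedence is that an authenticator-specific TTL overrides the profile default.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class SsoSession:
    """A stored login session (constructed model, not the server's own format)."""
    authenticator: str      # which authenticator created the session
    acr: str                # type of login the session satisfies
    authenticated_at: int   # epoch seconds

@dataclass
class AuthRequest:
    """What the incoming request demands of an existing session."""
    acceptable_acrs: List[str]    # empty list means any acr is acceptable
    force_authn: bool = False     # caller insists on a fresh login

def session_ttl(authenticator: str, per_authenticator_ttl: Dict[str, int],
                profile_default_ttl: int) -> int:
    """Authenticator-specific time to live wins over the profile default (assumed)."""
    return per_authenticator_ttl.get(authenticator, profile_default_ttl)

def can_reuse_session(session: SsoSession, request: AuthRequest, now: int,
                      per_authenticator_ttl: Dict[str, int],
                      profile_default_ttl: int) -> Tuple[bool, str]:
    """Decide whether the returning user is single signed-on, checking forced
    login first, then type of login (acr), then freshness against the TTL."""
    if request.force_authn:
        return False, "forced authentication requested"
    if request.acceptable_acrs and session.acr not in request.acceptable_acrs:
        return False, f"acr {session.acr!r} does not satisfy {request.acceptable_acrs}"
    age = now - session.authenticated_at
    ttl = session_ttl(session.authenticator, per_authenticator_ttl, profile_default_ttl)
    if age > ttl:
        return False, f"session is {age}s old, ttl for {session.authenticator} is {ttl}s"
    return True, "existing session re-used (single sign-on)"

# Constructed configuration: a short-lived OTP session, longer profile default.
TTL_BY_AUTHENTICATOR = {"sms-otp": 300}
PROFILE_DEFAULT_TTL = 3600

if __name__ == "__main__":
    pw = SsoSession("html-form", "acr:password", authenticated_at=1000)
    otp = SsoSession("sms-otp", "acr:otp", authenticated_at=1000)
    for sess, req, now in [(pw, AuthRequest([]), 2000),
                           (pw, AuthRequest(["acr:otp"]), 2000),
                           (otp, AuthRequest([]), 1400),
                           (pw, AuthRequest([], force_authn=True), 1100)]:
        print(can_reuse_session(sess, req, now, TTL_BY_AUTHENTICATOR, PROFILE_DEFAULT_TTL))
```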
A user can log out, which will kill all SSO sessions for that browser. After logout the user is redirected to the requested resume URL. Read more about logout.
Account domains provide a way to mark authenticators that belong together, i.e. that use the same account source. This is used when performing account linking.
Since most interaction with the authentication service is done using a browser, further validation of incoming requests can be added using validation procedures. These are configured on each endpoint for each authenticator when needed.
When a user is presented with more than one choice of authenticators the admin can configure filters to filter out non-relevant authenticators. These can be based on various parameters such as the IP address or custom logic.
Service providers are applications. These are used for direct integration with the authentication profile, when not using the token service.
The protocol plugins are the integration points with other systems. The default integration is the Simple Protocol, which is used to communicate with the Curity Token Service.
The automatic login functionality, available for some authenticators, allows the user to automatically log in after some authentication management operations, without needing to provide additional information.