Authenticator filters are a way to improve user experience when authenticating with the Curity Identity Server. Many different authenticators can be configured for use with the Curity Identity Server, but sometimes you will want to limit the use of some authenticators based on some factors. E.g. you know that the Active Directory login form will work only when a user is connected via a VPN. So why show them the AD form option if they are not using the VPN? Authenticator filters are a way to achieve this goal.
One of the different filters you can use to narrow down the available authenticators is the
geo-country filter. It
enables you to filter out given authenticators based on the country of the user’s location (based on the IP address).
The filter can work in two ways. It can filter out an authenticator if:
- the user is in one of the countries on the list
- the user is not in one of the countries on the list
Let’s say you have a service whose customers are located in different European countries. For your Swedish customers you enable the BankID authenticator which is very popular in that country. It allows customers to authenticate using their bank credentials. But this authentication method might not be known to your customers living outside of the Nordics. So, to improve user experience, you want to hide the BankID authenticator to users who log in from outside of the Nordics area. Since they will not be familiar with this method anyway, so why confuse them?
Authenticator filters are not a security featureRemember that users can still access an authenticator by calling its URL directly, so authenticator filters should only be used as a mean of enhancing user experience.
To set it up:
- Go to the Authentication Profile
- Choose Filters from the main menu
- Click on New Filter, enter a name for the filter and click Create
- Choose the
In the Authenticator box on the right hand side add the authenticators which should be hidden when the conditions of the filter are met. Assuming that you want to hide the BankID authenticator and that the authenticator in your system is named
bankid1, then add that value to the list.
In the box called Filter Countries on the left hand side select the countries which you want to be affected by the filter. You can search for the countries using the ISO country code or the country name.
If you want to hide the authenticator to users which are in the countries you added to the list make sure the Apply Filter When Match option is
on. If you to hide the authenticator from any user who is not in one of the countries on the list turn the switch to
To hide the BankID authenticator to users outside of Nordics use the following settings:
Authenticator filters can be applied either to Service Providers or Oauth Clients. Edit the respective object and select the new filter in the Authenticator Filters field to add to a list of active filters. If you’re adding the filter to a Client you can find the field in Authentication Settings section, the Advanced tab.
Remember to commit the settings once you’re done.
Assuming that you’ve added the filter as shown above and have two other authenticators enabled for a client: “Login with Google” and “Username & Password” (html form) the login screen will look like the one below, if th user was in of the Nordic countries:
Users in other countries will see this login form:
If you want to block access to authenticators based on the user’s location have a look at the different options described in the Using Geo-Location in the Curity Identity Server article.
If you want to learn more about authenticator filters have a look at the documentation.