AuthController
Customisable authentication menu
Introduction
The AuthController authenticator enforces configurable control mechanisms that can be applied at different stages of the authentication flow. It can be positioned either before or after user identification, depending on the defined control logic.
If the configured pipe returns a failure response, the authentication process is immediately terminated and the attempt is marked as failed.
Configuration
Common Authenticator configuration can be found here.
pipe_id | ID of the pipe responsible for decision making. | N/A
exec_if | An expression that determines if the authenticator should be executed or not. | N/A
fail_location | Where to send the user agent on failed auth validation. | N/A
failed_redirect | User-Agent redirection based on error response from pipe. See advanced redirection. | N/A
new_exec_if | kwk | N/A
{
    "id": "authz",
    "type": "AuthController",
    "config": {
        "base_path": "${globals.default_login_suffix}",
        "pipe_id": "validate",
        "exec_if": "exports.username == 'User123'",
        "fail_location": "https://fortifiedid.se",
        "failed_redirect": [
            {
                "pattern": ".*Missing input param 'idg'.*",
                "target": "https://www.idg.se"
            },
            {
                "pattern": ".*Missing input param 'sunet'.*",
                "target": "https://www.sunet.se"
            }
        ]
    }
}
Advanced redirection
Based on the error response returned from the pipe, the user-agent can be redirected using regex patterns. If no pattern matches, the fail_location parameter is used as a fallback.
The failed_redirect parameter is defined as an array of fail location objects. Upon a fail response from the pipe, the array is evaluated in order, and the user-agent is redirected to the first matching location.
failed_redirect.pattern | Regex expression | N/A
failed_redirect.target | If matched, where to send the user agent | N/A
custom_identifier | Tag used for event separation | N/A
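The ordered, first-match evaluation described under Advanced redirection, shown as an added example that is not part of the product or its documentation. It assumes a pattern must match the whole error message and uses Python's re engine, which may differ from the product's regex flavour; resolve_redirect and lint_redirects are hypothetical helper names.

```python
import json
import re

# Constructed config mirroring the failed_redirect example on this page.
CONFIG = json.loads(r"""
{
  "fail_location": "https://fortifiedid.se",
  "failed_redirect": [
    {"pattern": ".*Missing input param 'idg'.*", "target": "https://www.idg.se"},
    {"pattern": ".*Missing input param 'sunet'.*", "target": "https://www.sunet.se"}
  ]
}
""")

def resolve_redirect(config, pipe_error):
    """Return the first matching target in array order, else fail_location.

    Assumption: a pattern must match the whole error message, as the
    leading and trailing '.*' in the page's patterns suggest.
    """
    for rule in config.get("failed_redirect", []):
        if re.fullmatch(rule["pattern"], pipe_error, re.DOTALL):
            return rule["target"]
    return config.get("fail_location")

def lint_redirects(config, sample_errors):
    """Flag invalid regexes, non-https targets, and rules that match a sample
    error but never win because an earlier rule matches it first."""
    findings, compiled = [], []
    for i, rule in enumerate(config.get("failed_redirect", [])):
        try:
            compiled.append((i, re.compile(rule["pattern"], re.DOTALL)))
        except re.error as exc:
            findings.append(f"rule {i}: invalid regex: {exc}")
        if not rule["target"].startswith("https://"):
            findings.append(f"rule {i}: target is not an https URL")
    wins, matches = set(), set()
    for msg in sample_errors:
        matching = [i for i, rx in compiled if rx.fullmatch(msg)]
        matches.update(matching)
        wins.update(matching[:1])  # only the first matching rule is used
    for i in sorted(matches - wins):
        findings.append(f"rule {i}: shadowed by an earlier rule")
    return findings

if __name__ == "__main__":
    for err in ["Missing input param 'idg'", "LDAP timeout"]:  # constructed
        print(err, "->", resolve_redirect(CONFIG, err))
```

Running the linter against the pipe's known error messages before deployment shows which rule each message resolves to and which rules are unreachable because of their position in the array.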
Logging
WEB_100044("AuthController executed - authorized")
- IDENTIFIER (user trace id) 
- CUSTOMER_IDENTIFIER (if configured) 
- SOURCE_ADDRESS (ip of the remote session) 
- AUTHENTICATOR_ID (id + display_name of authenticator) 
WEB_100045("AuthController executed - not authorized")
- IDENTIFIER (user trace id) 
- CUSTOMER_IDENTIFIER (if configured) 
- SOURCE_ADDRESS (ip of the remote session) 
- AUTHENTICATOR_ID (id + display_name of authenticator) 
