Chain

Introduction

The chain authenticator orchestrates one or more authenticators that perform the actual authentication.

The chain is complete when all (required) authenticators in the chain are completed.

A chain authenticator can be nested with Selectors and other chains.

Configuration

Authenticator type: Chain

Common Authenticator configuration can be found here.

| Name | Description | Default |
| --- | --- | --- |
| base_path | The base path for this authenticator, also used to construct paths for chained authenticators (see Routing). | |
| chain | List of authenticator refs defining the content and order of the chain. An empty chain will block the authentication, and therefore at least one ref must be present. | [] |
| require_subject | Flag controlling if this authenticator requires a subject to be set before completing. Use only for nested chains. | true |
| proceed_on_error | Flag controlling how the chain behaves on authenticator failure. If enabled, all authenticators in the chain will be executed before the error is raised (stealth behaviour). | true |
| require_chain | Flag specifying if this authenticator must be executed inside a chain. | false |
| verbose | Turns on extended trace logging. Use for troubleshooting only. | false |

Authenticator refs

An authenticator ref points to an actual authenticator available in the current configuration.

| Name | Description | Default | Mandatory |
| --- | --- | --- | --- |
| id | Authenticator id | | |
| required | Flag controlling if the authenticator is required to complete or not. Authentication will fail if a required authenticator does not complete. | true | |
| order | If ALL items have order numbers, these numbers define the execution order. If NO item has an order number, the order of the list defines the execution order. | | |

Routing

When a chain is executed, the user agent is redirected to each chained authenticator in the configured order. The path to each authenticator is constructed by combining base_path with the chained authenticator's ID (specified as id in authenticator_ref).

Note that base_path is also used to generate the path for the current authenticator. This is intentional, as all authenticators in a flow must share the same path and session, both of which are managed by the path.
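The ordering and routing rules above can be checked before a chain is deployed. The following is an added example, not the product's code or its configuration format: the dict layout, the "/" join between base_path and id, and the rejection of mixed or duplicate order numbers are assumptions, and only the key names come from this page.

```python
# Added example, not product code. The dict layout, the "/" join and the
# mixed/duplicate-order rules are assumptions; key names come from the page.

def resolve_order(refs):
    """Return refs in execution order under the all-or-none 'order' rule."""
    if not refs:
        raise ValueError("empty chain: authentication would be blocked")
    numbered = [r for r in refs if "order" in r]
    if not numbered:
        return list(refs)  # no order numbers: list order is execution order
    if len(numbered) != len(refs):
        raise ValueError("mixed chain: only some refs carry 'order'")
    if len({r["order"] for r in refs}) != len(refs):
        raise ValueError("duplicate 'order' values: sequence is ambiguous")
    return sorted(refs, key=lambda r: r["order"])


def lint_chain(cfg):
    """Return (paths in execution order, warnings) for one chain definition."""
    ordered = resolve_order(cfg.get("chain", []))
    base = cfg["base_path"].rstrip("/")
    paths = [f"{base}/{r['id']}" for r in ordered]  # assumed join
    warnings = []
    if not cfg.get("proceed_on_error", True):
        warnings.append("proceed_on_error is off: no stealth behaviour")
    if not any(r.get("required", True) for r in ordered):
        warnings.append("no ref is required: review what the chain enforces")
    if cfg.get("verbose", False):
        warnings.append("verbose is on: meant for troubleshooting only")
    return paths, warnings


# Constructed sample; the ids and the path are made up.
SAMPLE = {
    "base_path": "/login/mfa",
    "proceed_on_error": False,
    "verbose": True,
    "chain": [
        {"id": "otp", "order": 2},
        {"id": "password", "order": 1},
        {"id": "device-check", "order": 3, "required": False},
    ],
}

if __name__ == "__main__":
    paths, warnings = lint_chain(SAMPLE)
    print("\n".join(paths + warnings))
```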

API

API not available.