See a Flow as an app. It defines things like number of steps, path of access and if it is public or protected by authentication. A Flows aims to guide end-users performing a well defined IAM task.
The Flow is defined by a JSON file. Name of the file can be anything, but flow.json is a recommended name. Format of the data inside must be either JSON or JSONC. The flow.json file will be picked up, loaded and exposed by the Forms module.
Last part of the URL how to access the flow. Must be unique within the forms module.
N/A
If flow can be accessed without any authentication (true/false).
false
Array of named roles user must have in order to access the flow, "one of"
Empty array: []
Should progress bar be visible (true/false).
true
Should user menu be visible (true/false).
true
Additional logging options. Note. This can be added to forms module and will then be available in all flows.
Empty array []
Steps to include for the flow. Recommendation is using @include directive for better overview.
Empty array []
Pipe executed before first step.
N/A
Pipe to execute when last step is complete.
N/A
Step used after last regular step is executed with success. Used for user notification etc. Do not out any logic here.
N/A
Step used after last regular step is executed with with failure. Used for user notification etc. Do not out any logic here.
N/A
Should next button be enabled (true/false).
true
Text on "Next" button
Next
Should save button be enabled (true/false).
true
Text on "Save" button
Save
Should restart button be enabled (true/false).
true
Text on "Restart" button
Restart
Sometimes it is necessary to perform some kind of logic before first step is rendered. Typically used for validation and or collecting data reqired in step 1.
For case like this use pre_pipe.
In order to consume data in subsequent steps, make sure the pipe returns one item. Data in this item will be accessible using {{flow.xxx}}
By default accessing a Flow requires authentication. Any authentication is expected to be handled by a trusted SAML IDP. Once authenticated, authorisation is based on the incoming SAML assertion.
In order for authentication to work, a SAML SP authenticator needs to be configured. Also, SAML SP need to share first part of URI in with Forms module.
Forms module has "http_context" configured to "/forms". The SAML must have it's "http_context" set to "/forms/xxx" ("/forms/auth" is a good pattern).
Typically the properties regarding authentication in Forms module will look something like this:
On the SAML SP side configuration will look like this:
Once the user is authenticated data from incoming assertion vill be transfered to the session.
NameID vill be the users login identifier. Other attributes will be put in the session where multivalued attributes is merged into a comma separated list.
Once authenticated all users by default can access a Flow. Restricting is based on roles attribute in the incoming assertion. By using the "requires_role" configuration parameter on the Flow restriction control is performed comparing the incoming "roles" in the assertion and data in "requires_role" for the Flow.
One value of "role" must match "requires_role" in order for user getting access.