Overview using authenticators

TBD

Overview - Authenticators

Fortified ID Access can function as a SAML Identity Provider (IdP) and an OpenID Connect OpenID Provider (OIDC OP) to authenticate users. In addition to user authentication, Fortified ID Access provides a flexible framework for controlling and enriching authentication flows.

Authentication in Fortified ID Access is built around authenticators, which are divided into two main categories:

Credential Validators

Credential Validators are responsible for authenticating the user’s identity. Fortified ID Access includes several built-in credential validators, such as:

  • Swedish BankID

  • Freja eID

  • Foreign ID (eIDAS)

  • SAML Broker

Flow Controls

Flow Controls are used to apply additional logic to the authentication flow. They can consume data from credential validators or other flow controls to perform validations, enrich user data, or control access decisions.

Common use cases for flow controls include:

  • Verifying whether an authenticated user is authorized to access a specific resource, for example by checking group membership or attribute values in a database.

  • Retrieving additional user attributes from external data sources such as LDAP, SQL databases, Microsoft Entra ID, or Google, and including them in SAML assertions or OIDC claims.

  • Handling scenarios where an authenticated user is associated with multiple accounts by presenting an account selector that allows the user to choose which account to sign in with.

  • Invoking external services during the authentication process, for example to automatically provision an account for the authenticating user.

  • Performing step-up authentication, where additional authentication is required based on context. For example, a user who initially authenticates with a username and password may be required to perform a stronger authentication using an eID, such as Swedish BankID or Freja eID, when accessing a sensitive application or function.

How is data passed between authenticators?

This section describes how data is propagated between authenticators in an authentication flow.

Data can be produced either directly by an authenticator or by a pipe associated with the authenticator. Data generated by an authenticator is stored as state data. Each individual value within the state is referred to as an item. To reference data in local state, use the syntax:

item.<property>

To make data available to subsequent authenticators in the flow, an authenticator can export items to the global state. Once exported, the data can be referenced by other authenticators using the syntax:

exports.<item_property>

Note: Some authenticators, such as EnrichIdentity, automatically export all local state data to the global state.

Data collected from user input via a web interface—for example, when a user enters a username or password—is stored in the request state. This data can be referenced using the syntax:

request.<property>
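The three scopes described above, modelled as an added example: constructed illustration code, not Fortified ID Access's own implementation. The `validate_password` and `authorize` authenticators, the `run_authenticator` export rule and the sample user list are all assumptions made for the example; the point it shows is that only exported items become visible to later authenticators.

```python
# Added example: a minimal model of the state scopes described above
# ("item." local state, "exports." global state, "request." user input).
# Constructed illustration code, not Fortified ID Access's implementation.
from dataclasses import dataclass, field


@dataclass
class FlowState:
    """Per-authenticator local items, shared global exports, and request data."""
    request: dict = field(default_factory=dict)
    exports: dict = field(default_factory=dict)
    local: dict = field(default_factory=dict)

    def resolve(self, ref: str):
        """Resolve 'item.x', 'exports.x' or 'request.x'; KeyError if absent."""
        scope, _, prop = ref.partition(".")
        scopes = {"item": self.local, "exports": self.exports, "request": self.request}
        if scope not in scopes or not prop:
            raise KeyError(f"invalid reference: {ref!r}")
        return scopes[scope][prop]

    def run_authenticator(self, produce, export=(), export_all=False):
        """Run one authenticator. Its items land in local state; only the named
        items (or all of them, as EnrichIdentity does) are copied to exports."""
        self.local = dict(produce(self))
        for key in (self.local if export_all else export):
            self.exports[key] = self.local[key]


def validate_password(state: FlowState) -> dict:
    # Hypothetical credential validator: reads the submitted form fields and
    # produces items; 'checked_with' is kept local and never exported.
    user = state.resolve("request.username")
    return {"username": user, "checked_with": "password"}


def authorize(state: FlowState) -> dict:
    # Hypothetical flow control: may only consume exported data.
    allowed = {"alice"}  # constructed sample authorization list
    return {"authorized": state.resolve("exports.username") in allowed}


def run_flow(username: str, password: str) -> FlowState:
    state = FlowState(request={"username": username, "password": password})
    state.run_authenticator(validate_password, export=("username",))
    state.run_authenticator(authorize, export_all=True)
    return state
```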

For detailed information about each authenticator, refer to the Authenticator section of the Fortified ID Access documentation.
