
Authentication Mechanisms

Definition

An Authentication Mechanism is the implementation of a set of technical AM artifacts in order to provide a fully functional authentication service.

Authentication mechanisms reference authentication modules and contain conditions on the user and the request.

Authentication modules should be created before configuring an Authentication Mechanism.

Configuration

You can access the Authentication Mechanisms configuration:

  • by clicking on "Authentication" → "Authentication Mechanisms"

  • by clicking on "System" → "Configurations" → "Access Service" and performing an import/export.

Properties

| Property name | Type | Mandatory | Description | Values (default value in bold) |
|---|---|---|---|---|
| identifier | String | YES | The identifier is the unique identifier of each Authentication Mechanism. It is case sensitive and no special characters (except - or _) are allowed. | - |
| name | String | YES | The Authentication Mechanism name. The name may be different from the identifier. Specifying the name first allows the identifier to be defined automatically. Must be at least 4 characters long. | - |
| description | String | NO | The purpose of the Authentication Mechanism. | - |
| enabled | Boolean | NO | Allows activating or deactivating the Authentication Mechanism. | true, false |
| honeyPot | Boolean | NO | If enabled, this mechanism will be used as the default for users that do not match any other mechanism or if the user is unknown. | true, false |
| authenticationLevel | Integer | YES | Authentication level associated with this Authentication Mechanism. | - |
| condition | - | NO | Allows adding eligibility criteria to authenticate with this Authentication Mechanism. | - |
| configuration | - | YES | Indicates the type of Authentication Mechanism. | Kerberos: for Kerberos authentication. Simple: only one authentication module is required to authenticate users. TwoFactors: two authentication modules are required to authenticate users. |

Conditions properties

| Property name | Type | Mandatory | Description | Values (default value in bold) |
|---|---|---|---|---|
| requestCondition | SearchExpression | NO | Restricts the usage of the configured module to certain authentication requests based on the request context (browser, device, …). | - |
| userCondition | SearchExpression | NO | Restricts the usage of the configured module to certain users based on their attributes. See Access Attributes. | - |

Kerberos configuration properties

| Property name | Type | Mandatory | Description | Values (default value in bold) |
|---|---|---|---|---|
| enableOptIn | Boolean | NO | If enabled, the user might be presented with a Kerberos choice screen depending on the Kerberos choice screen display conditions. | true, false |
| optInCondition | - | NO | Conditions to display the Kerberos choice screen to users to enable Kerberos authentication (only the first time). If not configured, the Kerberos screen will be displayed to users without condition (only the first time). | - |
| modules | - | YES | Kerberos modules used by this authentication mechanism. Kerberos modules should have been already created. | - |

modules properties

| Property name | Type | Mandatory | Description | Values (default value in bold) |
|---|---|---|---|---|
| module | String | YES | List of Kerberos modules used by the authentication mechanism to authenticate users. | - |

Simple configuration properties

| Property name | Type | Mandatory | Description | Values (default value in bold) |
|---|---|---|---|---|
| module | String | YES | The authentication module used by the authentication mechanism to authenticate users. Only one authentication module can be used in a simple authentication mechanism. | - |

Two Factors configuration properties

| Property name | Type | Mandatory | Description | Values (default value in bold) |
|---|---|---|---|---|
| reportFirstModuleFailure | Boolean | NO | If enabled, the first module failure will be reported to the user and will stop the authentication chain. Although this is more user-friendly, security is increased if an attacker does not know this information. | true, false |
| firstModule | String | YES | First module used by the authentication mechanism. | - |
| secondModule | String | YES | Second module used by the authentication mechanism. | - |

Example

XML
<maiaamcp:AuthenticationMechanism id="MyKerberosMecha">
      <name>MyKerberosMecha</name>
      <description></description>
      <enabled>true</enabled>
      <authenticationLevel>0</authenticationLevel>
      <honeyPot>false</honeyPot>
      <condition>
         <requestCondition>
            <search:Prop op="IN" name="USER_AGENT">
               <value script="false">myuseragent</value>
            </search:Prop>
         </requestCondition>
      </condition>
      <configuration xsi:type="maiaamcp:KerberosAuthenticationMechanismConfigurationType">
         <enableOptIn>false</enableOptIn>
         <optInCondition>
            <requestCondition/>
         </optInCondition>
         <modules>
            <module>MyKerberos</module>
         </modules>
      </configuration>
</maiaamcp:AuthenticationMechanism>
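
The constraints in the property tables above can be checked on an exported configuration before it is imported. The following Python check is an added example, not part of the product or its documentation. It assumes that the two-factor properties appear as child elements named after the table entries, that "no special characters" means ASCII letters and digits only, and it uses a placeholder wrapper element and `urn:example` namespace.

```python
import re
import xml.etree.ElementTree as ET

ID_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumption: letters, digits, - and _ only
MANDATORY = ("name", "authenticationLevel", "configuration")

def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]

def text_of(parent, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in parent:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit(root):
    """Return (identifier, finding) pairs for every mechanism under root."""
    findings = []
    for mech in (e for e in root.iter() if local(e.tag) == "AuthenticationMechanism"):
        ident = mech.get("id", "")
        if not ID_RE.fullmatch(ident):
            findings.append((ident, "identifier has characters other than letters, digits, - or _"))
        for prop in MANDATORY:
            if not any(local(c.tag) == prop for c in mech):
                findings.append((ident, f"mandatory property '{prop}' is missing"))
        name = text_of(mech, "name")
        if name is not None and len(name) < 4:
            findings.append((ident, "name is shorter than 4 characters"))
        for cfg in mech:
            if local(cfg.tag) == "configuration" and text_of(cfg, "reportFirstModuleFailure") == "true":
                findings.append((ident, "reportFirstModuleFailure=true reports a first-module failure to the user"))
    return findings

# Constructed sample export: wrapper element, namespace URI and module names are
# placeholders; xsi:type is omitted because the page shows only the Kerberos type.
SAMPLE = """<export xmlns:maiaamcp="urn:example:maiaamcp">
  <maiaamcp:AuthenticationMechanism id="Pwd+OTP">
    <name>2FA</name>
    <configuration>
      <reportFirstModuleFailure>true</reportFirstModuleFailure>
      <firstModule>MyPassword</firstModule>
      <secondModule>MyOtp</secondModule>
    </configuration>
  </maiaamcp:AuthenticationMechanism>
</export>"""

if __name__ == "__main__":
    for ident, finding in audit(ET.fromstring(SAMPLE)):
        print(f"{ident}: {finding}")
```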
