
Authentication channel

The following channels are known:

Request servlet suffix | Channel

Default channel is This channel represents the GUI, but does not have a defined suffix.


  • The configuration schema for flexible authentication is designed to be mostly complete. However, not all configuration options are currently supported.
  • Flexible authentication is currently supported only for the midPoint administration GUI. Only internal password authentication and SAML2 are officially supported. The rest of the functionality is considered experimental.
  • The OpenID Connect protocol is not supported yet.
  • Social login functionality is not supported yet.
  • It is unlikely that midPoint could be used as a member of an identity federation directly. An identity proxy or a similar technology may be needed.
  • Authentication configuration is global. Only the global security policy can be used to configure authentication (i.e. the security policy referenced directly from the system configuration object). Per-organization security policies or any other security policies cannot be used.
  • Support for authentication module necessity is limited. Only SUFFICIENT modules are supported in 4.1.
  • Authentication modules for REST and SOAP web services are not supported in midPoint 4.1 because SOAP is deprecated and it will be removed soon.
  • The REST service supports HTTP basic authentication only. Distributed authentication protocols (OpenID Connect, SAML) are not supported yet.
  • Even though the authentication configuration often suggests that there may be more than one instance of credentials (password, nonce), midPoint currently supports only a single password, a single nonce and a single set of security questions. Multiple credentials are not supported. Credential names are mentioned in the configuration schema so that midPoint functionality can be extended in the future.