The basic idea of flexible authentication is described on the Flexible Authentication page. Before we describe the configuration of flexible authentication, we have to become acquainted with a few terms.
An authentication module is the basic building unit of flexible authentication. The simplest example of an authentication module is the classic login form found in almost every application: a form with a field for a username or email and a field for a password. The login form represents one authentication module; other modules can be authentication via LDAP, HTTP basic authentication, authentication via an Identity Provider server, etc. Every authentication module carries a set of configuration properties that define the configuration for that kind of module.
| Request servlet suffix | Channel | Note |
|---|---|---|
| (no suffix) | | Default one, represents the GUI. No suffix specified. |
By default, the channels for REST and actuator do not create audit records about session creation or termination. You can turn this on in the System Configuration via the setting audit->eventRecording->recordSessionlessAccess.
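As an added illustration (not part of the original page or of the midPoint project documentation), the setting above expressed as a fragment of the system configuration object. The element path audit -> eventRecording -> recordSessionlessAccess follows the text; the XML namespace, the object oid and name, and the assumption that the element takes a boolean value are ours:

```xml
<!-- Added example, not from the midPoint documentation: turn on audit records
     for sessionless REST and actuator access.
     Assumed: namespace, oid and name of the systemConfiguration object, and
     that recordSessionlessAccess takes a boolean value. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                     oid="00000000-0000-0000-0000-000000000001">
    <name>SystemConfiguration</name>
    <audit>
        <eventRecording>
            <!-- Path from the text: audit -> eventRecording -> recordSessionlessAccess -->
            <recordSessionlessAccess>true</recordSessionlessAccess>
        </eventRecording>
    </audit>
</systemConfiguration>
```

Without this setting, a REST or actuator request that authenticates, acts and disconnects leaves no session-lifecycle audit record, so an investigation that relies on session creation and termination events would not see that access at all; enable it before relying on the audit log for sessionless channels.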
- Configuration schema for flexible authentication is designed to be mostly complete. However, not all configuration options are currently supported.
- Flexible authentication is currently supported only for the midPoint administration GUI. Only internal password authentication and SAML2 are officially supported. The rest of the functionality is considered experimental.
- OpenID Connect protocol is not supported yet.
- Social login functionality is not supported yet.
- It is unlikely that midPoint could be used as a member of identity federation directly. Identity proxy or a similar technology may be needed.
- Authentication configuration is global. Only the global security policy can be used to configure authentication (i.e. the security policy referenced directly from the system configuration object). Per-organization security policies or any other security policies cannot be used.
- Support for authentication module necessity is limited. Only SUFFICIENT modules are supported in 4.1.
- Authentication modules for SOAP web services are not supported, because SOAP is deprecated and will be removed soon.
- The REST service supports HTTP basic authentication only. Distributed authentication protocols (OpenID Connect, SAML) are not supported yet. REST support for flexible authentication is experimental.
- Even though the authentication configuration often suggests that there may be more than one instance of a credential (password, nonce), midPoint currently supports only a single password, a single nonce and a single set of security questions. Multiple credentials are not supported. Credential names are mentioned in the configuration schema only to allow the functionality to be extended in the future.