Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »


This feature is experimental. It means that it is not intended for production use. The feature is not finished. It is not stable. The implementation may contain bugs, the configuration may change at any moment without any warning and it may not work at all. Use at your own risk.

MidPoint 4.1 and later

Basic idea of flexible authentication can see on Flexible Authentication.

Basic configuration

Flexible authentication is configured in Security Policy, which is used as global security policy in System Configuratin. Base tag is <authentication>.  Configuration consists of modules and sequences. Module is basic building element. Each element has a configuration of a particular authentication element instance. Each modules specified in the container must have unique name. Sequence is a sequence of authentication modules. The modules is invoked in order. The purpose of the sequence is to guide user through a complete authentication process.

Module configuration

Now is supported only three modules: formLogin, saml2, httpHeader. Each from contains common attributes:


Unique name of the authentication module. This name is fact a short identifier. It is supposed to give some idea about nature of the module to system administrator. But it is not supposed to be used as a user-friendly label for the module. The name is also used in the url, so it should not contain special characters.

descriptionFree form description of the module (administrator comment).falseString

formLogin module

FormLogin module is used for interactive log-in of a user by using HTML forms. 


Pseudo-authentication for pre-authenticated users. Based on HTTP header values. This module contains specific attributes:

usernameHeaderName of HTTP header that contains username.trueString
logoutUrlUrl for redirect after logout. Default is '/'.falseString


SAML2 authentication module support authentication via Identity provider with SAML2. SAML2 module have little bit complicated configuration. This module contains specific attributes:

serviceProviderBasic configuration of SP.trueAuthenticationModuleSaml2ServiceProviderType
networkNetwork configuration of REST requests.falseAuthenticationModuleSaml2NetworkType


AuthenticationModuleSaml2NetworkType have only two attributes:



AuthenticationModuleSaml2ServiceProviderType contains following configuration attributes:

entityIdUnique identifier of the service provider.trueString
aliasUnique alias used to identify the selected local service provider based on used URL.falseStringBase-on sequence and name of module
defaultSigningAlgorithmDefault signing algorithm. Possible values are RSA_SHA1, RSA_SHA256, RSA_SHA512 and RSA_RIPEMD160.falseenumRSA_SHA256
defaultDigestDefault digest method. possible values are  SHA1, SHA256, SHA512 and RIPEMD160.falseenumSHA256
signMetadataWhen true generated metadata will be signed using XML Signature using certificate with alias of signing key.falsebooleanfalse
signRequestsFlag indicating whether this service signs authentication requests.falsebooleanfalse
wantAssertionsSignedFlag indicating whether this service requires signed assertions.falsebooleanfalse
singleLogoutEnabledFlag indicating whether this service enable single logout.falsebooleantrue
nameIdName identifiers to be included in the metadata. Supported values are: EMAIL, TRANSIENT, PERSISTENT, UNSPECIFIED and X509_SUBJECT. Order of NameIDs in the property determines order of NameIDs in the generated metadata.falseenum
keysKey used by service provider.trueAuthenticationModuleSaml2KeyType
providerPossible identity providers for this service provider.trueAuthenticationModuleSaml2ProviderType
metadataService provider can use prepared metadata.falseAuthenticationModuleSaml2MetadataType


AuthenticationModuleSaml2KeyType contains only two attributes 'active'  and 'standBy', both are type AuthenticationModuleSaml2SimpleKeyType, which contains following attributes:

nameName of key.trueString
privateKeyPrivate key.trueProtectedStringType
certificateCertificate of key.trueProtectedStringType
typeType of key. Possible values are SIGNING, UNSPECIFIED and ENCRYPTION.falseenum
  • No labels