Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »


This feature is experimental. It means that it is not intended for production use. The feature is not finished. It is not stable. The implementation may contain bugs, the configuration may change at any moment without any warning and it may not work at all. Use at your own risk.

MidPoint 4.1 and later

Basic idea of flexible authentication can see on Flexible Authentication.

Basic configuration

Flexible authentication is configured in Security Policy, which is used as global security policy in System Configuratin. Base tag is <authentication>.  Configuration consists of modules and sequences. Module is basic building element. Each element has a configuration of a particular authentication element instance. Each modules specified in the container must have unique name. Sequence is a sequence of authentication modules. The modules is invoked in order. The purpose of the sequence is to guide user through a complete authentication process.

Module configuration

Now is supported only three modules: formLogin, saml2, httpHeader. Each from contains common attributes:


Unique name of the authentication module. This name is fact a short identifier. It is supposed to give some idea about nature of the module to system administrator. But it is not supposed to be used as a user-friendly label for the module. The name is also used in the url, so it should not contain special characters.

descriptionFree form description of the module (administrator comment).falseString

formLogin module

FormLogin module is used for interactive log-in of a user by using HTML forms. 

Example of formLogin module
    <description>Internal username/password authentication, default user password, login form</description>


Pseudo-authentication for pre-authenticated users. Based on HTTP header values. This module contains specific attributes:

usernameHeaderName of HTTP header that contains username.trueString
logoutUrlUrl for redirect after logout. Default is '/'.falseString
Example of httpHeader module


SAML2 authentication module support authentication via Identity provider with SAML2. SAML2 module have little bit complicated configuration. This module contains specific attributes:

serviceProviderBasic configuration of SP.trueAuthenticationModuleSaml2ServiceProviderType
networkNetwork configuration of REST requests.falseAuthenticationModuleSaml2NetworkType


AuthenticationModuleSaml2NetworkType have only two attributes:



AuthenticationModuleSaml2ServiceProviderType contains following configuration attributes:

entityIdUnique identifier of the service provider.trueString
aliasUnique alias used to identify the selected local service provider based on used URL.falseStringBase-on sequence and name of module
defaultSigningAlgorithmDefault signing algorithm. Possible values are RSA_SHA1, RSA_SHA256, RSA_SHA512 and RSA_RIPEMD160.falseenumRSA_SHA256
defaultDigestDefault digest method. possible values are  SHA1, SHA256, SHA512 and RIPEMD160.falseenumSHA256
signMetadataWhen true generated metadata will be signed using XML Signature using certificate with alias of signing key.falsebooleanfalse
signRequestsFlag indicating whether this service signs authentication requests.falsebooleanfalse
wantAssertionsSignedFlag indicating whether this service requires signed assertions.falsebooleanfalse
singleLogoutEnabledFlag indicating whether this service enable single logout.falsebooleantrue
nameIdName identifiers to be included in the metadata. Supported values are: EMAIL, TRANSIENT, PERSISTENT, UNSPECIFIED and X509_SUBJECT. Order of NameIDs in the property determines order of NameIDs in the generated metadata.falseenum
keysKey used by service provider.trueAuthenticationModuleSaml2KeyType
providerPossible identity providers for this service provider.trueAuthenticationModuleSaml2ProviderType
metadataService provider can use prepared metadata.falseAuthenticationModuleSaml2MetadataType


AuthenticationModuleSaml2KeyType contains only two attributes 'active'  and 'standBy', both are type AuthenticationModuleSaml2SimpleKeyType, which contains following attributes:

nameName of key.trueString
privateKeyPrivate key.trueProtectedStringType
certificateCertificate of key.trueProtectedStringType
typeType of key. Possible values are SIGNING, UNSPECIFIED and ENCRYPTION.falseenum


AuthenticationModuleSaml2ProviderType represent one Identity Providers. AuthenticationModuleSaml2ProviderType contains following attributes:

entityIdUnique identifier of the service provider.trueString
aliasUnique alias used to identify the selected local service provider based on used URL.trueString
metadataMetadata of Identity provider.trueAuthenticationModuleSaml2MetadataType
skipSslValidationFlag for skipping of ssl validation.falsebooleanfalse
metadataTrustCheckFlag indicating disabled signature verification.flasebooleanfalse
linkTextUser friendly name of provider.falseString
authenticationRequestBindingSAML2 binding used for authentication request.trueString
nameOfUsernameAttributeName of attribute in response, which value define name of user in Midpoint. For example 'uid'.trueString


AuthenticationModuleSaml2MetadataType represent metada of provider. You can choise from one definition for metadata: metadataUrlxml and pathToFile.

Error rendering macro 'code': Invalid value specified for parameter 'com.atlassian.confluence.ext.code.render.InvalidValueException'
    <description>My internal enterprise SAML-based SSO system.</description>
                    <t:clearValue>"primary key"</t:clearValue>
				<xml>'xml file of metadata encode by base64'</xml>

Sequence configuration

Sequence contains follow attributes: 

nameUnique name of the authentication sequence. This name is fact a short identifier. It is supposed to give some idea about purpose of the sequence to system administrator. But it is not supposed to be used as a user-friendly label. Sequence name must be unique.trueString
descriptionFree form description of the sequence (administrator comment).falseString
channelSpecification of channel for authentication sequence.falseAuthenticationSequenceChannelType
requireAssignmentTargetRequired assignment target. This authentication sequence is applicable only to users that have active assignment with this target (and relation). If the sequence is attempted on a user that does not have this assignment then the authentication will fail.falseObjectReferenceType
moduleSpecification of authentication module in the sequence.trueAuthenticationSequenceModuleType


Channel specification for authentication sequence. It specifies whether this sequence is usable for a specific channel (user/GUI, REST, etc.) AuthenticationSequenceChannelType contains follow attributes:

channelIdName (URI) of the channel.trueString
descriptionFree form description (administrator comment).falseString
defaultSpecifies whether this sequence is the default sequence for a specified channel. The default sequence will be chosen in case that specific sequence was not requested, e.g. by using URL suffix. If this element is not present and only a single sequence is defined for a channel, then such sequence is considered to be the default. If more than one sequence is specified then none of them is considered to be default. In that case this element must be used explicitly.falseboolean
urlSuffixURL suffix that can be used to select this authentication sequence specifically.falseString


Specification of authentication module in the sequence. The authentication modules are evaluated in sequence (or in parallel if possible). At least one authentication module must succeed for authentication to be successful. If there are required or requisite modules in the sequence then all of them must succeed for the sequence to be successful. AuthenticationSequenceModuleType contains follow attributes:

nameReference to the authentication module name. Value of this element must match name of existing authentication module.trueString
descriptionFree form description (administrator comment).falseString
orderOrdering number for the module. The modules are sorted according to those numbers.false100
necessityNecessity, i.e. the level of requirement, whether the module is mandatory or optional. We support only SUFFICIENT modules in 4.1.falseSUFFICIENT
Example of default sequence
    	Default GUI authentication sequence.
        We want to try company SSO, federation and internal. In that order.
        Just one of then need to be successful to let user in.
Example of sequence for administrator login
    	Special GUI authentication sequence that is using just the internal user password.
        It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
        that the SAML authentication is redirecting the browser incorrectly.
    <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
    <!-- Superuser -->
  • No labels