{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Options common to profiles that perform authentication:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"71827d4c-85ed-4bec-8531-fc5c30f0a90a"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[282.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[790.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[282.0]},"content":[{"type":"paragraph","content":[{"text":"postAuthenticationFlows","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"List","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[790.0]},"content":[{"type":"paragraph","content":[{"text":"Ordered list of ","type":"text"},{"text":"profile interceptor","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP5/pages/3199509815"}}]},{"text":" flows to run after successful authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[282.0]},"content":[{"type":"paragraph","content":[{"text":"defaultAuthenticationMethods","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"List","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[790.0]},"content":[{"type":"paragraph","content":[{"text":"Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt, in the event that a relying party does not signal a preference. See ","type":"text"},{"text":"AuthenticationFlowSelection","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP5/pages/3199505253"}}]},{"text":".","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[282.0]},"content":[{"type":"paragraph","content":[{"text":"forceAuthn","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[790.0]},"content":[{"type":"paragraph","content":[{"text":"Disallows use (or reuse) of authentication results and login flows that don't provide a real-time proof of user presence in the login process","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[282.0]},"content":[{"type":"paragraph","content":[{"text":"proxyCount","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"Non-Negative Integer","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[790.0]},"content":[{"type":"paragraph","content":[{"text":"Limits use of proxying either to service providers downstream or when requesting authentication from identity providers upstream. This will generally depend on whether a particular protocol supports the feature.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Guidance","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"postAuthenticationFlows","type":"text","marks":[{"type":"code"}]},{"text":" property is used to apply special processing to requests, such as ","type":"text"},{"text":"attribute release consent","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP5/pages/3199509862"}}]},{"text":", ","type":"text"},{"text":"password expiration warnings","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP5/pages/3199509968"}}]},{"text":", ","type":"text"},{"text":"authorization checks","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP5/pages/3199509927"}}]},{"text":", or other custom processing.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Examples of postAuthenticationFlows property","type":"text","marks":[{"type":"strong"}]}]},{"type":"expand","attrs":{"title":"Examples of postAuthenticationFlows property"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\t\n\t\n\n\t\n\t\n\n\t\n\t\n\n","type":"text"}]}]},{"type":"rule"},{"type":"paragraph","content":[{"text":"With the increased use of multi-factor authentication, it is more common to find RPs that can specify authentication requirements, but there are still many cases, particular with commercial services, in which it becomes necessary to force the use of specific login methods. This can be achieved using the ","type":"text"},{"text":"defaultAuthenticationMethods","type":"text","marks":[{"type":"code"}]},{"text":" property by specifying one or more corresponding Principals to trigger the use of stronger methods.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that you must also prevent a malicious actor from overriding this preference for a SAML 2.0 SP by manufacturing a request, via one of two means:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For a SAML 2.0 SP that can sign its requests, its metadata can be modified with the ","type":"text"},{"text":"AuthnRequestsSigned","type":"text","marks":[{"type":"code"}]},{"text":" flag to indicate that its requests must be signed.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Alternatively, the ","type":"text"},{"text":"disallowedFeatures","type":"text","marks":[{"type":"code"}]},{"text":" property may be set with the ","type":"text"},{"text":"SAML2.SSO.FEATURE_AUTHNCONTEXT","type":"text","marks":[{"type":"strong"}]},{"text":" bean to block use of the SAML 2.0 ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" feature.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"At present, no other authentication profiles support a feature capable of requesting the authentication method.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Examples of defaultAuthenticationMethods property","type":"text","marks":[{"type":"strong"}]}]},{"type":"expand","attrs":{"title":"Examples of defaultAuthenticationMethods property"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n\n\n\n\t\n\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\n\n\t\n\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\n\n","type":"text"}]}]}],"version":1}

Browser not supported