Internal Authentication in PAS 5.1 and beyond

Since the introduction of protocol agnostic authenticators in PAS 5.1, internal authenticators can also be replaced by the new generation of authenticators via minimal configuration. In the PAS configuration manager, if you click "Advanced", and then "Internal authentication endpoints" you can add authentication endpoints there, following this format:

  "id": "my_internal_endpoint_id",
  "authenticatorId": "my_authenticator_id",
  "successURL": "/selfservice",
  "addRoles":"auth:selfservice_enabled_user" //optional
Click to copy

So you simply configure an ID, an authenticator, a success URL, and optionally, roles that should be added after successful authentication. This internal authentication endpoint is available via the following path: "<base_url>/authentication/internal/<internal_endpoint_id>". Where "base_url" is the base URL of the module you want to authenticate for (this is important as the authentication cookie is unique for the base path). The base_url is often the same as the successURL. Once you have set up your internal authentication endpoint, simply add the URL to your module configuration like such: 

  "id": "my_prism_module",
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/selfservice",
    "auth_redirect_url": "/selfservice/authentication/internal/my_internal_endpoint_id",
    "module_refs": "selfservice_module_id"
Click to copy

This will make your /selfservice path redirect to your new internal authentication endpoint (if you are not already authenticated at the module). If the authentication is successful, you are redirected to your successURL, which in this example is a PRISM module that opens SelfService. 

    "name": "com.phenixidentity~phenix-prism-selfservice",
    "enabled": "false",
    "prism_enabled": "true",
    "config": {
      "display_name": "guides.selfservice.title",
      "base_uri": "selfservice",
      "http_configuration_ref": "6fd8f1a7-1f2e-41f0-b91f-24ebcecb53a1",
      "url_prefix": "",
      "resource_ref": "c713cd42-dc6b-492a-9c4f-1c5f00d2b9e3",
      "use_push": "true",
      "requires_role": "auth:selfservice_enabled_user"
    "guide_id": "guides.selfservice",
    "created": "2024-03-06T13:04:57.245Z",
    "id": "9bc6e399-cbe8-4f96-98ac-c93703ce0b5b"
Click to copy

We can see that the configuration of selfservice requires a specific role: "auth:selfservice_enabled_user" which allows us to access the selfservice module. When we configured our internal authentication endpoint we added a property "addRoles" that added this role so that we can access it. Roles can still be added in the authentication pipe as it has been before, this is simply an extra configuration option to make authenticators more reusable.