A highly configurable authenticator that relies on a pipe being run successfully. Can request any number of string inputs from a template, with customizable names and types. Can also be used for certificate based authentication by rerouting through a different host or url suffix.


Name Description Default value Mandatory
pipeID Id of the pipe used to verify the username and password N/A Yes
loginTemplate UI template used for rendering enduser UI dynamicauthenticator.template No
textEntryParameters Which text based parameters are required to run the pipe No
headerTranslationKey Translation key for the header of the template login.messages.header No
descriptionTranslationKey Translation key for the description of the template No
titleTranslationKey Translation key for the title of the template login.messages.title No
signInTranslationKey Translation key for the 'sign in' button of the template login.messages.signin No
errorTranslationKey Translation key for the error message in the template login.messages.generalerror No
userIdentifierAttribute Which attribute in the resulting item should be used as a user identifier? User identifier can also be set from the textEntryParameters as seen in the exaxmple. userName No
headerTranslationKey Translation key for the header of the template login.messages.header No
shouldReroute Whether or not to reroute the request using rerouteUrlBase or rerouteUrlSuffix. Used for certificate based authentication. false No
rerouteUrlBase Base URL for reroute. Example: https://myreroutehost:9075 No
rerouteUrlSuffix URL Suffix for reroute. Will remove the '/login' part of the url path and replace it with '/urls/mysuffix'. No

Example Configuration

The first example configuration is for a Username & Password authenticator. It has two textEntryParameters, one of which is used as a user identifier. The input translation keys need to be explicitly configured like in the example. "type": "password" will make the input a password input. The pipe then typically consists of a combination of LockoutCheckValve, LdapSearchValve and LdapBindValve.

  "id" : "2487e92b-9a76-478a-8337-ae93d5af4588",
  "alias" : "uidpwd",
  "name" : "DynamicAuthenticator",
  "displayName" : "Username & Password",
  "configuration" : {
    "pipeID" : "defd8cce-d3db-4ad4-a9aa-041998a549dd",
    "textEntryParameters" : [ {
      "name" : "username",
      "isUserIdentifier" : "true",
      "inputTranslationKey" : "login.messages.username"
    }, {
      "name" : "password",
      "inputTranslationKey" : "login.messages.password",
      "type" : "password"
    } ]

The second example is a certificate based authentication. It will first redirect to the "rerouteUrlBase" (with the same path as the current request), which is a configured proxy server / load balancer that will perform mutual TLS and request a client certificate and add it to the request, and then send the request forward to the same path as before which should be configured to lead to this authenticator again. This time a "userIdentifierAttribute" is set from the resulting item in the pipe.

A pipe here would normally consist of CertificateExtractorValve, LdapSearchValve, ItemMergeValve,  CertificateValidatorValve, and FlowFailValve.

    "id" : "2487e92b-9112-478a-5500-ae93d5af4588",
    "alias" : "certificate",
    "name" : "DynamicAuthenticator",
    "configuration" : {
      "pipeID" : "certificatepipe",
      "shouldReroute" : "true",
      "rerouteUrlBase" : "https://mydomain.com:9970",
      "userIdentifierAttribute" : "uid"
Click to copy