This authenticator is DEPRECATED. Please set up a SAML Identity Provider with the corresponding authentication method. Connect your OpenID Connect Provider to the SAML IdP using the scenario OIDC->SAML Identity Provider (internal or external).


Used when authenticating with username, password & OTP (SMS, Token or Mail).


| Name | Description | Default value | Mandatory |
|---|---|---|---|
| userValidationPipeID | The id of the pipe validating username & password | N/A | Yes |
| otpValidationPipeID | The id of the pipe validating the OTP | N/A | Yes |
| loginTemplate | Name of the template file presenting the end-user UI for entering credentials | login.template | No |
| userNameParamName | Parameter containing the username | username | No |
| otpParamterName | Parameter containing the OTP. This will then be placed in the "password" parameter when sent for validation | password | No |
| otp | Name of the template file presenting the end-user UI for entering the OTP | otp | No |
| useSessionManagement | Whether or not to return session_state | false | No |

Example Configuration

    {
        "alias": "oidcuidpwdotp",
        "name": "OIDCPostUidPasswordAndOTP",
        "configuration": {
            "userValidationPipeID": "authPipe",
            "otpValidationPipeID": "otpvalidation"
        }
    }

To use consent, two parts need to be configured: the authenticator in use and the OTP validation pipe.

Two consent parameters must be configured on the authenticator.

Secondly, an additional valve, OIDCConsentDataValve, must be configured with the data the user will be asked to approve being sent. The format and available rules of the consent data can be found on the documentation page for the OIDCConsentDataValve.


When using consent, a session must be available and the OIDCConsentDataValve must be placed before the SessionPersistValve in the pipe.

The data must be fetched prior to OIDCConsentDataValve, for example with LDAPSearchValve. In the example above, the data is fetched in the authentication pipe and stored on the session.
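
A configuration check for the parameter table and the valve-ordering rule on this page, written as an added example that is not part of the product or its documentation. The pipe layout (an object with an ordered `valves` list whose entries carry a `name`) and the sample data are assumptions constructed for illustration.

```python
import json

# Parameter name -> mandatory flag, copied from the table on this page.
# The consent parameters are not named on this page; add them when used.
KNOWN_PARAMS = {
    "userValidationPipeID": True, "otpValidationPipeID": True,
    "loginTemplate": False, "userNameParamName": False,
    "otpParamterName": False,  # spelled as on the page
    "otp": False, "useSessionManagement": False,
}

def check_authenticator(auth):
    """Return findings for one authenticator object."""
    conf = auth.get("configuration", {})
    findings = [f"missing mandatory parameter: {name}"
                for name, mandatory in KNOWN_PARAMS.items()
                if mandatory and name not in conf]
    # A misspelled key is silently ignored by a JSON parser, so flag it.
    findings += [f"parameter not in the documented table: {name}"
                 for name in conf if name not in KNOWN_PARAMS]
    return findings

def check_consent_order(pipe):
    """OIDCConsentDataValve must be placed before SessionPersistValve."""
    names = [valve.get("name") for valve in pipe.get("valves", [])]
    if "OIDCConsentDataValve" not in names:
        return ["pipe has no OIDCConsentDataValve"]
    if "SessionPersistValve" not in names:
        return ["pipe has no SessionPersistValve to order against"]
    if names.index("OIDCConsentDataValve") > names.index("SessionPersistValve"):
        return ["OIDCConsentDataValve is placed after SessionPersistValve"]
    return []

# Constructed sample input: a wrongly cased key and a wrongly ordered pipe.
SAMPLE_AUTH = json.loads("""{
  "alias": "oidcuidpwdotp",
  "name": "OIDCPostUidPasswordAndOTP",
  "configuration": {
    "userValidationPipeID": "authPipe",
    "otpValidationPipeId": "otpvalidation"
  }
}""")
SAMPLE_PIPE = {"id": "otpvalidation", "valves": [
    {"name": "SessionPersistValve"}, {"name": "OIDCConsentDataValve"}]}

if __name__ == "__main__":
    for finding in check_authenticator(SAMPLE_AUTH) + check_consent_order(SAMPLE_PIPE):
        print(finding)
```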