Used when there are multiple authentication possibilities.  The dispatcher will, based on incoming data, select the appropriate route the user to the correct authentication. 

The first authenticator with a matching expression will be selected.


Name Description Default value Mandatory
mapping An array of mapping rules used to determine which authenticator should handle the incoming request. Matching rules contains of java script expressions. N/A Yes

Available data to dispatch on

The data that is available are:

  • Request (request.getParameter("myparameter", "defaultvalue"))
  • Session ("mysessionproperty", "mydefaultvalue"))
  • Item -- only if used within a SequenceAuthenticator -- (item.getPropertyValue('itemproperty',''))
  • Context ( -- the following properties are available in Context:
    • requestIssuer (In SAML, this will be the EntityID of the Service Provider issuing the AuthnRequest, in OIDC this will be the client_id parameter)
    • protocol (SAML / OIDC / INTERNAL)
    • requestedAuthenticationContext (List of requested authentication contexts from the SAML or OIDC request)
    • loginHint (the OIDC login_hint parameter)
    • bindingIsHok (SAML parameter -- is the holder-of-key binding selected for the request?)
    • signMessage (SAML parameter -- the SignMessage of the AuthnRequest)
    • isSignRequest (shorthand for 'does signMessage have a value)

Example Configuration

    "alias": "dispatch",
    "name": "AgnosticDispatcher",
    "configuration": {
        "mapping": [{
                "expression": "context.bindingIsHok",
                "authenticator": "auth1"
                "expression": "!request.getParameter('remoteAddress').startsWith('192.168.1')",
                "authenticator": "auth2"
                "expression": "context.requestIssuer.equals('myIssuerId')",
                "authenticator": "auth3"
                "expression": "context.requestedAuthenticationContext.contains('myacrvalue1')",
                "authenticator": "auth4"
                "expression": "true",
                "authenticator": "mydefaultauthenticator"


One or more protocol agnostic authenticators configured.