AgnosticDispatcher
Used when there are multiple authentication possibilities. Based on incoming data, the dispatcher selects the appropriate authenticator and routes the user to it.
The first authenticator with a matching expression will be selected.
Properties
Available data to dispatch on
The following data is available:
- Request (request.getParameter("myparameter", "defaultvalue"))
- Session (session.properties().getValueOrDefault("mysessionproperty", "mydefaultvalue"))
- Item -- only if used within a SequenceAuthenticator -- (item.getPropertyValue('itemproperty',''))
- Context (context.property) -- the following properties are available in Context:
  - requestIssuer (in SAML, this is the EntityID of the Service Provider issuing the AuthnRequest; in OIDC, this is the client_id parameter)
  - protocol (SAML / OIDC / INTERNAL)
  - requestedAuthenticationContext (list of requested authentication contexts from the SAML or OIDC request)
  - loginHint (the OIDC login_hint parameter)
  - bindingIsHok (SAML parameter -- is the holder-of-key binding selected for the request?)
  - signMessage (SAML parameter -- the SignMessage of the AuthnRequest)
  - isSignRequest (shorthand for 'does signMessage have a value?')
Example Configuration
{
  "alias": "dispatch",
  "name": "AgnosticDispatcher",
  "configuration": {
    "mapping": [
      {
        "expression": "context.bindingIsHok",
        "authenticator": "auth1"
      },
      {
        "expression": "!request.getParameter('remoteAddress').startsWith('192.168.1')",
        "authenticator": "auth2"
      },
      {
        "expression": "context.requestIssuer.equals('myIssuerId')",
        "authenticator": "auth3"
      },
      {
        "expression": "context.requestedAuthenticationContext.contains('myacrvalue1')",
        "authenticator": "auth4"
      },
      {
        "expression": "true",
        "authenticator": "mydefaultauthenticator"
      }
    ]
  }
}
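Because the first matching expression wins, the order of the mapping entries is part of the authentication policy. The following review script is an added example, not part of the product or its documentation: it checks a mapping for rules placed after a catch-all "true" entry, for a missing catch-all, and for IP prefix tests such as startsWith('192.168.1'), which as a plain string prefix also matches 192.168.10.x. The function name lint_mapping, the checks themselves and the sample input are assumptions made for illustration.

```python
import json
import re

# Constructed sample config (not from the page): the catch-all is placed too
# early and the IP prefix test has no trailing dot.
SAMPLE = json.loads("""
{"alias": "dispatch", "name": "AgnosticDispatcher", "configuration": {"mapping": [
  {"expression": "context.bindingIsHok", "authenticator": "auth1"},
  {"expression": "!request.getParameter('remoteAddress').startsWith('192.168.1')", "authenticator": "auth2"},
  {"expression": "true", "authenticator": "mydefaultauthenticator"},
  {"expression": "context.requestIssuer.equals('myIssuerId')", "authenticator": "auth3"}
]}}
""")

# startsWith('a.b.c') with no trailing dot is a string prefix, not a subnet test.
PREFIX_RE = re.compile(r"startsWith\(\s*['\"](\d{1,3}(?:\.\d{1,3}){0,2})['\"]\s*\)")


def lint_mapping(config):
    """Return a list of (rule_index, message) findings for a dispatcher mapping."""
    findings = []
    mapping = config.get("configuration", {}).get("mapping", [])
    catch_all = None  # index of the first rule whose expression is literally "true"
    for i, rule in enumerate(mapping):
        expr = rule.get("expression", "").strip()
        if not rule.get("authenticator"):
            findings.append((i, "rule has no authenticator"))
        if catch_all is not None:
            findings.append((i, f"unreachable: rule {catch_all} always matches first"))
            continue
        if expr == "true":
            catch_all = i
        m = PREFIX_RE.search(expr)
        if m:
            findings.append((i, f"prefix '{m.group(1)}' also matches longer octets, "
                                f"e.g. {m.group(1)}0.x; end the prefix with a dot"))
    if catch_all is None:
        findings.append((len(mapping), "no catch-all 'true' rule as the last entry"))
    return findings


if __name__ == "__main__":
    for idx, msg in lint_mapping(SAMPLE):
        print(f"rule {idx}: {msg}")
```

The script only inspects the text of each expression; it does not evaluate expressions or contact any server.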
Requirements
One or more protocol-agnostic authenticators must be configured.