Create authentication flows

View authentication flows

1. Click > Security > Authentication Flows. The Authentication Flows page appears.

a. Click next to the authentication flow to see the flowchart.

b. Click OK to close the flow.

-or-

a. Click the name of the authentication flow (for example, Access Denied).

b. Click Cancel to return to the Authentication Flows list.

When you clone an authentication flow, you can do the following:

● Give it a new name.

● Change the Login Flows.

● Select the First Factor for User Login flow.

● Select and reorder the Second Factor authenticators for the Login Flow.

Note: If you enable Identity Provider as a Login Flow, select the Identity Providers the user can access through the authentication flow as shown in the following figure.

Clone an authentication flow

1. Click > Security > Authentication Flows. The Authentication Flows page appears.

2. Click next to the authentication flow you want to clone.

3. By default the name appears as copy (for example, Password and Second Factor copy).

4. Edit the following, as required:

5. Enter a Name for the authentication flow.

6. Select the applicable Enable Login Flows.

● User Certificate is a passwordless authentication option that allows a user to use a certificate to log in.

● Smart Login and Passkey are authentication options that do not require the user ID to be entered first.

● Identity Provider forwards the user to an external SAML or OIDC Identity Provider to authenticate, for example, Facebook. Identity Provider does not require the user ID to be entered first.

● User Login requires the user to log in with their username and then respond to an authentication challenge presented by IDaaS.

7. If you enable Identity Provider as a Login Flow, complete the following:

a. Select the Identity Providers the user can access through the resource rule as shown in the following sample figure.

In this example, Generic requires access through the conditions of the resource rule. Generic2 cannot be used in this authentication flow.

b. If you want to require second-factor authentication to access an Identity Provider, select Enable Second Factor for Identity Provider.

c. Select the Second Factor authenticators that can be used for authentication.

d. Click and drag the selected Second Factors authenticators so that they are ordered from top to bottom in order of preference.

Note: If you want to configure different second-factor authentication requirements for various Identity Providers, you need to create a unique authentication flow for each one.

For example, if you want Generic to require grid or OTP for second-factor authentication but Generic2 to only require OTP, you need to create separate authentication flows and unique resource rules for each one—an authentication flow for Generic that requires grid and OTP and a second authentication flow for Generic2 that requires only OTP.

8. If you enable User Login flow, complete the following:

a. Select the First Factor from the drop-down list. The type of authenticator selected is the first type of authentication challenge a user must complete to access the application.

b. Select the Second Factor authenticators that can be used for authentication.

c. Click and drag the Second Factor authenticators so that they are ordered from top to bottom in order of preference.

These are the second-factor authentication methods required for authentication. The list of Second Factor authenticators available updates based on the type of first-factor authenticator selected.

9. Review the flow on the flowchart diagram.

10. Click Save.

Create an authentication flow

1. Click > Security > Authentication Flows. The Authentication Flows page appears.

2. Under Custom Authentication Flows, click Add. The Authentication Flows page appears.

Note: You can additionally click and then edit the Custom authentication flow option provided on the page.

3. Enter a Name for the authentication flow.

4. Select the applicable Enable Login Flows.

● User Certificate is a passwordless authentication option that allows a user to use a certificate to log in.

● Smart Login and Passkey are authentication options that do not require the user ID to be entered first.

● Identity Provider forwards the user to an external SAML or OIDC Identity Provider to authenticate, for example, Facebook. Identity Provider does not require the user ID to be entered first.

● User Login requires the user to log in with their username and then respond to an authentication challenge presented by IDaaS.

5. If you enable Identity Provider as a Login Flow, complete the following:

a. Select Use Domain-Based Identity Providers to require users to log in using the Domain-based IDP only. If you select this option, only a domain-based IDP is available (see the figure below). Non-domain-based IDPs cannot be configured with domain-based IDPs in the same authentication flow.

b. If you do not enable Use Domain-Based Identity Providers, select the Identity Providers the user can access through the resource rule as shown in the following sample figure.

In this example, Generic requires access through the conditions of the resource rule. Generic2 cannot be used in this authentication flow.

c. If you want to require second-factor authentication in addition to accessing an Identity Provider, select Enable Second Factor for Identity Provider.

d. Select the Second Factor authenticators that can be used for authentication.

e. Click and drag the selected Second Factors authenticators so that they are ordered from top to bottom in order of preference.

Note: If you want to configure different second-factor authentication requirements for various Identity Providers, you need to create a unique authentication flow for each one.

For example, if you want Generic to require grid or OTP for second-factor authentication but Generic2 to only require OTP, you need to create separate authentication flows and unique resource rules for each one—an authentication flow for Generic that requires grid and OTP and a second authentication flow for Generic2 that requires only OTP.

6. If you enable User Login flow, complete the following:

a. Select the First Factor from the drop-down list. The type of authenticator selected is the first type of authentication challenge a user must complete to access the application.

b. Select the Second Factor authenticators that can be used for authentication.

c. Click and drag the Second Factor authenticators so that they are ordered from top to bottom in order of preference.

These are the second-factor authentication methods required for authentication. The list of Second Factor authenticators available updates based on the type of first-factor authenticator selected.

7. Review the flow on the flowchart diagram.

8. Click Save.

Edit an authentication flow

1. Click > Security > Authentication Flows. The Authentication Flows page appears.

2. Click the name of the authentication flow you want to edit. The Edit Authentication Flow page appears.

3. Edit the authentication flow as required using the instructions that follow.

4. Change the Name for the authentication flow.

5. Select the applicable Enable Login Flows.

● User Certificate is a passwordless authentication option that allows a user to use a certificate to log in.

● Smart Login and Passkey are authentication options that do not require the user ID to be entered first.

● Identity Provider forwards the user to an external SAML or OIDC Identity Provider to authenticate, for example, Facebook. Identity Provider does not require the user ID to be entered first.

● User Login requires the user to log in with their username and then respond to an authentication challenge presented by IDaaS.

6. If you enable Identity Provider as a Login Flow, complete the following:

a. Select the Identity Providers the user can access through the resource rule as shown in the following sample figure.

In this example, Generic requires access through the conditions of the resource rule. Generic2 cannot be used in this authentication flow.

b. If you want to require second-factor authentication in addition to accessing an Identity Provider, select Enable Second Factor for Identity Provider.

c. Select the Second Factor authenticators that can be used for authentication.

d. Click and drag the selected Second Factors authenticators so that they are ordered from top to bottom in order of preference.

Note: If you want to configure different second-factor authentication requirements for various Identity Providers, you need to create a unique authentication flow for each one.

For example, if you want Generic to require grid or OTP for second-factor authentication but Generic2 to only require OTP, you need to create separate authentication flows and unique resource rules for each one—an authentication flow for Generic that requires grid and OTP and a second authentication flow for Generic2 that requires only OTP.

7. If you enable User Login flow, complete the following:

a. Select the First Factor from the drop-down list. The type of authenticator selected is the first type of authentication challenge a user must complete to access the application.

b. Select the Second Factor authenticators that can be used for authentication.

c. Click and drag the Second Factor authenticators so that they are ordered from top to bottom in order of preference.

These are the second-factor authentication methods required for authentication. The list of Second Factor authenticators available updates based on the type of first-factor authenticator selected.

8. Review the flow on the flowchart diagram.

9. Click Save.

Edit an authentication flow

1. Click > Security > Authentication Flows. The Authentication Flows page appears.

2. Click next to the authentication flow you want to delete. The Delete Authentication Flow confirmation prompt appears.

3. Click Delete.

Create authentication flows

Manage Authentication Flows

View authentication flows

Clone an authentication flow

Create a custom authentication flow

Edit an authentication flow