KOBIL Condition - User Role
Overview
This authenticator verifies the roles assigned to the already identified user and, based on that role validation, either grants or denies access.
Protocol | OpenID Connect 1.0 |
---|---|
HTTP method | GET |
Type | Browser Flow |
Endpoint | Authorization Endpoint |
Flow Supported | Authorization code flow, Implicit flow, Hybrid flow |
Response | ID Token, Access Token, Refresh Token |
Response Mode | query, form_post, fragment |
How to configure
To configure the authenticator, follow these steps:
- Navigate to the Authentication tab.
- Click Add step.
- Select the authenticator to proceed with the next step.
- Keep the default settings unchanged.
By following these steps, you will be able to successfully configure the authenticator.
Configuration
Parameters involved in KOBIL Condition - User Role
Parameter | Description |
---|---|
Alias | This is the name given to the specific configuration of the authenticator. It helps identify the configuration within the authenticator flow. |
Authenticator Reference | Specifies the authentication method reference recorded for this step, such as password (pwd) or one-time password (otp). This reference is used to track which authentication steps have been completed in the authentication flow. |
Authenticator Reference Max Age | Authenticator Reference Max Age specifies the validity period (in seconds) for a completed authentication. Once this time expires, the user must re-authenticate using the specified method. |
Roles To Check | The list of roles the user is expected to hold. After the user has been identified, the authenticator compares this list against the roles actually assigned to the user; whether every listed role or only one of them is required is controlled by Should be assigned all roles. |
Role Validation Failure Action | Controls what happens when the user fails the role validation. If enabled, the authentication flow displays an Invalid credentials error message. When disabled, the login attempt ends immediately instead. |
Should be assigned all roles | If enabled, the user must hold every role listed in Roles To Check for the check to pass. If disabled, the check passes when the user holds at least one of the listed roles. |
Negate output | If enabled, the result of the role check is inverted: access is denied when the check would have passed (the user holds the required role or roles) and granted when it would have failed (the user does not hold them). This turns the condition from "require this role" into "exclude users with this role". |
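The interaction between Roles To Check, Should be assigned all roles, Negate output and Role Validation Failure Action is easy to get wrong, so the following added example models that decision logic in Python. It is illustrative code written for this page, not KOBIL's own implementation; the function names, the outcome labels and the fail-closed handling of an empty role list are assumptions, and role names are compared exactly (case-sensitive).

```python
# Added example (not KOBIL's own code): models the decision logic of the
# KOBIL Condition - User Role parameters. Names and outcome labels are assumptions.
from typing import Iterable, Set

GRANTED = "granted"                          # condition passed, flow continues
INVALID_CREDENTIALS = "invalid_credentials"  # failure action enabled: error shown
TERMINATED = "terminated"                    # failure action disabled: login ends


def role_check(user_roles: Iterable[str],
               roles_to_check: Iterable[str],
               require_all_roles: bool = True,
               negate_output: bool = False) -> bool:
    """Return True when the role condition passes (before the failure action).

    require_all_roles models "Should be assigned all roles";
    negate_output models "Negate output".
    """
    have: Set[str] = set(user_roles)
    want: Set[str] = set(roles_to_check)
    if not want:
        # Assumption: an empty Roles To Check is a misconfiguration. Fail closed
        # instead of silently granting (or, with negate, denying) everyone.
        raise ValueError("Roles To Check must list at least one role")
    if require_all_roles:
        passed = want.issubset(have)        # every listed role must be present
    else:
        passed = not want.isdisjoint(have)  # at least one listed role present
    return (not passed) if negate_output else passed


def decide(user_roles: Iterable[str],
           roles_to_check: Iterable[str],
           require_all_roles: bool = True,
           negate_output: bool = False,
           failure_action_enabled: bool = True) -> str:
    """Map the role check onto the outcome described for the failure action."""
    if role_check(user_roles, roles_to_check, require_all_roles, negate_output):
        return GRANTED
    return INVALID_CREDENTIALS if failure_action_enabled else TERMINATED


if __name__ == "__main__":
    # Constructed sample users; the role names are made up for this example.
    alice = {"user", "admin"}
    bob = {"user"}
    carol = {"guest"}
    required = {"user", "admin"}
    for name, roles in (("alice", alice), ("bob", bob), ("carol", carol)):
        print(name,
              "all:", decide(roles, required, require_all_roles=True),
              "any:", decide(roles, required, require_all_roles=False),
              "exclude admins:", decide(roles, {"admin"}, negate_output=True,
                                        failure_action_enabled=False))
```

Note that with Negate output enabled the condition grants access precisely to the users who fail the raw check, so combining it with Should be assigned all roles means "deny only users who hold every listed role", not "deny users who hold any of them".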
User Flow
- KOBIL Condition - User Role must be preceded by a first-factor (1FA) authenticator, for instance KOBIL Username Password Form, because it takes the identified user from that preceding step; without an identified user there are no assigned roles to check.
- The authenticator then verifies the roles assigned to that user and grants or denies access according to the configured roles.