Tracked as SYNCOPE-160.

For the development of the AM module we decided to reuse the concept of Implementation. This allows the various logics to be extended and customized without imposing a static structure.
For each realm an AuthenticationPolicy can be configured, where it is possible to specify the parameters (maxAuthenticationAttempts, lockoutAttributeName, ...) and the Implementations to be used.

There are three types of authentication:

  • Default Authentication: the current authentication present on Syncope
  • Chain Authentication: an authentication scheme that lets different authentication modules be configured and combined in a chain.

    1. Standard set of authentication modules, plus an API to extend them / create new ones:
      1. JAAS
      2. username / password with different back-ends (DBMS, LDAP, ...)
      3. TLS client certificate
      4. Time-based One-time password
      5. SAML 2.0 SP
      6. OpenID Connect 1.0 Client
      7. Radius
      8. Kerberos
      9. U2F
      10. WebAuthn
      11. ...
    2. Authentication chains combining several authentication modules, with control flags similar to Linux's PAM (required, sufficient, requisite, ...)
      1. Step-up authentication (e.g. associate a level with each authentication module in a chain, and let 3rd-party apps require a minimum level before granting access)
      2. Multi-factor authentication
  • Flowable Authentication: use Flowable to define the authentication process.
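The chain semantics and the step-up level described above, as an added example that is not Syncope code: a small evaluator applying PAM-style control flags (required, requisite, sufficient, optional) to a list of modules, each granting a level on success, so that a relying party can demand a minimum level. The AuthModule, Link and Result types, the two constructed modules and the fixed credentials are assumptions made for illustration; the page fixes none of these names.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example, not Syncope code: PAM-style chain evaluation with per-module
// levels for step-up. All type and module names are assumptions for illustration.
public class AuthChainExample {

    // Control flags with their Linux PAM meaning.
    enum Control { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    // Hypothetical module contract; the design page only lists the module types.
    interface AuthModule {
        String name();
        boolean authenticate(Map<String, String> credentials);
    }

    // One link in the chain: the module, its control flag and the level it grants on success.
    record Link(AuthModule module, Control control, int level) {}

    // Chain outcome: success flag, highest level reached and a trace of module verdicts.
    record Result(boolean success, int level, List<String> trace) {}

    static Result evaluate(List<Link> chain, Map<String, String> credentials) {
        boolean requiredFailed = false;
        boolean anySuccess = false;
        int level = 0;
        List<String> trace = new ArrayList<>();
        for (Link link : chain) {
            boolean ok = link.module().authenticate(credentials);
            trace.add(link.module().name() + (ok ? ":ok" : ":fail"));
            if (ok) {
                anySuccess = true;
                level = Math.max(level, link.level());
            }
            switch (link.control()) {
                case REQUISITE:
                    if (!ok) return new Result(false, 0, trace);   // stop at once
                    break;
                case REQUIRED:
                    if (!ok) requiredFailed = true;                // keep running the chain
                    break;
                case SUFFICIENT:
                    if (ok && !requiredFailed) return new Result(true, level, trace);
                    break;
                case OPTIONAL:
                    break;                                         // never decides the outcome
            }
        }
        boolean success = !requiredFailed && anySuccess;
        return new Result(success, success ? level : 0, trace);
    }

    // Step-up check: a 3rd-party app demands a minimum level.
    static boolean meetsLevel(Result r, int minLevel) {
        return r.success() && r.level() >= minLevel;
    }

    // Constructed modules standing in for the password and TOTP back-ends.
    static final AuthModule PASSWORD = new AuthModule() {
        public String name() { return "password"; }
        public boolean authenticate(Map<String, String> c) {
            return "alice".equals(c.get("user")) && "correct-horse".equals(c.get("password"));
        }
    };
    static final AuthModule TOTP = new AuthModule() {
        public String name() { return "totp"; }
        public boolean authenticate(Map<String, String> c) {
            return "123456".equals(c.get("otp"));   // fixed code for the example only
        }
    };

    public static void main(String[] args) {
        List<Link> chain = List.of(
            new Link(PASSWORD, Control.REQUISITE, 1),   // must pass, otherwise the chain stops
            new Link(TOTP, Control.OPTIONAL, 2));       // raises the level when a valid OTP is given

        Result pwOnly = evaluate(chain, Map.of("user", "alice", "password", "correct-horse"));
        Result pwOtp = evaluate(chain, Map.of("user", "alice", "password", "correct-horse", "otp", "123456"));
        Result badPw = evaluate(chain, Map.of("user", "alice", "password", "wrong"));

        System.out.println(pwOnly.trace() + " level=" + pwOnly.level() + " app(level>=2)=" + meetsLevel(pwOnly, 2));
        System.out.println(pwOtp.trace() + " level=" + pwOtp.level() + " app(level>=2)=" + meetsLevel(pwOtp, 2));
        System.out.println(badPw.trace() + " success=" + badPw.success());
    }
}
```

Password alone yields a successful chain at level 1, which an app requiring level 2 rejects until the TOTP module also succeeds; a wrong password stops the chain at the requisite link without ever invoking the TOTP module. The flag handling is a deliberate simplification of PAM (a failing sufficient module is simply ignored, and a chain in which no module succeeds fails); it needs Java 16 or later for records.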

Each authentication policy has rules that implement the authentication logic through Implementations. An AuthenticationPolicyRule is composed of:

  • AuthenticationPolicyConf
  • a Java class that implements the authenticate method
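The policy parameters named earlier (maxAuthenticationAttempts, lockoutAttributeName) and the rule structure just listed, as an added example that is not Syncope code: a conf carrying the two parameters, a rule interface pairing that conf with an authenticate method, and one rule class that counts consecutive failures and sets the lockout attribute on the user once the limit is reached. The record and interface shapes, the failedAuthenticationAttempts counter attribute, the "suspended" attribute name and the constructed user store are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added example, not Syncope code: a policy conf with the two parameters the page
// names, and a rule whose authenticate method enforces the lockout. Class shapes,
// attribute names and the user store are assumptions for illustration.
public class AuthPolicyExample {

    // Parameters named on the design page.
    record AuthenticationPolicyConf(int maxAuthenticationAttempts, String lockoutAttributeName) {}

    // Hypothetical rule contract: the conf plus a class implementing authenticate.
    interface AuthenticationPolicyRule {
        AuthenticationPolicyConf conf();
        boolean authenticate(String username, char[] password, Map<String, String> userAttrs);
    }

    // Rule that counts consecutive failures and sets the lockout attribute at the limit.
    static class LockoutPasswordRule implements AuthenticationPolicyRule {
        static final String FAILED = "failedAuthenticationAttempts";   // hypothetical counter attribute
        private final AuthenticationPolicyConf conf;

        LockoutPasswordRule(AuthenticationPolicyConf conf) { this.conf = conf; }

        public AuthenticationPolicyConf conf() { return conf; }

        public boolean authenticate(String username, char[] password, Map<String, String> attrs) {
            if (attrs == null) return false;    // unknown user
            if ("true".equals(attrs.get(conf.lockoutAttributeName()))) {
                return false;                   // locked: refuse even a correct password
            }
            byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
            byte[] stored = attrs.getOrDefault("password", "").getBytes(StandardCharsets.UTF_8);
            // Comparison that does not stop at the first differing byte; a real back-end
            // would compare password hashes rather than plaintext.
            if (MessageDigest.isEqual(given, stored)) {
                attrs.put(FAILED, "0");         // success resets the counter
                return true;
            }
            int failures = Integer.parseInt(attrs.getOrDefault(FAILED, "0")) + 1;
            attrs.put(FAILED, Integer.toString(failures));
            if (failures >= conf.maxAuthenticationAttempts()) {
                attrs.put(conf.lockoutAttributeName(), "true");
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed user store standing in for the users of one realm.
        Map<String, Map<String, String>> users = new HashMap<>();
        Map<String, String> alice = new HashMap<>();
        alice.put("password", "correct-horse");   // plaintext only to keep the example short
        users.put("alice", alice);

        AuthenticationPolicyConf conf = new AuthenticationPolicyConf(3, "suspended");
        AuthenticationPolicyRule rule = new LockoutPasswordRule(conf);

        for (int i = 0; i < 3; i++) {
            System.out.println("wrong #" + (i + 1) + ": "
                + rule.authenticate("alice", "nope".toCharArray(), users.get("alice")));
        }
        System.out.println("suspended=" + alice.get("suspended"));
        System.out.println("correct after lockout: "
            + rule.authenticate("alice", "correct-horse".toCharArray(), users.get("alice")));
        System.out.println("unknown user: "
            + rule.authenticate("bob", "x".toCharArray(), users.get("bob")));
    }
}
```

After the third wrong password the user carries suspended=true and the correct password is refused as well, which is the behaviour a lockout attribute exists to produce; an unknown user simply fails. The check is intentionally placed before the password comparison so a locked account cannot be used to confirm a guessed password. Needs Java 16 or later for records.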