Application journeys
You can configure OpenID Connect (OIDC) and SAML 2.0 applications to redirect authentication requests to a specified journey. This lets you customize the authentication experience for users accessing the application, for example, by requiring multi-factor authentication (MFA) or organizational checks.
The redirect contains a transaction condition advice to make sure the journey is always run,
regardless of existing sessions and configured authentication context class reference (acr) values.
Find an example of a journey that enforces application-specific authorization rules in the Authorize application access in journeys use case.
OIDC application journeys
To associate a journey with an OAuth 2.0 / OIDC application, the application must be configured
for the Authorization Code, Implicit, or Device Code grant types.
Journeys that are associated with an application override other authentication settings, including acr claims.
If a relying party (RP) requests an acr claim (voluntary or essential) or
if default acr values are set in the OIDC client profile, the claim is returned in the ID token
regardless of the provider configuration.
To verify that Advanced Identity Cloud uses the associated journey for authentication, check the log messages written to the am-access and am-authentication log files.
|
You can use a script to access information about the incoming OAuth 2.0 request. Configure your journey to include a Scripted Decision node that queries the oauthApplication script binding. |
SAML 2.0 application journeys
Configure your SAML 2.0 application so that a specific authentication journey is always run for users authenticating with your application. The federation flow invokes the associated journey ignoring any existing sessions or authentication context requirements.
|
You can use a script to access information about the SAML request. Configure your journey to include a Scripted Decision node that queries the samlApplication script binding. |
Configure an application journey
To trigger a specific journey every time a user authenticates to your OIDC or SAML 2.0 application, follow these steps:
-
In the Advanced Identity Cloud admin console, go to Applications and select your custom OIDC or SAML 2.0 application.
-
Click the Sign On tab.
-
Find the journey configuration section:
-
For SAML 2.0 applications, after you have set up SSO, go to Settings.
-
For OIDC applications, go to General Settings > Show advanced settings > Authentication.
-
-
Enable the option to
Use a journey to authenticate users to this application. -
Select a journey from the list and save your changes.
|