Introduction
The flow chart below shows an example of the authentication process of the CoreOne Authentication Service. In particular, it shows the following sub-processes:
Upon each authentication request, the CoreOne Suite executes various authentication steps. Those steps depend on the configuration, the user data and the user behavior. The following list gives an overview of the possible steps, which are executed in the order shown.
Subprocess | Description |
---|---|
The Level of Authentication (LoA) describes the quality of the authentication. This can be defined per application and forces the user to perform certain login steps, such as multi-factor authentication.
External login / federation
External login or federation allows the user to log in to the application using a different IdP. This can be, for example, a login through Google or SwissID.
Registration through External Login
Describes what happens when a user logs in through an external login but is not yet known in the local meta directory.
Validate client | Validates whether the requesting client is authorized to make the request. |
Block request | Checks if the current IP has too many invalid logon attempts. |
Resolve user | Checks if the user has already been resolved. This is the case if there is a |
Check application access | Validates if the resolved user is allowed to access the requested application. |
Show login page | Presents the user with the appropriate authentication page. Note that this process contains a lot of sub-steps by itself, such as account merging with federated identities or password policy checks. |
User data missing / Attribute elevation | If additional information is required from the user to access an application, which is not yet available in the local meta directory, this information is retrieved. |
Email Verification
A one-time or periodic verification of the specified email address.
Mobile Number Verification
Privacy policy and terms of use
The user must agree to the privacy and usage terms. These terms may be versioned.
Consent / Consents
Depending on the configuration, the user must consent to the information that is transferred to the application.
Step-Up-Authentication
Activate User
Reactivate User
Password Reset
Reauthentication
Authentication Process
The following graphic shows the standard process. In certain places it is abbreviated for readability.
...
Check browser fingerprint | Generates a unique fingerprint of the browser. |
Check verification status | Checks if the user has pending verification steps, such as email verification. |
Terms and conditions | Checks if the user needs to accept the terms and conditions for the requested application. |
Unfinished certifications | Checks if the user has open certification processes. |
User up to date | Validates if the user needs to update any data such as passwords or email addresses. |
Inactive delegations | Checks if the user has inactive delegations for the requested application. |
Consent | Checks if the user has to give consent for the current application. |
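The ordered evaluation described above can be sketched as a chain of checks in which the first step that produces an outcome decides what happens next. This is an added example, not CoreOne code: it models only a subset of the steps, and all names, thresholds, sample data and the position of the LoA check are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration and state (assumptions for this example).
CLIENTS = {"hr-portal": {"required_loa": 2}}   # registered clients
FAILED_LOGONS = {"203.0.113.9": 7}             # invalid attempts per IP
MAX_FAILED = 5

@dataclass
class Request:
    client_id: str
    ip: str
    user: Optional[dict] = None   # None until the user has been resolved
    loa: int = 0                  # LoA reached so far in this session

def validate_client(r):
    return None if r.client_id in CLIENTS else ("deny", "client not authorized")

def block_request(r):
    if FAILED_LOGONS.get(r.ip, 0) >= MAX_FAILED:
        return ("deny", "too many invalid logon attempts")

def resolve_user(r):
    if r.user is None:
        return ("interact", "show login page")

def check_application_access(r):
    if r.client_id not in r.user["apps"]:
        return ("deny", "no access to application")

def check_loa(r):
    if r.loa < CLIENTS[r.client_id]["required_loa"]:
        return ("interact", "step-up authentication")

def consent(r):
    if r.client_id not in r.user["consents"]:
        return ("interact", "consent")

# Order matters: client and IP checks run before any login page is offered,
# and user-dependent checks only run once a user has been resolved.
STEPS = [validate_client, block_request, resolve_user,
         check_application_access, check_loa, consent]

def next_action(r):
    # The first step that returns an outcome stops the chain.
    for step in STEPS:
        if (outcome := step(r)):
            return outcome
    return ("done", "return response to client")
```

Because a denied client or blocked IP never reaches `resolve_user`, such requests get no login page at all, which keeps the interactive steps out of reach of unauthorized clients.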