By default, the MPASSid authentication discovery page allows the user to search and choose an authentication source from all the supported authentication methods/sources.
If you want to skip this part of the authentication, for example to provide your own discovery service page or to direct the user to a specific authentication source, you can do so by setting specific parameters in your application's SAML or OpenID Connect authentication requests.
Authentication sources
API
MPASSid provides a list of all the current authentication sources, which is accessible from the API endpoint with a GET request.
- API endpoint: https://mpass-proxy.csc.fi/idp/profile/api/authnsources
The authentication source ids provided by the API can be referred to with the following prefix:
- urn:mpass.id:authnsource: for authentication sources (for instance urn:mpass.id:authnsource:ShibLdap)
The request (GET) parameters
- lang (optional): two-letter language code, defaults to FI.
  - Currently supported codes: FI (Finnish) and SV (Swedish).
The response
- id: the unique identifier for this authentication source
- title: the human-readable title for this authentication source
- tags: the list of authentication tag ids related to this authentication source
- iconUrl: a URL for the icon describing this authentication source
- directRegistryConnection (boolean): flag for this source being directly connected to a user registry
- supportsForced (boolean): flag for supporting forced authentication
- supportsPassive (boolean): flag for supporting passive authentication
Example
SAML authentication request
The desired authentication source can be specified in the SAML authentication request via the RequestedAuthnContext element, as defined in section 3.4.1 of SAML 2.0 Core. The Comparison attribute value exact (the default) is currently supported.
Example
The following authentication request message requests MPASSid to redirect the user to the "ShibLdap" authentication source:
Remember to use the prefix from earlier!
- urn:mpass.id:authnsource:ShibLdap
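One way to build such a request, as an added example that is not MPASSid's own code: it checks the requested id against a source list shaped like the API response fields above, then emits an unsigned AuthnRequest with RequestedAuthnContext. The sample source list, the example.org URLs and the function names are constructed placeholders.

```python
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PREFIX = "urn:mpass.id:authnsource:"  # prefix given on this page

# Constructed sample using the response fields listed on this page; the
# top-level JSON shape of the live API response is an assumption.
SAMPLE_SOURCES = json.loads("""[
  {"id": "ShibLdap", "title": "Example LDAP", "tags": [],
   "iconUrl": "https://sp.example.org/ldap.png",
   "directRegistryConnection": true,
   "supportsForced": true, "supportsPassive": false}
]""")


def class_ref(source_id, sources):
    """Return the prefixed id, refusing anything not in the published list."""
    if source_id not in {s["id"] for s in sources}:
        raise ValueError(f"unknown authentication source: {source_id!r}")
    return PREFIX + source_id


def build_authn_request(source_id, sources, issuer, destination, acs_url):
    """Build an unsigned AuthnRequest that asks for one authentication source."""
    ref = class_ref(source_id, sources)  # validate before building anything
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    # Placeholder SP and IdP URLs; use the values from your own metadata.
    print(build_authn_request("ShibLdap", SAMPLE_SOURCES,
                              "https://sp.example.org/metadata",
                              "https://idp.example.org/sso",
                              "https://sp.example.org/acs"))
```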
OpenID Connect
When using OpenID Connect you can set the acr_values parameter to include the preferred authentication method string.
Refer to your OpenID client documentation on how to achieve this.