Setting up authentication context
Authorization Control Plane (ACP) allows you to set attributes defining the ACP-standard authentication context schema.
Access to an ACP authorization server (workspace)
The IDPs whose data is to be mapped, connected and configured
About authentication context in ACP
ACP allows you to standardize user data incoming from IDPs acting on behalf of the user. Different IDPs pass authentication data in different ways, depending on the IDP type and configuration. This data must then be mapped to an ACP-standard schema, the authentication context, to create a standardized data set that can be used in various scenarios, such as policy validation or claim definitions. ACP comes with a predefined authentication context schema so that you don’t have to create one from scratch. Standard sets of attributes are also defined for each IDP.
Authentication context attributes are used as:
- Validator data in policies (Create a policy)
- The source of data when configuring claims in Cloudentity ACP Workspace Settings (Configuring claims for ID tokens and access tokens).
Define authentication context schema
In the video below, we are adding a new attribute, representing the user’s nickname, to the predefined authentication context schema. As a result, we will be able to map data incoming from IDPs to this attribute. This way, you can create any authentication context schema matching your needs.
Select Authentication Context from the tenant menu.
The list of predefined authentication context attributes is displayed.
Select CREATE ATTRIBUTE from the Authentication Context Schema view.
In the Add attribute dialog box, fill in the Name, Data type, and Description fields.
Select Create to save your new attribute.
Your new attribute is visible in the Authentication Context Schema view, meaning that you can now proceed to mapping IDP-specific attributes to it.
Remove an attribute
If you remove an authentication context attribute, all mappings that use this attribute are removed as well.
Select the trash can icon next to the attribute that you want to remove.
Confirm your choice by selecting YES, DELETE in the Delete attribute dialog box.
The attribute is gone from the list of authentication context attributes in the Authentication Context Schema view.
Map IDP attributes to authentication context schema
By mapping your identity attributes, you unify attributes from all IDPs that your users authenticate with into a single authentication context. This lets you use one set of unified attributes throughout ACP for multiple purposes. In the video below, we’re mapping the email attribute from the Sandbox IDP to the My new attribute attribute defined in the authentication context schema. This means that the value of My new attribute is taken from the email parameter of the incoming Sandbox authentication requests. Finally, the new attribute is exposed as a claim in the demo application using Data Lineage.
Select Identity Data > Identities from the left sidebar.
Select an identity connection from the list of available IDPs.
Select Mappings from the top menu.
Configure each source-target attribute pair so that a source attribute is matched to a target one.
Select a source IDP attribute name from the drop-down list.
- If the source attribute is not defined out of the box (for example, when the IDP provides a custom attribute, such as crm_id), you need to add this attribute to the IDP before you can map it.
- To add an attribute for your identity, go to Identity Data > Identities (left sidebar) > Identity (from the IDP list) > Attributes tab > Add attribute.
Select a target authentication context attribute from the drop-down list.
Select Save mappings. Your mappings are added to the list.
Having defined and mapped the authentication context attributes, you can proceed to use them to define claims and validate policies.
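The schema, mapping and removal steps above can be modelled in a few dozen lines, which makes it easier to see what the unified authentication context actually contains once two IDPs with different attribute names feed it. The following is an added example written for this page, not Cloudentity's code or API: the class and function names (AuthnContextSchema, create_attribute, map_attribute, build_context), the second IDP ("corporate_saml") and all sample user data are assumptions constructed for illustration. It also goes slightly beyond the page by type-checking mapped values against the attribute's declared data type, so a malformed IDP value is rejected before it can reach policy evaluation.

```python
"""Toy model of an ACP-style authentication context (added example, not
Cloudentity's implementation; every name here is an assumption)."""
from dataclasses import dataclass, field

# Data types the toy schema accepts, with the Python types allowed for each.
DATA_TYPES = {
    "string": str,
    "number": (int, float),
    "boolean": bool,
    "string_array": list,
}


@dataclass
class AuthnContextSchema:
    """Typed attribute set shared by every IDP, plus per-IDP mappings onto it."""
    attributes: dict = field(default_factory=dict)   # attribute name -> data type
    mappings: dict = field(default_factory=dict)     # idp -> [(source, target), ...]

    def create_attribute(self, name, data_type, description=""):
        """Mirror of the 'Create attribute' dialog: name, data type, description."""
        if data_type not in DATA_TYPES:
            raise ValueError(f"unknown data type {data_type!r}")
        if name in self.attributes:
            raise ValueError(f"attribute {name!r} already exists")
        self.attributes[name] = data_type

    def remove_attribute(self, name):
        """Removing a schema attribute also drops every mapping that targets it."""
        del self.attributes[name]
        for idp, pairs in self.mappings.items():
            self.mappings[idp] = [(src, dst) for src, dst in pairs if dst != name]

    def map_attribute(self, idp, source, target):
        """One IDP source attribute may feed several schema attributes."""
        if target not in self.attributes:
            raise ValueError(f"target {target!r} is not in the schema")
        self.mappings.setdefault(idp, []).append((source, target))

    def build_context(self, idp, idp_data):
        """Apply the IDP's mappings to raw IDP data. Unmapped source attributes are
        dropped, absent ones leave the target unset, and a value whose type does not
        match the schema raises instead of silently entering the context."""
        context = {}
        for source, target in self.mappings.get(idp, []):
            if source not in idp_data:
                continue
            value = idp_data[source]
            declared = self.attributes[target]
            # bool is a subclass of int in Python; do not let True pass as a number.
            if declared == "number" and isinstance(value, bool):
                raise TypeError(f"{idp}.{source}: expected number, got boolean")
            if not isinstance(value, DATA_TYPES[declared]):
                raise TypeError(
                    f"{idp}.{source}: expected {declared}, got {type(value).__name__}")
            context[target] = value
        return context


def demo():
    """Walk through the page's scenario with constructed sample data."""
    schema = AuthnContextSchema()
    schema.create_attribute("email", "string")
    schema.create_attribute("my_new_attribute", "string", "the user's nickname")
    schema.create_attribute("crm_id", "string", "custom IDP attribute")

    # Sandbox IDP: its email feeds both the standard email and the new attribute.
    schema.map_attribute("sandbox", "email", "email")
    schema.map_attribute("sandbox", "email", "my_new_attribute")
    # A second, hypothetical IDP that names the same data differently.
    schema.map_attribute("corporate_saml", "mail", "email")
    schema.map_attribute("corporate_saml", "crm_id", "crm_id")

    # Constructed sample user records as each IDP would deliver them.
    sandbox_user = {"email": "alice@example.com", "given_name": "Alice"}
    saml_user = {"mail": "bob@example.com", "crm_id": "C-1234"}

    return {
        "sandbox": schema.build_context("sandbox", sandbox_user),
        "corporate_saml": schema.build_context("corporate_saml", saml_user),
        "schema": schema,
    }


if __name__ == "__main__":
    result = demo()
    print(result["sandbox"])          # {'email': 'alice@example.com', 'my_new_attribute': 'alice@example.com'}
    print(result["corporate_saml"])   # {'email': 'bob@example.com', 'crm_id': 'C-1234'}
    result["schema"].remove_attribute("my_new_attribute")
    print(result["schema"].mappings["sandbox"])   # [('email', 'email')]
```

Note that given_name from the Sandbox record never reaches the context because no mapping targets it; only mapped, correctly typed values do. Removing my_new_attribute from the schema silently drops the Sandbox mapping that fed it, which is the cascade the page warns about before the Remove an attribute steps.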