KOBIL AST Claims
Overview
The main task of this authenticator is to calculate and store ACR and AMR values in the session to enable secure multi-factor authentication (MFA).
Note: For a detailed explanation of ACR, AMR, First Factor, and Second Factor, refer to the ACR and AMR Documentation.
Type
| Protocol | OpenID Connect 1.0 |
|---|---|
| HTTP method | GET |
| Type | Browser Flow |
| Endpoint | Authorization Endpoint |
| Flow Supported | Authorization code flow, Implicit flow, Hybrid flow |
| Response | ID Token, Access Token, Refresh Token |
| Response Mode | query, form_post, fragment |
How to configure
To configure the authenticator, follow these steps:
- Navigate to the Authentication tab.
- Click Add step.
- Select the authenticator to proceed with the next step.
- Keep the default Settings unchanged.
By following these steps, you will be able to successfully configure the authenticator.

Configuration
Parameters involved in KOBIL AST Claims
| Parameter | Description |
|---|---|
| Alias | Name that identifies the set of configurations applied to this particular authenticator. |
| Authenticator Reference | Specifies the authentication method used, such as password (pwd) or one-time password (OTP). This reference is used to track authentication steps in the authentication flow. |
| Authenticator Reference Max Age | Specifies the validity period (in seconds) for a completed authentication. Once this time expires, the user must re-authenticate using the specified method. |
| First Factor | Enable First Factor to retrieve and store the user's First Factor in the current session. The IDP stores the first factor as a hidden attribute against the user. |
| ACR | Enable ACR to calculate and store the ACR value based on the user's first and second factors. |
| AMR | Enable AMR to store the AMR value in the session. |
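
The following added example (not KOBIL code) models how Authenticator Reference and Authenticator Reference Max Age interact: given the authentication steps recorded in a session, it returns the references that are still valid and those that must be repeated. `CompletedStep`, `evaluate_session` and the sample values are hypothetical; treating a step as expired at exactly its max age and rejecting timestamps in the future are assumptions of this sketch.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class CompletedStep:
    reference: str     # Authenticator Reference, e.g. "pwd" or "otp"
    completed_at: int  # epoch seconds at which the step succeeded
    max_age: int       # Authenticator Reference Max Age, in seconds


def evaluate_session(steps, now=None):
    """Return (valid_references, reauth_required) for a session's steps."""
    now = int(time.time()) if now is None else now

    # Only the most recent completion of each reference counts.
    latest = {}
    for step in steps:
        seen = latest.get(step.reference)
        if seen is None or step.completed_at > seen.completed_at:
            latest[step.reference] = step

    valid, reauth = [], []
    for reference, step in sorted(latest.items()):
        age = now - step.completed_at
        # Fail closed: a negative age (timestamp in the future, e.g. clock
        # skew or a tampered session) is never accepted as valid.
        if 0 <= age < step.max_age:
            valid.append(reference)
        else:
            reauth.append(reference)
    return valid, reauth


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed sample clock
    session = [          # constructed sample session
        CompletedStep("pwd", NOW - 120, 3600),  # password, 2 minutes ago
        CompletedStep("otp", NOW - 900, 300),   # older OTP, superseded
        CompletedStep("otp", NOW - 400, 300),   # latest OTP, past max age
    ]
    valid, reauth = evaluate_session(session, now=NOW)
    print("valid references:", valid)
    print("re-authenticate: ", reauth)
```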

User Flow
- KOBIL AST Claims can be executed after 1FA-based authenticators, since these validate the user's identity. For instance, the KOBIL Username Password Form authenticator.
- To retrieve and compute the ACR and AMR values based on the first and second factors, the KOBIL AST login must be included in the authentication flow.
Note: If the KOBIL Verify User Identity authenticator is used in the flow as 1FA, it does not require the AST flow, as it includes a built-in AST login API.