
Auth Hub Instructions for custom signin UI to handle identity propagation


Article ID: 256553


Updated On:

Products

VIP Authentication Hub

Issue/Introduction

In the SiteMinder-to-Auth Hub identity propagation flow, SiteMinder authenticates the user with a first factor and then sends an id_token_hint along with the authorization request. The Auth Hub authorization service then redirects the user to the signin UI with, for example, a flow ID and x-mfa-username-bfs parameters. The out-of-the-box signin UI does not prompt the user to enter the username again, because the user has already passed SiteMinder authentication. Documented instructions are needed on how identity propagation should be handled inside BNYM's custom signin UI.

Environment

Release: Oct.03

Resolution

Custom signin clients receive an x-flow-state value on the initial redirect and, as their first step, invoke /BrandingSettings, passing along the x-flow-state they received.

The Oct.04 release addresses the request as follows:

The response from /BrandingSettings is extended to include the propagated identity when x-flow-state is present in the request.

It is returned as a property of the response payload, for example: "x-mfa-username": "mhunter"

Both /auth/v1/BrandingSettings and /admin/v1/BrandingSettings (the latter is being replaced by /auth/v1/BrandingSettings) return x-mfa-username when the x-flow-state header is passed in.

The presence of a non-empty x-mfa-username value indicates identity propagation, and the custom signin UI can use it to skip the user name prompt.

In a non identity propagation scenario, the x-mfa-username property is either not returned at all or returned without a value. The UI must treat both cases the same way and prompt for the user name.
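The following is an added example of how a custom signin UI can implement the steps above; it is not VIP Authentication Hub product code and not BNYM's UI. The endpoint path, the x-flow-state header and the x-mfa-username property come from the article; the Auth Hub base URL, the use of the browser fetch API, and the sample payloads are assumptions made for the example.

```javascript
// Added example for this article, not VIP Authentication Hub product code.
// Assumed (not stated in the article): the Auth Hub base URL, the browser
// fetch API, and that the UI already holds the x-flow-state value it received
// on the initial redirect.

// Pure decision helper: returns the propagated user name, or null when the
// flow is not an identity propagation flow. An absent property and an empty
// value are treated identically, as the article describes.
function propagatedUsername(brandingSettings) {
  if (brandingSettings === null || typeof brandingSettings !== "object") {
    return null;
  }
  const value = brandingSettings["x-mfa-username"];
  if (typeof value !== "string" || value.trim() === "") {
    return null;
  }
  return value;
}

// Maps the BrandingSettings payload to the first screen the UI should show:
// skip the user name prompt only when a propagated identity is present.
function nextStep(brandingSettings) {
  const username = propagatedUsername(brandingSettings);
  return username === null
    ? { step: "prompt-username", username: null }
    : { step: "second-factor", username };
}

// First step of the custom signin UI: call /auth/v1/BrandingSettings with the
// x-flow-state header. fetchImpl is injectable so the flow can be tested
// offline with a stub.
async function fetchBrandingSettings(baseUrl, flowState, fetchImpl = fetch) {
  const response = await fetchImpl(`${baseUrl}/auth/v1/BrandingSettings`, {
    method: "GET",
    headers: { Accept: "application/json", "x-flow-state": flowState },
  });
  if (!response.ok) {
    throw new Error(`BrandingSettings failed: HTTP ${response.status}`);
  }
  return response.json();
}

async function initialSigninStep(baseUrl, flowState, fetchImpl = fetch) {
  const settings = await fetchBrandingSettings(baseUrl, flowState, fetchImpl);
  return nextStep(settings);
}

// Constructed sample payloads (not captured from a real Auth Hub instance).
// "theme" stands in for whatever branding properties the real response carries.
const SAMPLE_PROPAGATED = { "x-mfa-username": "mhunter", theme: "default" };
const SAMPLE_EMPTY = { "x-mfa-username": "", theme: "default" };
const SAMPLE_ABSENT = { theme: "default" };
```

When the UI shows the propagated user name, write it with textContent (or an equivalent escaping mechanism) rather than innerHTML; it is data returned by the server, not markup. Note also that the UI reads the identity from the response to the x-flow-state-bound BrandingSettings call, not from the redirect URL, so there is no need to parse username parameters out of the query string.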