Flexible Authentication Improvements

Last modified 27 Oct 2021 10:53 +02:00
Planned feature
This feature is planned feature. This feature is roughly designed and it was evaluated as feasible. However, there is currently no specific plan when it will be implemented, because there is no funding for this development yet. In case that you are interested in supporting development of this feature, please consider purchasing midPoint Platform subscription.


Since midPoint 4.1 there is Flexible Authentication mechanism. This was a huge step forward. But there are still some missing pieces.


What we need:

  • Support for OpenID Connect protocol (interactive login, e.g. GUI).

  • Support for OpenID Connect protocol (non-interactive, e.g. REST).

  • Authentication that can take advantage of account linking. MidPoint knows that Active Directory account "foo" actually belongs to user X12345. Therefore the user can log in with his Active Directory account foo, but midPoint will display self service for user X12345.

  • Make sure that the old password provided in self-service password reset is checked on the particular resource where authentication is delegated.

  • Authentication module chaining improvements, e.g. better support for module necessity setting.

  • (Optional) There is an authentication function in ConnId connectors. This function might be used. This will avoid duplication of connectors and authentication modules. E.g. Active Directory connector may take care of both identity management and authentication. The same configuration can be reused.

Multi-Factor Authentication Credential Management

Note that that is not strictly a matter of authentication mechanisms, as we will not be using those credentials to authenticate users. This is all a question of credential management. But for the lack of better place we are listing the requirements here.

  • Native support for SSH keys

  • Native support for X.509 certificates/keypairs

  • Native support for other authentication types (HOTP, TOTP, FIDO, yubikeys,…​)