Authentication journey settings
To configure tenant-level settings for authentication journeys, on the OneWelcome Identity Platform console, select Orchestration > Journeys > Settings.
Account enumeration
Account enumeration is a security vulnerability that allows attackers to determine whether a user account exists in a system. Attackers use various methods to identify accounts, including analyzing error flows and messages, for example by looking for error messages that reveal whether a user identifier (such as a username, email address, or phone number) is valid.
To prevent this kind of account enumeration, ensure that the flow is always the same regardless of whether the user identifier exists, and that the system returns generic error messages for invalid identifiers. Together these make it hard for attackers to determine whether a user exists in the system.
Account enumeration is often combined with other attacks, such as brute-forcing. To increase resistance to brute-force attacks, authentication journeys implement a retry counter, which is set to a maximum of three attempts by default.
On the Authentication Journey Settings page, you choose the type of error messages to use for invalid identifiers:
- Prevent account enumeration: Error messages do not reveal whether an account exists. This option is more secure, but provides less guidance to users. For example, when a user enters an unknown username, the system still proceeds to the password step. When the user submits any password, the system displays a generic error that does not reveal that the username was incorrect.
- Provide guidance: Error messages reveal whether an account exists. This option is less secure, but provides more guidance to users. For example, when a user enters an unknown username, the system displays a "User not found" error message.
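The following is an added example, not OneWelcome code, that models the two modes above as a two-step journey (identifier step, then password step) with the default retry counter of three. It also covers a detail the settings page does not mention: when enumeration prevention is on, the unknown-identifier path performs the same password-hash computation as the known-identifier path, so response timing does not become the oracle that the error text no longer is. The user store, salts, hash parameters and message strings are constructed for this demonstration.

```python
"""Added example (not OneWelcome code): the two error-message modes from the
Authentication Journey Settings page, modelled as a two-step journey.
User store, salts, hash parameters and messages are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_RETRIES = 3                 # default retry counter described above
GENERIC_ERROR = "Invalid username or password"
PBKDF2_ROUNDS = 50_000          # assumption; tune for the deployment


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt))


# Constructed sample store with a single known user.
USERS: Dict[str, Account] = {
    "alice@example.com": _new_account("correct horse battery staple"),
}

# Decoy account used when the identifier is unknown, so that path runs the
# same hash computation (and takes the same time) as a real account would.
_DECOY = _new_account(os.urandom(16).hex())


def identifier_step(identifier: str, prevent_enumeration: bool) -> str:
    """First screen. Returns the next step of the journey.

    With enumeration prevention the journey always proceeds to the password
    step; otherwise an unknown identifier ends the flow with a message that
    reveals the identifier was invalid."""
    if prevent_enumeration or identifier in USERS:
        return "password"
    return "error:User not found"


def password_step(identifier: str, password: str,
                  prevent_enumeration: bool) -> Tuple[bool, str]:
    """Second screen. Returns (authenticated, message)."""
    account = USERS.get(identifier)
    target = account if account is not None else _DECOY
    locked = account is not None and account.failures >= MAX_RETRIES
    # Always compute the hash, even for an unknown identifier or a locked
    # account, so the response time does not differ by failure cause.
    matches = hmac.compare_digest(_hash(password, target.salt), target.pw_hash)
    if account is None or locked or not matches:
        if account is not None and not locked:
            account.failures += 1       # retry counter
        if prevent_enumeration:
            return False, GENERIC_ERROR  # same text for every failure cause
        if account is None:
            return False, "User not found"
        if locked:
            return False, "Account locked after too many attempts"
        return False, "Wrong password"
    account.failures = 0
    return True, "OK"


if __name__ == "__main__":
    for prevent in (True, False):
        print(prevent, identifier_step("nobody@example.com", prevent),
              password_step("nobody@example.com", "x", prevent))
```

Note that in the guidance mode the lockout message is a third distinguishable outcome, so even a deployment that tolerates "User not found" should treat the locked-account message as another enumeration signal when choosing between the two options.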
Login hint handling
A login_hint is an optional parameter that a relying party application can send. It provides a hint about the login identifier that the user might use to log in. In the authentication journey, the login hint value pre-populates the user identifier, such as username or email.
On the Authentication Journey Settings page, you choose whether to allow the user to edit the pre-populated user identifier:
- Allow the user to edit the user identifier.
- Do not allow the user to edit the user identifier.
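The following added example, which is not OneWelcome code, shows how a relying party carries the hint in an OpenID Connect authorization request and how a journey can apply the two settings above. The point it illustrates is that "Do not allow the user to edit" is only meaningful if the journey enforces it server-side, since a pre-filled, disabled form field can still be altered by the client. The endpoint, client identifiers and sample request are constructed assumptions.

```python
"""Added example (not OneWelcome code): sending login_hint from a relying
party and resolving the user identifier under the 'allow edit' setting.
Endpoint, client_id, redirect_uri and state values are constructed."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/authorize"  # assumption


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        login_hint: Optional[str] = None) -> str:
    """Relying-party side: standard authorization code request, with the
    optional login_hint parameter added when the app knows the identifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_login_hint(authorize_url: str) -> Optional[str]:
    """Journey side: read the hint from the incoming request, treating an
    empty or whitespace-only value as absent."""
    query = parse_qs(urlsplit(authorize_url).query)
    hint = query.get("login_hint", [""])[0].strip()
    return hint or None


def resolve_identifier(login_hint: Optional[str], submitted: Optional[str],
                       allow_edit: bool) -> Optional[str]:
    """Return the identifier the journey authenticates against.

    allow_edit=True:  the hint only pre-populates the field; whatever the
                      user submits wins (falling back to the hint).
    allow_edit=False: the hint is authoritative. A submitted value that
                      differs from it is rejected here, not merely blocked
                      in the form, because the client controls the form."""
    if login_hint is None:
        return submitted
    if allow_edit:
        return submitted or login_hint
    if submitted not in (None, "", login_hint):
        raise ValueError("user identifier is not editable in this journey")
    return login_hint


if __name__ == "__main__":
    url = build_authorize_url("app1", "https://app.example.com/cb", "s1",
                              login_hint="alice@example.com")
    print(url)
    print(resolve_identifier(extract_login_hint(url), "", allow_edit=False))
```

Because the relying party, not the end user, supplies login_hint, the journey should treat it as untrusted input: it is safe to pre-fill a field with it, but the value proves nothing about who is at the keyboard until the authenticator step completes.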
Identity provider mapping
Map the external identity providers (IDPs) that are configured in the identity broker to the corresponding IDPs in the IDAAS core. This ensures that after a user authenticates through the identity broker, their identity is correctly matched in the IDAAS core.
Note
The IDPs in the IDAAS core are not configurable and are added by request to Thales customer support.
On the Authentication Journey Settings page, you configure the mappings:
- In the ID Broker IDP list, select the IDP that is configured in the identity broker.
- In the Core IDP list, select the corresponding IDP in the IDAAS core.
- To add more IDP mappings, select Add IDP and configure the mapping.
- Select Save.