Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

User journey orchestration

Authentication journey settings

search

Authentication journey settings

To configure tenant-level settings for authentication journeys, on the OneWelcome Identity Platform console, select Orchestration > Journeys > Settings.

Account enumeration

Account enumeration is a security vulnerability that allows attackers to determine whether a user account exists in a system. To identify user accounts, attackers use various methods, including analyzing error flows and messages. For example, analyzing error messages to find messages that reveal whether a user identifier (such as username, email address, or phone number) is valid.

To prevent this kind of account enumeration, you can ensure that the flow is always the same, regardless of whether the user identifier exists. You can also ensure that the system returns generic error messages for invalid identifiers, which make it hard for attackers to determine whether a user exists in the system.

Account enumeration is often used in conjunction with other attacks, such as brute-forcing. To increase security against brute-force attacks, authentication journeys implement a retry counter, which is set to a maximum of three by default.

Authentication journey settings

On the Authentication Journey Settings page, you choose the type of error messages to use for invalid identifiers:

  • Prevent account enumeration: Error messages do not reveal whether an account exists. This option is more secure, but provides less guidance to users. For example, when a user enters an unknown username, the system still proceeds to the password step. When the user submits any password, the system displays a generic error that does not reveal that the username was incorrect.

  • Provide guidance: Error messages reveal whether an account exists. This option is less secure, but provides more guidance to users. For example, when a user enters an unknown username, the system displays a "User not found" error message.

Login hint handling

A login_hint is an optional parameter that a relying party application can send. It provides a hint about the login identifier that the user might use to log in. In the authentication journey, the login hint value pre-populates the user identifier, such as username or email.

Login hint handling

On the Authentication Journey Settings page, you choose whether to allow the user to edit the pre-populated user identifier:

  • Allow the user to edit the user identifier.
  • Do not allow the user to edit the user identifier.

Identity provider mapping

Map the external identity providers (IDP) that are configured in the identity broker to the corresponding IDPs in the IDAAS core. This ensures that after a user is authenticated through the identity broker, their identity is correctly matched in the IDAAS core system.

Identity provider mapping

Note

The IDPs in the IDAAS core are not configurable and are added by request to Thales customer support.

On the Authentication Journey Settings page, you configure the mappings:

  1. In the ID Broker IDP list, select the IDP that's configured in the identity broker.

  2. In the Core IDP list, select the corresponding IDP in the IDAAS core.

  3. To add more IDP mappings, select Add IDP and configure the mapping.

  4. Select Save.

On this page