User journey orchestration
Authentication journeys
- Design your authentication journeys
- Initiate an authentication journey
- Authentication journey settings
User journey orchestration - Access component
- Template customization
- Translations
- Upload templates
- Messaging service
  - Email gateway configuration
  - SMS gateway configuration
  - Outgoing API specification
User journey orchestration - Tulip component
- Workflows
- Form elements
- Backend elements
- Email triggers and templates
- Email templates
- SMS templates
- Workflow API Tutorial
- Workflow API

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
User journey orchestration
Authentication journeys
Initiate an authentication journey

Initiate an authentication journey

There are several ways to initiate an authentication journey:

Default journey: The system uses the default authentication journey, unless the journey ID is provided in the ACR value.
Relying party: The relying party can provide the journey ID as an ACR value, using the following format:

urn:onewelcome:ujo:v1:auth:journey:id:{Journey ID}
Default ACR or Authentication Context Class References value: Set the default ACR value for OIDC web clients or set the Authentication Context Class References value for SAML applications. The default ACR or Authentication Context Class References value specifies the journey ID in the following format:

urn:onewelcome:ujo:v1:auth:journey:id:{Journey ID}

Set the default authentication journey

There can only be one default journey. When you set a journey as default, the previous journey reverts to being a regular, non-default, journey.

You can set a journey as default on the Authentication Journey screen or on the journey editor:

On the Authentication Journey screen, select the menu for the authentication journey and then select Make default.
In the top-right corner of the journey editor, select the menu and then select Make default.

Set the authentication journey for an OIDC web client

To ensure that an OIDC web client uses a specific authentication journey, you can set the default ACR value for the web client. For the ACR value, provide the ID for the journey that you want to use in the following format:

urn:onewelcome:ujo:v1:auth:journey:id:{Journey ID}

The web client uses the specified journey, unless the authentication request specifies a different journey ID in its ACR value.

On the OneWelcome Identity Platform console, on the Authentication Journey page, copy the journey ID that you want to associate with a specific web client.

You can also find the Journey ID on the Journey information side sheet, on the right side of the journey editor.

Note

To easily get to the Access admin console, in the top-right of the OneWelcome Identity Platform console, select Applications > Access admin. The Access admin console opens in a new tab.
On the Access admin console, go to Configuration > Web clients.

The Web clients page lists the clients that are configured for your tenant.
Locate the web client that you want to associate with the authentication journey ID that you copied.
In the Actions column for that web client, select Edit.

The Edit Web client page opens and shows the configuration for the selected client.
Scroll down to the ACRs section.
In the Default ACRs field, select or enter the ACR value with the journey ID in the following format:

urn:onewelcome:ujo:v1:auth:journey:id:{Journey ID}

You can also include an ACR value with the journey ID. The order in which you specify them affects the outcome:
- ACR level + journey ID: The journey is selected and the achieved ACR level is reported back.
- Journey ID + ACR level: The journey is selected and the executed journey is reported back.
- ACR level (only): The default journey is selected and the achieved ACR level is reported back.
- Journey ID (only): The journey is selected and the executed journey is reported back.
Select Save.

Set the authentication journey for a SAML application

To ensure that a SAML application uses a specific authentication journey, set the default Authentication Context Class References value for the application. For the Authentication Context Class References value, provide the ID for the journey that you want to use in the following format:

urn:onewelcome:ujo:v1:auth:journey:id:{Journey ID}

The application uses the specified journey, unless the authentication request specifies a different journey ID in its Authentication Context Class References value.

On the OneWelcome Identity Platform console, select: Core > Applications.
On the Applications page, locate the application that you want to update with an ACR value.
In the application menu, select Edit.

You can also specify the Authentication Context Class References when you add a SAML application.
On the Edit SAML application page, go to the end of the SAML SP configuration section.
In the Default Authentication Context Class References field, select or enter the value with the journey ID in the following format:

urn:onewelcome:ujo:v1:auth:journey:id:{Journey ID}
Select Submit.

Suggest A Change

Initiate an authentication journey

Set the default authentication journey

Set the authentication journey for an OIDC web client

Set the authentication journey for a SAML application

On this page