
Defining Access flows

Access Flows define the identification and authentication requirements for accessing applications. They specify which Identity Providers (IdPs) are accepted before a user can access a Service Provider (SP), and in some cases, the order in which authentication must take place.

An Access Flow consists of two key elements:

  • The Authentication Scheme, which defines how users authenticate to access a Service Provider.
    There are three scheme types, each described below: Authentication level, Multi-factor and Policy driven.

  • The Authentication Method, which groups one or more Identity Providers that serve as the identity source for users.

IDHub Default Scheme

A pre-defined Access Flow (IDHub Default Scheme) is always present. It is applied to access the TrustBuilder applications, such as the Administration Portal or the Self-Service portal.

This Access Flow is critical for accessing the Administration Portal. If you plan to modify it, or to link the Administration Portal to another Access Flow, proceed with caution to avoid losing access.

Configuring an Access Flow

Authentication level

The Authentication Level scheme determines the authentication methods available based on the required security level.

Methods are ordered from most secure (top) to least secure (bottom). The user authenticates using only one of the available methods. Which methods are available depends on whether the Service Provider requires an authentication context and whether a default method is configured in the access flow.

  • If the SP requires an authentication context:
    Only authentication methods or Identity Providers (IdPs) with a matching context (SAML2 or OpenID Connect) will be available for users.

  • If the SP does NOT require an authentication context:
    Available methods depend on the Default Method Comparison and whether a default method is defined.

  1. Login to TrustBuilder Admin Portal.

  2. Go to Access Management > Access Flows.

  3. Click on + Add Access Flow.

  4. Click on Add Authentication Scheme.

    • Enter a name for the Authentication Scheme.

    • Select a Scheme Type: Authentication level.

    • Click Save.

  5. Click on Add Authentication Method.

    • Enter the display name of this authentication method (visible on the access flow interface).

    • If a Service Provider requires a context, enter the matching value.

    • Select one or several Identity Providers.

    • Click Save.
      Wait a few seconds for the graphical representation of the Access Flow to appear.

  6. Repeat previous step to add more Authentication methods.

  7. Order authentication methods from most secure to least secure:

    • The method at the top of the list defines the maximum security level (most secure).

    • The method at the bottom of the list defines the minimum security level (least secure).

  8. Click on Link Service Provider.

    • Select a Service Provider to be linked to this access flow.

    • Click on Next.

    • Select the Default Method Comparison, which determines how the authentication method's strength is evaluated.
      Note: if a default authentication method is defined for the SP, it serves as the reference method for the security level.

    • Default method (Optional): Select an authentication method.

    • Click Save.

  9. Repeat previous step to link more Service Providers to this access flow.

If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.

Known limitation: The OpenID Context field is mandatory, even if no OpenID Context is needed. Enter a value to proceed.

Default Method Comparison behavior (Authentication level scheme)

Default method defined | Default Method Comparison | Behavior
-----------------------|---------------------------|---------------------------------------------------------------
Yes                    | MINIMUM                   | Allows any method equal to or more secure than the default method.
Yes                    | MAXIMUM                   | Only the most secure method (top of the list) is allowed.
Yes                    | BETTER                    | Requires a method more secure than the default method.
Yes                    | EXACT                     | Requires exactly the default method.
No                     | MINIMUM                   | All methods are allowed (no reference defined, so all meet the minimum).
No                     | MAXIMUM                   | Only the most secure method (top of the list) is allowed.
No                     | BETTER                    | Only methods more secure than the least secure method are allowed.
No                     | EXACT                     | Authentication fails (there is no reference method to match).
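The table above is easiest to sanity-check as code. The following is an added example, not TrustBuilder/IDHub code: it models the documented rules (context requirement first, then the Default Method Comparison with or without a reference method) over a constructed three-method flow so an administrator can predict which methods a linked SP will offer before changing a live Access Flow. The method names and the context value are assumptions.

```python
"""Model of the Default Method Comparison rules (added illustration, not product code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AuthMethod:
    name: str
    context: Optional[str] = None  # SAML2 / OpenID Connect context value, if any


# Constructed sample flow, ordered most secure (top) to least secure (bottom).
SAMPLE_FLOW = [
    AuthMethod("Passkey", context="https://example.test/acr/high"),  # hypothetical context
    AuthMethod("OTP"),
    AuthMethod("Password"),
]


def allowed_methods(methods: List[AuthMethod], comparison: str,
                    default: Optional[AuthMethod] = None,
                    required_context: Optional[str] = None) -> List[AuthMethod]:
    """Return the methods a user may pick, in flow order (empty list = authentication fails)."""
    if required_context is not None:
        # SP requires an authentication context: only matching methods are offered.
        return [m for m in methods if m.context == required_context]
    if comparison == "MAXIMUM":
        return methods[:1]  # top of the list, with or without a default method
    if default is None:
        if comparison == "MINIMUM":
            return list(methods)  # no reference, so every method meets the minimum
        if comparison == "BETTER":
            return methods[:-1]  # everything more secure than the least secure method
        if comparison == "EXACT":
            return []  # nothing to match against
    else:
        ref = methods.index(default)  # raises ValueError if default is not in the flow
        if comparison == "MINIMUM":
            return methods[: ref + 1]  # default method and anything above it
        if comparison == "BETTER":
            return methods[:ref]
        if comparison == "EXACT":
            return [default]
    raise ValueError(f"unknown comparison {comparison!r}")


def method_names(methods: List[AuthMethod]) -> List[str]:
    return [m.name for m in methods]


if __name__ == "__main__":
    for mode in ("MINIMUM", "MAXIMUM", "BETTER", "EXACT"):
        print(mode, "with default OTP:", method_names(allowed_methods(SAMPLE_FLOW, mode, SAMPLE_FLOW[1])))
        print(mode, "without default:", method_names(allowed_methods(SAMPLE_FLOW, mode)))
```

Note that the EXACT row with no default yields an empty list, i.e. every login fails, which is why a default method must be set before choosing EXACT.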

Multi-factor

Requires users to authenticate with multiple methods.

  1. Login to TrustBuilder Admin Portal.

  2. Go to Access Management > Access Flows.

  3. Click on + Add Access Flow.

  4. Click on Add Authentication Scheme.

    • Enter a name for the Authentication Scheme.

    • Select a Scheme Type: Multi-factor.

    • Click Save.

  5. Click on Add Authentication Method.

    • Enter the display name of this authentication method (visible on the access flow interface).

    • If a Service Provider requires a context, enter the matching value.

    • Select one or several Identity Providers.

    • Click Save.
      Wait a few seconds for the graphical representation of the Access Flow to appear.

  6. Repeat previous step to link more Identity Providers.

  7. Define the order in which authentication methods will be shown to users:

    • the method at the top of the list will appear first.

    • the one at the bottom will appear last.

  8. Click on Link Service Provider.

    • Select a Service Provider to be linked to this access flow.

    • Click Save.

  9. Repeat previous step to link more Service Providers.

If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.

Known limitation: The OpenID Context field is mandatory, even if no OpenID Context is needed. Enter a value to proceed.

Policy driven

Authentication is based on predefined policies, allowing for more refined rules.

  1. Login to TrustBuilder Admin Portal.

  2. Go to Access Management > Access Flows.

  3. Click on + Add Access Flow.

  4. Click on Add Authentication Scheme.

    • Enter a name for the Authentication Scheme.

    • Select a Scheme Type: Policy Driven.

    • Select the policy to apply to the access flow.

    • Click Save.

  5. Click on Add Authentication Method.

    • Enter the display name of this authentication method (visible on the access flow interface).

    • Enter a context value.
      This should match the requires_acr value in the rule's obligation.
      Note: only the most secure authentication method (the one at the top of the list) with a matching OpenID Connect context will be shown to users.

    • Select one or several Identity Providers.

    • Click Save.
      Wait a few seconds for the graphical representation of the Access Flow to appear.

  6. Repeat previous step to link more Identity Providers.

  7. Click on Link Service Provider.

    • Select a Service Provider to be linked to this access flow.

    • Click Save.
      Warning: by default, each Service Provider uses the MINIMUM method comparison, which allows the context to override it. Do not change this value, or authentication will fail.

  8. Repeat previous step to link more Service Providers.

If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.

Managing Access Flows

Editing an access flow

  1. Go to Access Management > Access Flows.
    The list of existing access flows appears.

  2. Click on the Access Flow you want to edit.

  3. Make the necessary changes:

    • Some changes take effect immediately (e.g., reordering authentication candidates).

    • Others require saving to apply (e.g., linking an IdP or SP).

The access flow is successfully edited.

If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.

Deleting an access flow

  1. Go to Access Management > Access Flows.
    The list of existing access flows appears.

  2. Click on the trash icon of the access flow you want to delete.

  3. Click on Yes, delete to confirm your choice.

The access flow is successfully deleted.