Defining Access flows
Access Flows define the identification and authentication requirements for accessing applications. They specify which Identity Providers (IdPs) are accepted before a user can access a Service Provider (SP), and in some cases, the order in which authentication must take place.
An Access Flow consists of two key elements:
The Authentication Scheme, which defines how users authenticate to access a Service Provider. There are three scheme types:
Authentication level: the authentication methods offered to the user are selected according to the required security level.
Multi-factor: the user must authenticate with several methods in sequence.
Policy-driven: the authentication method is selected by a predefined policy.
The Authentication Method, which groups one or more Identity Providers that serve as the identity source for users.
IDHub Default Scheme
There is always one pre-defined Access Flow, the IDHub Default Scheme. It is used to access the TrustBuilder applications themselves, such as the Administration Portal or the Self-Service Portal.
This Access Flow is critical for accessing the Administration Portal. If you plan to modify it, or to link the Administration Portal to another Access Flow, proceed with caution: a misconfigured flow can lock administrators out of the portal.
Configuring an Access Flow
Authentication level
The Authentication Level scheme determines the authentication methods available based on the required security level.
Methods are ordered from most secure (top) to least secure (bottom). The user authenticates with only one of the available methods. Which methods are available depends on whether the Service Provider requires an authentication context and whether a default method is configured for it in the access flow.
If the SP requires an authentication context:
Only authentication methods or Identity Providers (IdPs) whose context (SAML2 AuthnContextClassRef or OpenID Connect acr) matches the requested one are available to users.
If the SP does NOT require an authentication context:
The available methods depend on the Default Method Comparison and on whether a default method is defined (see the table below).
Login to TrustBuilder Admin Portal.
Go to Access Management > Access Flows.
Click on + Add Access Flow.
Click on Add Authentication Scheme.
Enter a name for the Authentication Scheme.
Select a Scheme Type: Authentication level.
Click Save.
Click on Add Authentication Method.
Enter the display name of this authentication method (visible on the access flow interface).
If a Service Provider requires context, enter the matching value:
SAML2 Context (AuthnContextClassRef): an official SAML 2.0 reference.
OpenID Context (Authentication Context Class Reference - ACR): an OpenID Connect (OIDC) concept.
Select one or several Identity Providers.
Click Save.
Wait a few seconds for the graphical representation of the Access Flow to appear.
Repeat previous step to add more Authentication methods.
Order the authentication methods from most secure to least secure:
The method at the top of the list defines the maximum security level (the most secure).
The method at the bottom of the list defines the minimum security level (the least secure).
Click on Link Service Provider.
Select a Service Provider to be linked to this access flow.
Click on Next.
Select the Default Method Comparison which determines how the authentication method's strength is evaluated.
If a default authentication method is defined for the SP, it serves as the reference method for the security level.
Default method (Optional): Select an authentication method.
Click Save.
Repeat previous step to link more Service Providers to this access flow.
If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.
Known limitation: The OpenID Context field is mandatory, even if no OpenID Context is needed. Enter a value to proceed.
Default method defined | Default Method Comparison | Behavior
---|---|---
Yes | MINIMUM | Allows any method equal to or more secure than the default method.
Yes | MAXIMUM | Only the most secure method (top of the list) is allowed.
Yes | BETTER | Requires a method more secure than the default method.
Yes | EXACT | Requires exactly the default method.
No | MINIMUM | All methods are allowed (no reference defined, so all meet the minimum).
No | MAXIMUM | Only the most secure method (top of the list) is allowed.
No | BETTER | Only methods more secure than the least secure method are allowed.
No | EXACT | Authentication fails (there is no reference method to match).
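The selection rules above (context filtering, then the Default Method Comparison against the optional default method) are easier to reason about as code. The following is an added illustrative model written for this page, not TrustBuilder's own implementation: the method names, their SAML2/OIDC context values and the ordering are constructed, and the `AuthMethod` class and `eligible_methods` function are hypothetical names. It returns an empty list where the table says authentication fails, which is the case to check before you change an SP's comparison setting.

```python
from dataclasses import dataclass
from typing import List, Optional

COMPARISONS = ("MINIMUM", "MAXIMUM", "BETTER", "EXACT")


@dataclass(frozen=True)
class AuthMethod:
    """One authentication method of an access flow (hypothetical model)."""
    name: str
    saml2_context: Optional[str] = None  # AuthnContextClassRef the method answers
    oidc_context: Optional[str] = None   # OIDC acr value the method answers


# Constructed example flow, ordered as in the admin portal:
# index 0 = most secure (top), last index = least secure (bottom).
ORDERED_METHODS: List[AuthMethod] = [
    AuthMethod("FIDO2", "urn:oasis:names:tc:SAML:2.0:ac:classes:X509", "urn:example:acr:fido2"),
    AuthMethod("OTP", "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", "urn:example:acr:otp"),
    AuthMethod("Password", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "urn:example:acr:pwd"),
]


def eligible_methods(
    methods: List[AuthMethod],
    comparison: str,
    default: Optional[str] = None,
    saml2_context: Optional[str] = None,
    oidc_context: Optional[str] = None,
) -> List[AuthMethod]:
    """Return the methods offered to the user, most secure first.

    An empty list means authentication cannot proceed for this SP
    (for example EXACT with no default method defined).
    """
    comparison = comparison.upper()
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown Default Method Comparison: {comparison}")
    if default is not None and default not in {m.name for m in methods}:
        raise ValueError(f"default method {default!r} is not in this access flow")

    # Case 1: the SP requires an authentication context. Only methods whose
    # SAML2 or OIDC context matches the requested one are available; the
    # comparison is not applied here (the override that the policy-driven
    # scheme relies on when the SP is left at MINIMUM).
    if saml2_context is not None or oidc_context is not None:
        return [
            m for m in methods
            if (saml2_context is not None and m.saml2_context == saml2_context)
            or (oidc_context is not None and m.oidc_context == oidc_context)
        ]

    # Case 2: no context requested. MAXIMUM ignores the default method.
    if comparison == "MAXIMUM":
        return methods[:1]

    if default is None:
        if comparison == "MINIMUM":
            return list(methods)      # no reference, everything qualifies
        if comparison == "BETTER":
            return methods[:-1]       # everything above the least secure
        return []                     # EXACT: nothing to match against

    ref = next(i for i, m in enumerate(methods) if m.name == default)
    if comparison == "MINIMUM":
        return methods[: ref + 1]     # the default and anything above it
    if comparison == "BETTER":
        return methods[:ref]          # strictly more secure than the default
    return [methods[ref]]             # EXACT


def eligible_names(*args, **kwargs) -> List[str]:
    """Same as eligible_methods, returning display names for quick checks."""
    return [m.name for m in eligible_methods(*args, **kwargs)]


if __name__ == "__main__":
    for cmp in COMPARISONS:
        print(f"default=OTP  {cmp:8}: {eligible_names(ORDERED_METHODS, cmp, default='OTP')}")
        print(f"default=None {cmp:8}: {eligible_names(ORDERED_METHODS, cmp)}")
    print("SP requests Password context:",
          eligible_names(ORDERED_METHODS, "MINIMUM",
                         saml2_context="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"))
```

Run it to see every row of the table for a three-method flow; the EXACT-without-default row comes back empty, and BETTER with a single-method flow also comes back empty, since nothing sits above the least secure method.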
Multi-factor
Requires users to authenticate with multiple methods.
Login to TrustBuilder Admin Portal.
Go to Access Management > Access Flows.
Click on + Add Access Flow.
Click on Add Authentication Scheme.
Enter a name for the Authentication Scheme.
Select a Scheme Type: Multi-factor.
Click Save.
Click on Add Authentication Method.
Enter the display name of this authentication method (visible on the access flow interface).
If a Service Provider requires context, enter the matching value:
SAML2 Context (AuthnContextClassRef): an official SAML 2.0 reference.
OpenID Context (Authentication Context Class Reference - ACR): an OpenID Connect (OIDC) concept.
Select one or several Identity Providers.
Click Save.
Wait a few seconds for the graphical representation of the Access Flow to appear.
Repeat the previous step to link more Identity Providers.
Define the order in which authentication methods will be shown to users:
the method at the top of the list will appear first.
the one at the bottom will appear last.
Click on Link Service Provider.
Select a Service Provider to be linked to this access flow.
Click Save.
Repeat previous step to link more Service Providers.
If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.
Known limitation: The OpenID Context field is mandatory, even if no OpenID Context is needed. Enter a value to proceed.
Policy driven
Authentication is based on predefined policies, allowing for more refined rules.
Login to TrustBuilder Admin Portal.
Go to Access Management > Access Flows.
Click on + Add Access Flow.
Click on Add Authentication Scheme.
Enter a name for the Authentication Scheme.
Select a Scheme Type: Policy Driven.
Select the policy to apply to the access flow.
Click Save.
Click on Add Authentication Method.
Enter the display name of this authentication method (visible on the access flow interface).
Enter a context value. It must match the requires_acr value in the obligation of the policy rule.
Only the most secure authentication method (the one at the top of the list) with a matching OpenID Connect context is shown to users.
Select one or several Identity Providers.
Click Save.
Wait a few seconds for the graphical representation of the Access Flow to appear.
Repeat previous step to link more Identity Providers.
Click on Link Service Provider.
Select a Service Provider to be linked to this access flow.
Click Save.
⚠️ By default, each Service Provider uses the MINIMUM method comparison, which lets the policy's context override it. Do not change this value; a stricter comparison causes authentication to fail.
Repeat previous step to link more Service Providers.
If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.
Managing Access Flows
Editing an access flow
Go to Access Management > Access Flows.
The list of existing access flows appears.
Click on the Access Flow you want to edit.
Make the necessary changes:
Some changes take effect immediately (e.g., reordering authentication candidates).
Others require saving to apply (e.g., linking an IdP or SP)
The access flow is successfully edited.
If you select a Service Provider already used in another Access Flow, it will be removed from the previous one and added to the current flow. This change applies immediately and may impact user access.
Deleting an access flow
Go to Access Management > Access Flows.
The list of existing access flows appears.
Click on the trash icon of the access flow you want to delete.
Click on Yes, delete to confirm your choice.
The access flow is successfully deleted.