Authentication flow-related features Authentication flow-related features (JSP-Loginapp migration)

The following table provides information about the availability of JSP-Loginapp features in the Loginapp REST UI and high-level migration hints (where available).

Information about the availability of upcoming releases is indicative and subject to change.

Please note the additional information on discontinued functions (see link below).

Version information about features not yet available will be updated or clarified as soon as known.

Note that the specified release versions are indicative and subject to change.

The following notation is used to indicate release versions (examples):

  • 7.7: planned for IAM 7.7
  • > 7.7: planned for an IAM release after 7.7
  • >= 7.7: planned for IAM 7.7 or later

2-factor authentication (Main and Meta Authenticator)

Description and migration hints
Combination of 1st and second factors
(Main and Meta Authenticator)
Combination of 1st and second authentication factors.

Migration hint

Combine corresponding authentication steps in the authentication flow.


    • Password Authentication Step as the first authentication flow step.
    • Airlock 2FA Step for Authentication as the second authentication flow step.
    • Mandatory Password Change Step as the third authentication flow step.
User selects 2nd factor
If multiple available, the user selects 2nd factor.

Migration hint

Use the Selection Step in the authentication flow.

If more than one selection option is available (depending on the configured conditions) or if the property Auto Select Only Option is disabled, the end-user has to choose the option to use.

Remember last user selection
Remember the option selected by the user and store this information. The stored selected option is checked when the end-user is asked to choose an option the next time.

Migration hint

Use the property Last Selection Repository in the Selection Step.

Auth method selects 2nd factor
The authentication method stored in the user repository chooses the 2nd authentication factor.

Migration hint

Use the Selection Step in combination with the Active Authentication Method condition.

Stealth mode
Do not give away information about which factor failed and protect against user name enumeration.

Migration hint

Use the check box Prevent User Enumeration in the Authentication Flow.

The Loginapp REST UI only supports username enumeration protection.

There is no more simulation of second factors.

Credential-based 2nd-factor selection
By entering a configured keyword (e.g. SMS) instead of an OTP token, the end-user can change the 2nd factor during the login process.

Migration hint

Switching to different authentication steps can be achieved by displaying buttons (with goto-targets in the REST API) in conjunction with selection.

Example with two 2nd factors:

  • Use the Selection Step with multiple 2nd factors.
  • Use the condition Always Selectable for the default 2nd factor.
  • Use the Logical NOT condition with the Always Selectable condition for the other 2nd factor.
  • In the default second factor's first authentication step, configure an Interactive Goto Target pointing to the first authentication step of the other selection option.

Note that both involved authentication steps must have a Step ID configured.

Role-based 2nd-factor selection
The end user's set of roles determines the selection the second factor

Migration hint

Use the Role-Based Tag Acquisition Step to convert roles to tags (if required).

In the Selection Step use the Has Tag condition to select the corresponding 2nd-factor flow.

Display last login timestamp (AI-13510)
Display timestamp of last login after the first authentication step.

Migration hint

Enable the feature in the authentication flow's Default Authentication Processor.

If using the Custom Flow Processors plugin instead, add the plugin Latest Authentication Feedback Processor to enable the feature.


Description and migration hints
Step-up authentication
Ask only for 2nd factor if a previous authentication process already verified the first factor.

Migration hint

Use two separate Authentication Flows (in different Target Applications): one with weak and one with strong authentication.

Issue a tag after successful weak authentication (e.g. PASSWORD_VERIFIED).

In the strong authentication flow, use this tag as a skip condition for the first authentication step.

Risk-based authentication (AI-13514)
Omit 2nd authentication factor based on a risk assessment of the user session.
Remember-me (AI-13101)
Remember-me ("stay logged in") checkbox on login page. The end-user may also choose to log out of all other browsers at the same time.
Fallback Authenticator (AI-13512)
on request only
Fall back to an alternative authentication method if the first method fails.
User-based authentication selection (AI-13513)
on request only
Authenticator plugin is chosen based on the username (pattern matching) at beginning of authentication.