Default URL, Application entry URLs | | Configuration of default URLs and allowed application entry URLs. Migration hint Configured in Loginapp >> UI Settings >> Authentication Flow UI >> Target URI Resolver. |
| | Propagation of identity information using Identity Propagation plugins. Migration hint See property Identity Propagation in Loginapp >> Authentication Flows >> Target Application. |
| | Require one or more roles in target application configuration. Migration hint In the Target Application configuration use the following plugins: - Authorization flow with Required Role step (suitable for one Role only)
- Airlock Gateway (WAF) Mapping Roles (Credentials)
To check for multiple roles, use a Selection Step with the Abort Step in the options. The condition can be simply a Has Matching Role plugin. However, it may also be a combination of several conditions including Has Tag and logical operators. |
Airlock Gateway (WAF) Roles | | Configure what roles (credentials) are used to authenticate the Airlock Gateway (WAF) session. Migration hint Use property Airlock Gateway (WAF) Mapping Roles (Credentials) in Loginapp >> Authentication Flows >> Target Application. |
| | Enforce the acceptance of application-specific terms of services. Migration hint Use the Terms of Service Step in Loginapp >> Authentication Flows >> Target Application. |
URL-triggered step-up roles | | Defines a list of roles that are required when starting application-triggered step-up. If the roles are missing in the session, a step-up is triggered. Migration hint Use two separate Authentication Flows (in different Target Applications): one with weak and one with strong authentication. Issue a tag after successful weak authentication (e.g. PASSWORD_VERIFIED). In the strong authentication flow, use this tag as a skip condition for the first authentication step. Applications calling IAM to trigger a step up (using an URL like /check-login?stepup=true&Location=... must be adapted or reconfigured to use instead the URL starting the intended authentication flow. |
Different username for application | | Instead of propagating the username of the logged-in user, use an application-specific username from the user's context data. Migration hint Configured in the Username Providers property in the REST Identity Propagation plugin used in the Target Application configuration. |
| | Rules to obtain new roles based on other roles and risk tags. Migration hint Use a dedicated authentication flow for the application. Use a combination of steps, selections, and conditions to derive roles and tags from given roles and tags. Example steps: - Role-Based Tag Acquisition Step
- Selection Step with Has Matching Role and Has Tag conditions.
- No Operation Step with corresponding Skip Condition Tags, Pre Condition Tags, and Tags on Success.
There is no 1:1 replacement for the application-specific access policy. Risk-based authentication is not yet supported in the Loginapp REST UI. |
| | Add, delete, and transform roles for identity propagation. Migration hint Configured in the Role Providers property in the REST Identity Propagation plugin used in the Target Application configuration. |
User name transformation for ID propagation | | Transform username before using it in identity propagation. Migration hint Configured in the Username Providers property in the REST Identity Propagation plugin used in the Target Application configuration. Username providers only allow to use of a different username stored in the user's context data. Other transformers like lower and upper case transformers or primary key lookup is not yet available and may be added in a later release (AI-13605). |
Different password for application | | Some Identity Propagator plugins need the user password. This property allows using of a password from either the configuration or the user context data instead of the one the user entered. Migration hint Use features of existing Identity Propagator plugins. Some but not all Identity Propagator plugins support this feature by reading the password to be used from the user's context data. There is no password provider feature. |