Flow selection and conditions

With flow selection one of several sub-flows is selected based on conditions and/or the end-users choice. In other words, it allows creating branches.

The following flow diagram shows an example of an authentication flow with multiple branches:


Flow selection steps

A selection step is a special type of flow step defining a list of the sub-flows and the conditions determining when to use what sub-flow.

  • Selection steps are available for all types of flows:
  • Non-interactive selection – A selection is non-interactive if IAM can decide which of the sub-flows should be executed. This is the case if exactly one condition is met and all others are not met and therefore exactly one sub-flow can be determined by the flow state machine.
  • Interactive selection – If more than one condition is true, the selection interactive and IAM sends a list of selectable options to the REST client. The end-user (or the REST client) must then choose one of the options by sending a corresponding REST request to the server.

The following screenshot is an example from the Loginapp UI displaying the selection options in multi-factor authentication to the end-user:


Flow conditions

A flow condition is a configuration element used for conditional decisions. It may be used in flow selection but also in other flow concepts.

The following table lists some common conditions for illustration:

Flow Condition

Condition fulfilled if ...

Active Authentication Method

... the user has been assigned the specified authentication method.

Has Tag

... the flow session contains the specified tag.

Step activated

... the specified step has been activated (dynamic step activation).

User represented

... the user is being represented by a representer (user representation feature)

Request has SSO Ticket

... the current request contains an SSO ticket.

Has mTAN token

... the user has an mTAN token (can be authenticated with mTAN).

Has Password

... the user has a password.

Has matching role

... the user has been assigned the specified role(s).

First Authentication Usage of Device

...the user is registered for an authentication method* but is using a new, previously unused authentication device.



Logical AND
Logical OR
Logical NOT

Logical conditions are used to combine other conditions into more complex conditions.


Currently only available for Airlock 2FA.

Note that the table only gives some examples. There are many more conditions available in Airlock IAM. Use the Config Editor to get a full list of available conditions.