Initialize follow-up authentication flow after self-service

This article explains how the Initialize Next Auth Flow option can be used in public self-services. If this option is enabled, the authentication flow following the public self-service flow, can be initialized with the user identity and tags from this self-service flow.

Combined with using skip conditions in authentication flows, this feature allows significant improvement of the user experience.

Example use cases:

  • Skip the username or username-password step in the login process following a password reset.
  • Directly jump to a 2nd-factor authentication step after a successful unlock self-service.
  • Any other use case where the user is already authenticated or has an authentication tag within a public self-service flow, as this allows securely skipping an initial re-authentication and proceeding with a follow-up authentication step.

The Initialize Next Auth Flow option allows skipping a re-authentication step for users' convenience. Self-services like password resets typically provide little evidence of the end user's identity. Therefore, access to applications or services should only be possible after additional strong authentication.

Authentication flow initialization

Airlock IAM requires the user to complete the corresponding authentication flow to access a target application or service. The Initialize Next Auth Flow option allows using the acquired tags and user ID from a public self-service to skip an authentication step.

To make use of the user ID and tags from the public self-service flow in an authentication flow, the following is required:

  • Enable the Initialize Next Auth Flow option in the public self-service flow.
  • Ensure the desired tags for the following authentication flow are granted in the public self-service flow.
  • Define skip conditions in the desired authentication flow(s).

The next executed authentication flow is chosen by the REST client. In the Loginapp UI it is determined by UI configuration – see Loginapp >> UI Settings >> Public Self-Service UIs >> select a flow >> Completion Target.

Configuration

The Initialize Next Auth Flow feature relies on the fact that a public self-service flow authenticates the user in some way, e.g., by sending an email or SMS to the user and verifying a token or link.

Example configuration:

  1. Go to:
    Loginapp >> Public Self-Services >> affected flow >> Steps.
  2. In section Advanced Settings, enable property Initialize Next Auth Flow.
  3. In one or more flow steps, grant one or more tags in property Tags on Success. In this example, we choose Weak Authentication Tag. Make sure to do so in a step that cannot be skipped, e.g., the Password Reset Step.
  4. Change to:
    Loginapp >> Application and Authentication >> affected application >> Authentication Flow
  5. Open the authentication step to be skipped, e.g., the Username Password Authentication Step, for editing.
  6. In property Skip Condition, add a Has Tag condition with the tag granted in the public self-service flow. In our example, this would be the Weak Authentication Tag.

With this configuration, the user gains the Weak Authentication Tag in the public self-service flow and, with it, skips the Username Password Authentication Step in the following authentication flow.
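As an added illustration (not Airlock IAM code), the following Python model shows the handover described in the requirements and the example configuration above: tags granted in the self-service flow are carried into the next authentication flow only when Initialize Next Auth Flow is enabled, a step whose Has Tag skip condition matches is bypassed, and the remaining steps still run. The second-factor step and the Strong Authentication Tag are assumed names used only for this model.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass
class Step:
    name: str
    tags_on_success: FrozenSet[str] = frozenset()  # tags granted when the step completes
    skip_if_tag: Optional[str] = None             # "Has Tag" skip condition, if any


@dataclass
class FlowState:
    user_id: Optional[str] = None
    tags: Set[str] = field(default_factory=set)


def run_flow(steps: List[Step], state: FlowState) -> List[str]:
    """Execute a flow; return the names of the steps the user actually had to complete."""
    executed = []
    for step in steps:
        if step.skip_if_tag is not None and step.skip_if_tag in state.tags:
            continue  # skip condition met: the step is not presented to the user
        executed.append(step.name)
        state.tags |= step.tags_on_success  # Tags on Success granted after completion
    return executed


def self_service_then_auth(self_service: List[Step], auth_flow: List[Step],
                           user_id: str, init_next_auth_flow: bool) -> List[str]:
    """Run a public self-service flow, then the following authentication flow."""
    ss_state = FlowState(user_id=user_id)
    run_flow(self_service, ss_state)
    # Initialize Next Auth Flow: hand over identity and tags; otherwise start unauthenticated.
    auth_state = ss_state if init_next_auth_flow else FlowState()
    return run_flow(auth_flow, auth_state)


# Constructed flows mirroring the example configuration on this page.
PASSWORD_RESET = [
    Step("Password Reset Step", frozenset({"Weak Authentication Tag"})),
]
LOGIN = [
    Step("Username Password Authentication Step", frozenset({"Weak Authentication Tag"}),
         skip_if_tag="Weak Authentication Tag"),
    Step("Second Factor Authentication Step",  # assumed name of the 2nd-factor step
         frozenset({"Strong Authentication Tag"})),  # assumed tag name
]

if __name__ == "__main__":
    print(self_service_then_auth(PASSWORD_RESET, LOGIN, "alice", init_next_auth_flow=True))
    print(self_service_then_auth(PASSWORD_RESET, LOGIN, "alice", init_next_auth_flow=False))
```

With the option enabled only the second-factor step is presented; with it disabled the user must complete both steps, which is the re-authentication the feature removes.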