Flow selection and conditions
With flow selection, one of several sub-flows is selected based on conditions and/or the end-user's choice. In other words, it allows creating branches.
The following flow diagram shows an example of an authentication flow with multiple branches:
Flow selection steps
A selection step is a special type of flow step that defines a list of sub-flows and the conditions determining when to use which sub-flow.
Selection steps are available for all types of flows:
- Non-interactive selection – A selection is non-interactive if IAM can decide which of the sub-flows should be executed. This is the case if exactly one condition is met and all others are not met, so that the flow state machine can determine exactly one sub-flow.
- Interactive selection – If more than one condition is true, the selection is interactive and IAM sends a list of selectable options to the REST client. The end-user (or the REST client) must then choose one of the options by sending a corresponding REST request to the server.
The following screenshot is an example from the Loginapp UI displaying the selection options in multi-factor authentication to the end-user:
Flow conditions
A flow condition is a configuration element used for conditional decisions. It may be used in flow selection but also in other flow concepts.
The following table lists some common conditions for illustration:
Flow Condition | Condition fulfilled if ... |
---|---|
Active Authentication Method | ... the user has been assigned the specified authentication method. |
Has Tag | ... the flow session contains the specified tag. |
Step activated | ... the specified step has been activated (dynamic step activation). |
User represented | ... the user is being represented by a representer (user representation feature). |
Request has SSO Ticket | ... the current request contains an SSO ticket. |
Has mTAN token | ... the user has an mTAN token (can be authenticated with mTAN). |
Has Password | ... the user has a password. |
Has matching role | ... the user has been assigned the specified role(s). |
First Authentication Usage of Device | ... the user is registered for an authentication method* but is using a new, previously unused authentication device. |
... | ... |
Logical AND | Logical conditions are used to combine other conditions into more complex conditions. |
\* Currently only available for Airlock 2FA.
Note that the table only gives some examples. There are many more conditions available in Airlock IAM. Use the Config Editor to get a full list of available conditions.
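The selection rule and the conditions described above can be modelled in a few lines. This is an added illustration, not Airlock IAM code or configuration: the state fields, sub-flow identifiers and method names are hypothetical, and both the "no-match" result and the rejection of a choice that was not offered are assumptions of the model, not behaviour documented on this page.

```python
from dataclasses import dataclass, field

@dataclass
class State:
    """Constructed user/session state; all field names are hypothetical."""
    auth_methods: set = field(default_factory=set)
    roles: set = field(default_factory=set)

# Conditions are predicates over the state, mirroring rows of the table above.
def active_auth_method(name):
    return lambda s: name in s.auth_methods

def has_matching_role(role):
    return lambda s: role in s.roles

def logical_and(*conditions):
    return lambda s: all(c(s) for c in conditions)

# Selection step: ordered (sub-flow id, condition) pairs; ids are hypothetical.
SECOND_FACTOR = [
    ("airlock-2fa", active_auth_method("AIRLOCK_2FA")),
    ("mtan", active_auth_method("MTAN")),
    ("admin-cert", logical_and(active_auth_method("CERT"),
                               has_matching_role("admin"))),
]

def select(options, state):
    """Return (mode, sub_flows) for the given state."""
    met = [flow for flow, cond in options if cond(state)]
    if len(met) == 1:
        return "non-interactive", met   # the state machine decides
    if len(met) > 1:
        return "interactive", met       # list is sent to the REST client
    return "no-match", met              # model assumption, not from the page

def choose(offered, requested):
    """Accept the client's choice only if it is one of the offered options."""
    if requested not in offered:
        raise ValueError(f"sub-flow {requested!r} was not offered")
    return requested

if __name__ == "__main__":
    for st in (State({"MTAN"}), State({"MTAN", "AIRLOCK_2FA"}),
               State({"CERT"}), State({"CERT"}, {"admin"})):
        print(sorted(st.auth_methods), sorted(st.roles), select(SECOND_FACTOR, st))
```

When reviewing a real selection step, the same table of states and resulting options is a quick way to see which sub-flows a given user can reach and whether any state leaves more branches selectable than intended.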
Further information and links
Internal links:
- Flow conditions on first device usage
- The HTTP Request Header Value Provider is a value provider that extracts information from client requests that may be used in conditions.