On-failure Goto (flow concept)
The on-failure goto flow concept allows reacting to a flow failure by jumping to another step. A typical application of this feature is switching to an alternative authentication factor step if an external service is unavailable.
Usage and security implications
This on-failure goto feature can route a flow from a failure situation to a successful completion. It works with a configurable mapping that tells IAM where in the flow to continue if a certain error type occurs in a step.
The feature is useful in the following cases:
- Provide the end user with an alternative sub-flow if a flow step cannot be used (e.g. due to a non-functioning external system). For example, an alternative authentication factor can be used if the primary factor cannot be used during login.
- Reroute the end user to an alternative sub-flow after canceling a flow. For example, the user may realize using a specific authentication factor is impossible in the current situation and may want to choose a different way to log in.
The feature is very general in that a goto target can be defined for any error type in all flow types.
Using on-failure gotos can pose a security risk: a flow may have been aborted with an error for a legitimate reason.
When using on-failure gotos, ensure that the flow still reaches its intended outcome, e.g. an authenticated user.
Using preconditions (e.g. the Has Tag condition) as “guards” in steps is advisable. See also Flow tags and red flags.
Configuration
On-failure gotos are configured on flow steps.
- Go to the flow step for which the on-failure goto is to be configured.
- In the property On Failure Gotos, add a new map entry:
  - As Key, use the error code of the error situation that should trigger the goto. Example: EXTERNAL_SERVICE_UNAVAILABLE
  - As Plugin, use the Step ID of the target step. If it does not exist, create a step ID on the target step first.
Error codes can be found in the IAM REST documentation, in the general Error Codes section, and in the documentation of specific endpoints. For selected steps, the error codes are documented in the On Failure Gotos property in the Config Editor.
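The security note and the Step ID requirement above can be checked mechanically before a flow goes live. The following is an added example, not IAM code or IAM's configuration format: it models a linear flow as a list of steps and reports on-failure gotos whose target is unknown or from which the flow can reach its end without the required tag. The step IDs, tag names and the assumption that a step with a missing required tag stops the flow are constructed for illustration.

```python
# Simplified model of a linear flow (assumption; not IAM's configuration format).
# A step has an id, tags it grants on success, tags it requires (guard),
# and on-failure gotos {error_code: target_step_id}.

def audit_gotos(flow, required):
    """List gotos whose target is unknown or lets the flow end without `required` tags."""
    index = {s["id"]: i for i, s in enumerate(flow)}
    findings = []
    for i, step in enumerate(flow):
        for error, target in step["gotos"].items():
            if target not in index:
                findings.append((step["id"], error, target, "unknown step ID"))
                continue
            # Tags held when the step fails: those granted by the steps before it.
            held = set().union(*(s["grants"] for s in flow[:i]))
            blocked = False
            for nxt in flow[index[target]:]:
                if not nxt["requires"] <= held:
                    blocked = True  # guard stops the flow (model assumption)
                    break
                held |= nxt["grants"]
            missing = required - held
            if not blocked and missing:
                reason = "completes without " + ", ".join(sorted(missing))
                findings.append((step["id"], error, target, reason))
    return findings

def sample_flow(goto_target, guard_session):
    """Constructed flow: password, push factor with one goto, OTP, session."""
    return [
        {"id": "password", "grants": {"pw-ok"}, "requires": set(), "gotos": {}},
        {"id": "push", "grants": {"2fa-ok"}, "requires": {"pw-ok"},
         "gotos": {"EXTERNAL_SERVICE_UNAVAILABLE": goto_target}},
        {"id": "otp", "grants": {"2fa-ok"}, "requires": {"pw-ok"}, "gotos": {}},
        {"id": "session", "grants": set(),
         "requires": {"2fa-ok"} if guard_session else set(), "gotos": {}},
    ]

if __name__ == "__main__":
    # Goto to the alternative factor, goto past it, and goto past it with a guard.
    for target, guard in (("otp", False), ("session", False), ("session", True)):
        print(target, guard, audit_gotos(sample_flow(target, guard), {"2fa-ok"}))
```

Only the second variant is reported: the goto jumps past both second-factor steps and nothing on the remaining path requires the tag.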