d9b271c22a
Closes #20007
88 lines
No EOL
3.7 KiB
Text
88 lines
No EOL
3.7 KiB
Text
=== Conditions in conditional flows
|
|
|
|
As was mentioned in <<_execution-requirements, Execution requirements>>, _Condition_ executions can be only contained in _Conditional_ subflow.
|
|
If all _Condition_ executions evaluate as true, then the _Conditional_ sub-flow acts as _Required_.
|
|
You can process the next execution in the _Conditional_ sub-flow.
|
|
If some executions included in the _Conditional_ sub-flow evaluate as false, then the whole sub-flow is considered as _Disabled_.
|
|
|
|
==== Available conditions
|
|
|
|
`Condition - User Role`::
|
|
This execution has the ability to determine if the user has a role defined by _User role_ field.
|
|
If the user has the required role, the execution is considered as true and other executions are evaluated.
|
|
The administrator has to define the following fields:
|
|
|
|
Alias:::
|
|
Describes a name of the execution, which will be shown in the authentication flow.
|
|
|
|
User role:::
|
|
Role the user should have to execute this flow.
|
|
To specify an application role the syntax is `appname.approle` (for example `myapp.myrole`).
|
|
|
|
`Condition - User Configured`::
|
|
This checks if the other executions in the flow are configured for the user.
|
|
The Execution requirements section includes an example of the OTP form.
|
|
|
|
`Condition - User Attribute`::
|
|
This checks if the user has set up the required attribute: optionally, the check can also evaluate the group attributes.
|
|
There is a possibility to negate output, which means the user should not have the attribute.
|
|
The xref:proc-configuring-user-attributes_{context}[User Attributes] section shows how to add a custom attribute.
|
|
You can provide these fields:
|
|
|
|
Alias:::
|
|
Describes a name of the execution, which will be shown in the authentication flow.
|
|
|
|
Attribute name:::
|
|
Name of the attribute to check.
|
|
|
|
Expected attribute value:::
|
|
Expected value in the attribute.
|
|
|
|
Include group attributes:::
|
|
If On, the condition checks if any of the joined group has one attribute matching the configured name and value: this option can affect performance
|
|
|
|
Negate output:::
|
|
You can negate the output.
|
|
In other words, the attribute should not be present.
|
|
|
|
==== Explicitly deny/allow access in conditional flows
|
|
|
|
You can allow or deny access to resources in a conditional flow.
|
|
The two authenticators `Deny Access` and `Allow Access` control access to the resources by conditions.
|
|
|
|
`Allow Access`::
|
|
Authenticator will always successfully authenticate.
|
|
This authenticator is not configurable.
|
|
|
|
`Deny Access`::
|
|
Access will always be denied.
|
|
You can define an error message, which will be shown to the user.
|
|
You can provide these fields:
|
|
|
|
Alias:::
|
|
Describes a name of the execution, which will be shown in the authentication flow.
|
|
|
|
Error message:::
|
|
Error message which will be shown to the user.
|
|
The error message could be provided as a particular message or as a property in order to use it with localization.
|
|
(i.e. "_You do not have the role 'admin'._", _my-property-deny_ in messages properties)
|
|
Leave blank for the default message defined as property `access-denied`.
|
|
|
|
Here is an example how to deny access to all users who do not have the role `role1` and show an error message defined by a property `deny-role1`.
|
|
This example includes `Condition - User Role` and `Deny Access` executions.
|
|
|
|
.Browser flow
|
|
image:images/deny-access-flow.png[Deny access flow]
|
|
|
|
.Condition - user role configuration
|
|
image:images/deny-access-role-condition.png[Deny access role settings]
|
|
|
|
.Configuration of the `Deny Access` is really easy. You can specify an arbitrary Alias and required message like this:
|
|
image:images/deny-access-execution-cond.png[Deny access execution settings]
|
|
|
|
The last thing is defining the property with an error message in the login theme `messages_en.properties` (for English):
|
|
|
|
[source]
|
|
----
|
|
deny-role1 = You do not have required role!
|
|
---- |