Authenticator Filters

Authenticator Filters are used to restrict the authenticators available for a client.

They can be configured for use on Service Providers or in the OAuth Client Configuration.

The base path for all authenticator-filters is the following:

  • /profiles/profile/settings/authentication-service/authenticator-filters/authenticator-filter

All authenticator-filters have a common base, but different types provide further settings.

The basic parameters for all authenticator-filters are as follows (see the configuration reference for the complete definition):

Parameter name   Mandatory   Description
id               Yes         The unique identifier of the authenticator-filter
filter-type      Yes         The type of the authenticator-filter. Values can be user-agent, cidr or script-filter.

The following sections explain how you can configure each type of authenticator-filter.

User-Agent Authenticator Filter

The User-Agent Authenticator Filter can be used to filter authenticators based on the Request User-Agent header.

Note

The filter-type for User-Agent authenticator filters is user-agent.

The following parameters can be configured (see the configuration reference for the complete definition):

Parameter name            Mandatory   Description
user-agent-regex          Yes         Regular expression to match against a Request's User-Agent
exclusions                Yes         Container of authenticators to exclude
exclusions/authenticator  1 or more   Reference to an existing authenticator (by ID)

Example configuration:

<authenticator-filter>
    <id>curl-no-html</id>
    <user-agent xmlns="https://curity.se/ns/conf/authenticator-filters/user-agent">
        <user-agent-regex>.*curl.*</user-agent-regex>
        <exclusions>
            <authenticator>htmlSql</authenticator>
            <authenticator>htmlScimMock</authenticator>
            <authenticator>htmlLdap</authenticator>
            <authenticator>htmlFormJson</authenticator>
        </exclusions>
    </user-agent>
</authenticator-filter>

CIDR Authenticator Filter

Note

CIDR (Classless Inter-Domain Routing) is defined in the RFC 1519 specification.

The CIDR authenticator-filter allows authenticators to be restricted based on the origin of the Request.

IPv4 and IPv6 CIDRs are supported.

Caution

Only quad-dotted decimal notation is supported for IPv4 (e.g. 10.77.12.11), and the standard 8-group hexadecimal notation for IPv6 addresses (which may be abbreviated, e.g. 0A:0B:1F:2A:82:1:55:6666 or 1::FFFF:ABCD).

Valid CIDRs include 10.77.12.11/18 and 0A:0B:1F:2A:82:1:55:6666/2, for example.

Note

The filter-type for CIDR authenticator filters is cidr.

The following parameters can be configured (see the configuration reference for the complete definition):

Parameter name            Mandatory   Description
filter-cidr               Yes         CIDR describing the origins to which this filter applies
exclusions                Yes         Container of authenticators to exclude
exclusions/authenticator  1 or more   Reference to an existing authenticator (by ID)

Example configuration:

<authenticator-filter>
    <id>ip-address-authenticator-filter</id>
    <cidr xmlns="https://curity.se/ns/conf/authenticator-filters/cidr">
        <filter-cidr>192.168.10.0/24</filter-cidr>
        <exclusions>
            <authenticator>htmlSql</authenticator>
            <authenticator>ping1</authenticator>
        </exclusions>
    </cidr>
</authenticator-filter>
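The following Python script is added here as an illustration of how the user-agent and cidr filters above combine; it is not part of the Curity Identity Server or its documentation. It parses the two example filters and works out which authenticators a given request would still be offered, checking the mandatory parts of each filter on the way. It assumes that the regular expression has to match the whole User-Agent value and that every matching filter contributes its exclusions independently; both are assumptions, not documented behaviour.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
# Constructed sample: this page's user-agent and cidr examples side by side
# (a script-filter delegates to a filter-procedure, so it is left out here).
CONFIG = """<authenticator-filters>
  <authenticator-filter><id>curl-no-html</id>
    <user-agent xmlns="https://curity.se/ns/conf/authenticator-filters/user-agent">
      <user-agent-regex>.*curl.*</user-agent-regex>
      <exclusions><authenticator>htmlSql</authenticator><authenticator>htmlLdap</authenticator></exclusions>
    </user-agent></authenticator-filter>
  <authenticator-filter><id>ip-address-authenticator-filter</id>
    <cidr xmlns="https://curity.se/ns/conf/authenticator-filters/cidr">
      <filter-cidr>192.168.10.0/24</filter-cidr>
      <exclusions><authenticator>htmlSql</authenticator><authenticator>ping1</authenticator></exclusions>
    </cidr></authenticator-filter>
</authenticator-filters>"""

def local(tag):  # strip the XML namespace so a filter-type element is found by its local name
    return tag.rsplit("}", 1)[-1]

def parse_filters(xml_text):
    """Parse each authenticator-filter into (id, type, matcher, excluded), checking mandatory parts."""
    parsed = []
    for node in ET.fromstring(xml_text).findall("authenticator-filter"):
        fid = node.findtext("id")
        body = [c for c in node if local(c.tag) != "id"]
        ftype = local(body[0].tag) if len(body) == 1 else None
        if not fid or ftype not in ("user-agent", "cidr"):
            raise ValueError(f"filter {fid!r}: id and one supported filter-type are mandatory")
        cfg = {local(c.tag): c for c in body[0]}
        excluded = [a.text for a in cfg.get("exclusions", [])]
        if not excluded:
            raise ValueError(f"filter {fid!r}: exclusions needs at least one authenticator")
        if ftype == "user-agent":
            matcher = re.compile(cfg["user-agent-regex"].text)  # re.error if the regex is invalid
        else:  # strict=False accepts host bits in the prefix, e.g. 10.77.12.11/18 as on this page
            matcher = ipaddress.ip_network(cfg["filter-cidr"].text, strict=False)
        parsed.append((fid, ftype, matcher, excluded))
    return parsed

def available_authenticators(filters, all_ids, user_agent, source_ip):
    """Apply every filter whose condition holds and return the authenticators still offered."""
    remaining = list(all_ids)
    for _fid, ftype, matcher, excluded in filters:
        hit = (matcher.fullmatch(user_agent or "") is not None if ftype == "user-agent"
               else ipaddress.ip_address(source_ip) in matcher)  # assumption: whole-header match
        if hit:
            remaining = [a for a in remaining if a not in excluded]
    return remaining
```

Feeding it the IDs of the authenticators configured on a profile together with a request's User-Agent and source address shows, before deployment, which authenticators that request would be denied.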

Script Authenticator Filter

The Script authenticator-filter can be configured to use existing filter-procedures to perform filtering.

Important

The filter-procedure must be of type authenticator to be accepted by a script authenticator-filter.

Note

The filter-type for Script authenticator filters is script-filter.

The following parameters can be configured (see the configuration reference for the complete definition):

Parameter name                  Mandatory   Description
authenticator-filter-procedure  Yes         Reference to an existing filter-procedure

Example configuration:

<authenticator-filters>
    <authenticator-filter>
        <id>check-header-authenticator-filter</id>
        <script-filter xmlns="https://curity.se/ns/conf/authenticator-filters/script">
            <authenticator-filter-procedure>check-header-authenticator-filter</authenticator-filter-procedure>
        </script-filter>
    </authenticator-filter>
</authenticator-filters>