Authentication flow
One of the Cloud Identity JavaScript mapping rules provided out of the box is the Authentication rule, which operates at a high level as follows.
| Action | Result |
|---|---|
| Empty or "initiate" | Produce a landing page with all authentication methods listed such that the user can choose which method they would like to perform authentication with. |
| "chooseMethod" | Create a transaction (if required) and return a page relevant to the chosen method. Waiting page for IBM Verify, OTP input page for SMS/Email/Time-Based OTP, and OTP delivery detail input page for Transient Email/SMS. |
| "submitTransient" | Create a transient transaction with the given OTP delivery detail. Returns an OTP input page. |
| "verifyOTP" | Send the OTP to Cloud Identity for verification. If the verification succeeds, progress to the next step in the policy. If verification fails, display an error to the user. |
| "poll" | Check the status of the IBM Verify transaction. If the transaction was successful, progress to the next step in the policy; otherwise display an error to the user. |
| "register" | When jitEnrollment is enabled, users may just-in-time enroll if they have no enrollments when prompted for authentication. This action is then used to perform that enrollment. |
| "pollEnrollment" | Used to poll an in-progress authenticator enrollment to check whether it has completed successfully. |
| "validateOTP" | In some cases, new enrollments must be validated before they can be used at runtime for authentication/verification. This action validates the given OTP. |
Several parameters can be modified at the beginning of the mapping rule to control its behavior:
| Variable | Effect | Default |
|---|---|---|
| otpCorrelation | The correlation to use in SMS and Email OTP transactions. | "Verify Access verification" |
| enabledMethods | The type of methods to display to a user, if enrolled. | ["Verify", "SMSOTP", "EmailOTP", "TOTP", "TransientEmail", "TransientSMS"] |
| verifyTransactionMessage | The transaction message to send when creating Verify transactions. | "You have a pending authentication challenge." |
| expandVerifyMethods | A boolean indicating whether all available Verify methods should be displayed to the user, or only one (which is the highest priority in verifyMethodPriority). | false |
| verifyMethodPriority | The priority of Verify methods to display if expandVerifyMethods is false. | ["face", "iris", "retina", "eye", "fingerprint", "userpresence"] |
| jitEnrollment | A boolean indicating whether to redirect to the USC flow if no enrollments are found. | false |
| hideTransientIfEnrolled | A boolean indicating if transient factors should be hidden if the corresponding factor is fully enrolled. For example, hide transient email if there is a validated email OTP enrollment that can be used for verification. | true |
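As an added example (not the mapping rule's own code), the following JavaScript shows how the enabledMethods, expandVerifyMethods, verifyMethodPriority, hideTransientIfEnrolled and jitEnrollment settings combine to decide what the "initiate" landing page offers a user. The enrollment record shape, the "Verify:<method>" labels and the page names are assumptions made for the example.

```javascript
// Added example, not Cloud Identity's own mapping rule. Enrollment record shape
// is assumed: { type, enabled, validated, methods }, where methods lists a
// Verify device's sub-methods (empty for OTP enrollments).
const config = {
  enabledMethods: ["Verify", "SMSOTP", "EmailOTP", "TOTP", "TransientEmail", "TransientSMS"],
  expandVerifyMethods: false,
  verifyMethodPriority: ["face", "iris", "retina", "eye", "fingerprint", "userpresence"],
  jitEnrollment: false,
  hideTransientIfEnrolled: true,
};
// Build the list of methods the landing page offers, honoring the settings above.
function selectMethods(enrollments, cfg) {
  const usable = enrollments.filter(e => e.enabled && e.validated); // fully enrolled only
  const has = type => usable.some(e => e.type === type);
  const offered = [];
  for (const m of cfg.enabledMethods) {
    switch (m) {
      case "Verify": {
        const verifyMethods = usable.filter(e => e.type === "Verify").flatMap(e => e.methods);
        if (verifyMethods.length === 0) break;
        if (cfg.expandVerifyMethods) {
          verifyMethods.forEach(v => offered.push("Verify:" + v));
        } else {
          // Single entry: the first priority-list method the user's devices support.
          const best = cfg.verifyMethodPriority.find(p => verifyMethods.includes(p));
          if (best) offered.push("Verify:" + best);
        }
        break;
      }
      case "SMSOTP": case "EmailOTP": case "TOTP":
        if (has(m)) offered.push(m);
        break;
      case "TransientEmail":
        // Transient delivery needs no enrollment; hide it if a validated EmailOTP exists.
        if (!(cfg.hideTransientIfEnrolled && has("EmailOTP"))) offered.push(m);
        break;
      case "TransientSMS":
        if (!(cfg.hideTransientIfEnrolled && has("SMSOTP"))) offered.push(m);
        break;
    }
  }
  return offered;
}
// What "initiate" renders: the landing page, or enrollment when jitEnrollment applies.
function initiate(enrollments, cfg) {
  if (enrollments.length === 0 && cfg.jitEnrollment) return { page: "register", methods: [] };
  const methods = selectMethods(enrollments, cfg);
  return { page: methods.length > 0 ? "landing" : "error", methods };
}
```

With the default settings a user who has no enrollments is still offered the transient methods, so jitEnrollment only changes the outcome when it is switched on.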