docs(jans-auth-server): documented acr mappings and prefixed acr - "a…

…gama_<flow name>" #8216 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
JanssenProject · Apr 18, 2024 · cfcb123 · cfcb123
1 parent 80dffaa
commit cfcb123
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/docs/admin/auth-server/openid-features/acrs.md b/docs/admin/auth-server/openid-features/acrs.md
@@ -35,7 +35,7 @@ understanding.
 ### 1. Internal Janssen Server ACR
 
 Janssen server will use internal ACR only if no other authentication method is set or could be invoked.
-This internal ACR, `default_password_auth`, is set to level -1. This means that it has lower
+This internal ACR, `simple_password_auth`, is set to level -1. This means that it has lower
 priority than any other script. This ACR is always available and enabled on any Janssen Server deployment.
 
 This ACR is a simple user-id and password-based authentication mechanism. It authenticates the end-user
@@ -55,6 +55,11 @@ To offer highly flexible and pluggable authentication flows, Janssen Server uses
 associated with a corresponding [person authentication script](../../developer/scripts/person-authentication.md). To use these ACRs
 in the authentication flow, the associated [script should be enabled](../../developer/scripts/person-authentication.md#enabling-an-authentication-mechanism).
 
+### 4. Agama ACRs
+
+Agama acrs starts from `agama_` prefix. All of them invoke underlying agama bridge script called `agama`.
+General pattern is `agama_<flow name>`.
+
 ## Configuring ACRs in the JANS AS:
 
 ACRs can be configured on two levels:
@@ -95,6 +100,15 @@ ACR's level, nothing is changed and the usual SSO behavior is observed. If the n
 method is requested), and it's not possible to serve such a request using the existing session's context, then the user
 must re-authenticate to continue. If the user succeeds, a new session with a new ACR gets associated.
 
+## ACR mappings (aliases)
+
+There is `acrMappings` AS configuration property which allows to specify aliases for acrs.
+`acrMappings` contains simply map in key-value form.
+
+Lets say RP sends request with `acr_values=loginWithOtpCheck`. If `acrMappings` contains mapping "loginWithOtpCheck":"otp" then
+AS will map `loginWithOtpCheck` to `otp` and will use `acr_values=otp`. 
+It means that script must be called `otp` in this case and not `loginWithOtpCheck`. 
+
 ## Flowchart - How the Jans AS derives an ACR value for a user session :
 
 ```mermaid