It is possible to configure federation scenarios so that only a username is required during authentication and not a password. This is done by editing the scenario after it is set up in the WebUI.
Other forms of multi-factor authentication, such as OTP or OneTouch, might still be used with such scenarios even though a password is not required.
Passwordless Federation Scenario Setup
With a federation scenario, the SAML authenticator first needs to have its name changed using the advanced editor. In this description, a federation Username, Password and OneTouch scenario is taken as the example. Setting up federation scenarios is discussed in Section 6.1, Basic Federation Scenario Setup, and it may be useful to review that section before continuing.
After the federation scenario is created, change the authenticator name from SAMLUidPasswordOneTouch to SAMLUidOneTouch. To do this, select the Advanced tab to display the advanced editor and select the pen icon next to Authentication - HTTP.
Find the SAML authenticator with the "name" parameter value of SAMLUidPasswordOneTouch.
Change the "name" parameter to SAMLUidOneTouch.
Next, some valves need to be removed from the federation Username, Password and OneTouch scenario.
Select Scenarios > Federation > Username, Password and OneTouch in the WebUI and open the scenario. Select the Execution Flow tab and remove the two valves called InputParameterExistsValidatorValve (which requires that a password be entered) and LDAPBindValve (which requires that the entered password matches the user's LDAP entry).
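The two edits described above, applied to a copy of a scenario and checked, as an added example that is not part of the original documentation or the product's own code. The layout used here (an "authenticators" list and a "valves" list) and the Example* valve names are assumptions for illustration; only the authenticator and valve names from the steps above come from this page.

```python
import copy

# Names taken from the procedure above.
OLD_NAME = "SAMLUidPasswordOneTouch"
NEW_NAME = "SAMLUidOneTouch"
PASSWORD_VALVES = {"InputParameterExistsValidatorValve", "LDAPBindValve"}


def make_passwordless(config):
    """Return (new_config, problems) for a scenario held as a dict.

    Assumed layout (not the product's documented schema):
    {"authenticators": [{"name": ...}], "valves": [{"name": ...}]}
    """
    cfg = copy.deepcopy(config)
    problems = []

    matches = [a for a in cfg.get("authenticators", []) if a.get("name") == OLD_NAME]
    if len(matches) != 1:
        problems.append(f"expected one {OLD_NAME} authenticator, found {len(matches)}")
    for auth in matches:
        auth["name"] = NEW_NAME

    valves = cfg.get("valves", [])
    for name in sorted(PASSWORD_VALVES):
        count = sum(v.get("name") == name for v in valves)
        if count != 1:  # absent or repeated: review by hand before removing
            problems.append(f"{name}: expected 1 in execution flow, found {count}")
    cfg["valves"] = [v for v in valves if v.get("name") not in PASSWORD_VALVES]

    # The remaining valves are the only checks left, so flag an empty flow.
    if not cfg["valves"]:
        problems.append("no valves remain after removing the password checks")
    return cfg, problems


# Constructed sample; the two Example* valve names are placeholders.
SAMPLE = {
    "authenticators": [{"name": OLD_NAME}, {"name": "OtherAuthenticator"}],
    "valves": [
        {"name": "ExampleUserLookupValve"},
        {"name": "InputParameterExistsValidatorValve"},
        {"name": "LDAPBindValve"},
        {"name": "ExampleOneTouchValve"},
    ],
}

if __name__ == "__main__":
    print(make_passwordless(SAMPLE))
```

An empty problems list means the rename matched exactly one authenticator, each password valve was found exactly once, and at least one other valve is still in the flow.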
When the user now tries to authenticate, the password field no longer appears in the dialog presented. Below is an example of this (the Swedish language version is shown).