Decision
A Decision is implemented through an authentication mechanism, Decision JavaScript, that is similar to the InfoMap mechanism.
However, the mapping rule and template configuration are not associated with the mechanism but are set at the policy level. Another difference is that the Decision JavaScript mechanism cannot be added as a Step in the policy workflow.
In the policy workflow configuration screen, the Mapping Rule field is a drop-down that is populated with mapping rules in the new category Decision. Several out-of-the-box mapping rules exist in the new category.
- Completing a Decision
- To complete a decision, set the decision attribute in the mapping rule state variable to the name of the branch that has been chosen.
state.put("decision", "BranchName");
Example:
A decision has been configured with one branch named TOTP Branch which contains one step TOTP One-time Password. Mapping rule:
var totpEnrolled = MechanismRegistrationHelper.isTotpEnrolled(username, getLocale());
if (totpEnrolled) {
    // TOTP is enrolled, set the decision to the
    // TOTP branch name
    state.put("decision", "TOTP Branch");
    // Since we have decided this is optional step up,
    // set skip decision
    state.put("skipDecision", "true");
}
result = true;
A decision can be skipped entirely with the “skipDecision” state variable. This action should always be server controlled and never based on user input. The policy continues as if the decision was completed successfully.
- Returning to the Decision
- The policy flow can be returned to the Decision if “Allow return to decision” is configured on the policy. This enables backward progression through the policy based on user input. To trigger the return during runtime policy flow, use the operation returnToDecision.
POST/PUT {"operation": "returnToDecision" }
This operation only takes effect if “Allow return to decision” is true, and the currently running mechanism is in a branch.
If all the steps within a branch have been completed, the decision is considered to be completed and the policy flow cannot return to the decision point.
The mapping rule state variable wasReset is populated after returnToDecision is performed. The variable can be fetched with state.get("wasReset").
Example:
A decision was configured with two branches, FIDO2 Branch and Username Password Branch. The FIDO2 Branch contains one step, FIDO2 WebAuthn Authenticator. The Username Password branch contains one step, Username Password. Mapping Rule:
// Has the flow returned to this decision from a branch?
var decisionWasReturned = state.get("wasReset");
if (decisionWasReturned) {
    // User has chosen to fallback to
    // username/password
    state.put("decision", "Username Password Branch");
} else {
    // Make user try FIDO2 first
    state.put("decision", "FIDO2 Branch");
}
result = true;
HTML page:
<form id="operationForm" method="POST" action="@ACTION@">
    <input type="hidden" name="operation" value="returnToDecision">
</form>
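The following off-appliance check is an added example, not code from the product or its documentation. It replays a decision rule with identical server-side facts and differing user input to confirm that skipDecision and the chosen branch stay server controlled. The `makeState` stub, the `facts` and `params` objects, and all function names are hypothetical; the branch names and the `wasReset`, `decision` and `skipDecision` variables come from the examples above.

```javascript
// Constructed stand-in for the runtime-provided `state` object.
function makeState(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    put: (k, v) => { m.set(k, v); },
    dump: () => JSON.stringify([...m.entries()].sort()),
  };
}

// Hardened rule: only server-derived `facts` and the server-populated
// wasReset variable decide the outcome; `params` (user input) is never read.
function hardenedRule(state, facts, params) {
  if (facts.fido2Registered && !state.get("wasReset")) {
    state.put("decision", "FIDO2 Branch");
  } else {
    state.put("decision", "Username Password Branch");
  }
  if (facts.stepUpNotRequired) state.put("skipDecision", "true");
  return true;
}

// Flawed rule for contrast: a request parameter can set skipDecision.
function flawedRule(state, facts, params) {
  hardenedRule(state, facts, params);
  if (params.skip === "true") state.put("skipDecision", "true");
  return true;
}

// Run one rule against a fresh state, as the policy would at the decision.
function runRule(rule, facts, params, wasReset) {
  const state = makeState(wasReset ? { wasReset: true } : {});
  rule(state, facts, params);
  return state;
}

// Differential check: same server facts, different user input. Any
// difference in the resulting state means user input reached the decision.
function userInputInfluences(rule, facts, wasReset) {
  const inputs = [{}, { skip: "true" }, { skipDecision: "true" },
                  { decision: "Username Password Branch" }];
  const seen = new Set(inputs.map((p) => runRule(rule, facts, p, wasReset).dump()));
  return seen.size > 1;
}

const sampleFacts = { fido2Registered: true, stepUpNotRequired: false }; // constructed
console.log("hardened rule influenced:", userInputInfluences(hardenedRule, sampleFacts, false));
console.log("flawed rule influenced:", userInputInfluences(flawedRule, sampleFacts, false));
```

A rule that reports `true` here should be reworked so that `skipDecision` is derived only from values the server looked up itself.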