Currently the only "official" authentication in midPoint is authentication based on internal midPoint passwords. MidPoint can in fact be configured to authenticate against an external LDAP server, Active Directory, CAS or a variety of other systems, but this is not official functionality: support is limited to a couple of special cases and requires a special subscription.
What we need:
An authentication mechanism that is better integrated with midPoint configuration, e.g. one that is configured in the same way as midPoint password policies are, as midPoint objects.
Flexible authentication, e.g. different authentication requirements for the self-service and administration parts of the midPoint user interface.
Common processing code shared by all authentication options, so that last login times are recorded, policies (lockout, password expiration and so on) are enforced consistently regardless of how the user authenticated.
Authentication that can take advantage of account linking. MidPoint knows that Active Directory account "foo" actually belongs to user X12345, so the user can log in with the Active Directory account foo while midPoint displays self-service for user X12345. The credential is verified against the external system, but the authenticated principal is the linked midPoint user.
(Optional) ConnId connectors have an authentication operation that could be used for this. That would avoid duplicating connectors and authentication modules: e.g. the Active Directory connector would take care of both identity management and authentication, and the same connector configuration would be reused.
(Optional) Authentication module chaining, since more than one module may be needed to perform a single authentication.
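The following is an added illustration of how the requirements above fit together; it is constructed example code, not midPoint's design or implementation, and every user, account, resource and module name in it is hypothetical. It shows separate module chains for self-service and administration, a single place where lockout and last-login handling happens for every chain, an external-account module that verifies the credential against a stand-in directory (where a ConnId connector's authenticate operation would be called) and then resolves the account to its linked midPoint owner, and chaining where a second module requires the first to have established the user.

```python
"""Constructed illustration of chained authentication modules with account
linking and shared post-processing. Not midPoint code; all data is made up."""
import hmac
from dataclasses import dataclass
from typing import Optional, Protocol


@dataclass
class User:
    oid: str
    name: str
    password: Optional[str] = None      # internal credential; a real store keeps a hash
    last_login: Optional[int] = None
    disabled: bool = False


# Hypothetical midPoint users. jdoe has no internal password at all.
USERS = {
    "X12345": User("X12345", "jdoe"),
    "X99999": User("X99999", "asmith", password="s3cret"),
}
# Constructed external directory standing in for Active Directory: account -> password.
AD_ACCOUNTS = {"foo": "ad-pass", "orphan": "orphan-pass"}
# Account linking: (resource, account) -> owner oid. "orphan" has no owner.
LINKS = {("AD", "foo"): "X12345"}
# Constructed per-user one-time codes; a real module would compute TOTP.
OTP_CODES = {"X99999": "424242"}
# Shared failure counter, keyed by the presented login name, used by every chain.
FAILED_ATTEMPTS = {}


class AuthModule(Protocol):
    def authenticate(self, login: str, credentials: dict, oid: Optional[str]) -> Optional[str]:
        """Return the oid of the midPoint user the credential belongs to, or None to reject.
        `oid` is the user established by earlier modules in the chain, if any."""


class InternalPasswordModule:
    """Login name is a midPoint user name; checks the internal password."""
    def authenticate(self, login, credentials, oid):
        presented = credentials.get("password") or ""
        for user in USERS.values():
            if user.name == login and user.password is not None \
                    and hmac.compare_digest(user.password, presented):
                return user.oid
        return None


class ExternalAccountModule:
    """Login name is an account on an external resource. The credential is verified
    there, then the account is mapped to its linked midPoint owner. An account that
    authenticates but is linked to nobody is rejected: there is no user to log in as."""
    def __init__(self, resource, accounts, links):
        self.resource, self.accounts, self.links = resource, accounts, links

    def authenticate(self, login, credentials, oid):
        stored = self.accounts.get(login)
        if stored is None or not hmac.compare_digest(stored, credentials.get("password") or ""):
            return None
        return self.links.get((self.resource, login))


class OtpModule:
    """Second step of a chain: needs the user identified by an earlier module."""
    def __init__(self, codes):
        self.codes = codes

    def authenticate(self, login, credentials, oid):
        if oid is None:
            return None
        expected = self.codes.get(oid)
        if expected is None or not hmac.compare_digest(expected, credentials.get("otp") or ""):
            return None
        return oid


def authenticate_chain(modules, login, credentials, now, max_failed=3):
    """Run every module in order; all must succeed and agree on one user (fail closed).
    Lockout and last-login recording live here, once, for every authentication option."""
    if FAILED_ATTEMPTS.get(login, 0) >= max_failed:
        return None                      # locked out before any module runs
    oid = None
    for module in modules:
        result = module.authenticate(login, credentials, oid)
        if result is None or (oid is not None and result != oid):
            FAILED_ATTEMPTS[login] = FAILED_ATTEMPTS.get(login, 0) + 1
            return None
        oid = result
    user = USERS.get(oid)
    if user is None or user.disabled:
        return None
    FAILED_ATTEMPTS.pop(login, None)
    user.last_login = now
    return oid


# Different requirements for the two parts of the UI (hypothetical chains).
SELF_SERVICE_CHAIN = [ExternalAccountModule("AD", AD_ACCOUNTS, LINKS)]
ADMIN_CHAIN = [InternalPasswordModule(), OtpModule(OTP_CODES)]

if __name__ == "__main__":
    print(authenticate_chain(SELF_SERVICE_CHAIN, "foo", {"password": "ad-pass"}, now=1000))
    print(authenticate_chain(ADMIN_CHAIN, "asmith", {"password": "s3cret", "otp": "424242"}, now=1001))
```

Logging in as AD account foo yields the self-service session of X12345, the orphaned AD account is refused even with the right password, and the administration chain refuses both an AD credential and an internal password without its second factor; repeated failures lock the login name out in the shared counter, whichever chain produced them.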