The authentication service provides operations to authenticate a user in a variety of ways, which are shown in the table below. The service also provides the ability to execute a global logout.
AuthenticationService Operations
Endpoint address:
The authentication service is governed by the parameters of an authentication policy. An authentication policy can be defined for each security domain. An authentication policy can also be defined for a resource or a node in a resource tree. The hierarchy of the policy associations is shown below:
- Security Domain
- Resource Tree Node - If no policy is defined for a resource, then the policy associated with the security domain will be used.
An authentication policy can consist of the parameters shown in the table below:
| Parameter | Description |
|---|---|
| DOMAIN_ID | Security domain associated with the policy |
| FAILED_AUTH_COUNT | Number of failed authentication attempts before an account is locked. |
| AUTO_UNLOCK_TIME | Amount of time before a locked account is automatically unlocked |
| TOKEN_TYPE | SSO Token Type - Valid values include: |
| TOKEN_LIFE | Amount of time in minutes that a token is valid. Default is 30 minutes. |
| LOGIN_MODULE_SEL_POLCY | Policy to select the login module |
| SUCCESS_URL | URL to forward to on authentication success |
| FAIL_URL | URL to forward to on authentication failure |
| ACCESS_POLICY | Rules that govern access to the system. |
| VALID_ACCESS_TIME | Time ranges during which access to the system is allowed. |
| IP_BLACKLIST | List of IP addresses that have been blacklisted. |
| DEFAULT_LOGIN_MOD | Default login module. Valid values include: |
Authentication Result Codes
| Code | Value | Description |
|---|---|---|
| SUCCESS | 1 | Successful login |
| SUCCESS_PASSWORD_EXP | 2 | Successful login, but the password is expiring soon. |
| SUCCESS_FIRST_TIME | 3 | Successful login, but it is a first-time login. |
| INVALID_LOGIN | 100 | Invalid login id |
| INVALID_PASSWORD | 101 | Invalid password. |
| PASSWORD_EXPIRED | 102 | Password has expired |
| LOGIN_LOCKED | 103 | Login is locked |
| INVALID_USER_STATUS | 104 | User is not in a valid status. |
| SERVICE_UNAVAILABLE | 105 | Service is unavailable |
| SERVICE_NOT_FOUND | 107 | Service id does not exist in the system. |
| RESULT_INVALID_TOKEN | 108 | Security token is not valid |
| RESULT_INVALID_DOMAIN | 109 | Security domain is not valid |
| RESULT_LOGIN_DISABLED | 110 | Login has been disabled. |
| INTERNAL_ERROR | -1 | |
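The following is an added example and is not OpenIAM code: it shows how the policy parameters in the first table (FAILED_AUTH_COUNT, AUTO_UNLOCK_TIME, TOKEN_LIFE, VALID_ACCESS_TIME, IP_BLACKLIST) combine to decide a password login, and how the outcome maps onto the result codes in the second table. All class, method and field names, the sample credential, IP addresses and timestamps are constructed for this example; VALID_ACCESS_TIME is modelled as a single daily window, and the page does not say which result code an access-rule rejection produces, so RESULT_LOGIN_DISABLED is this example's assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.time.LocalTime;
import java.time.ZoneOffset;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example, not OpenIAM code: a minimal password-authentication check that
// applies the policy parameters from the table above and answers with the
// result codes from the table below. Names are hypothetical; only the parameter
// and result-code names come from this page.
public class AuthPolicyExample {

    // Result codes as listed on this page.
    static final int SUCCESS = 1;
    static final int INVALID_LOGIN = 100;
    static final int INVALID_PASSWORD = 101;
    static final int LOGIN_LOCKED = 103;
    // The page does not say which code an ACCESS_POLICY / IP_BLACKLIST rejection
    // produces; RESULT_LOGIN_DISABLED is this example's assumption.
    static final int RESULT_LOGIN_DISABLED = 110;

    /** The subset of policy parameters this example enforces. */
    static final class AuthPolicy {
        final int failedAuthCount;        // FAILED_AUTH_COUNT
        final Duration autoUnlockTime;    // AUTO_UNLOCK_TIME
        final Duration tokenLife;         // TOKEN_LIFE (page default: 30 minutes)
        final LocalTime accessFrom;       // VALID_ACCESS_TIME, modelled as one daily window (UTC)
        final LocalTime accessTo;
        final Set<String> ipBlacklist;    // IP_BLACKLIST
        AuthPolicy(int failedAuthCount, Duration autoUnlockTime, Duration tokenLife,
                   LocalTime accessFrom, LocalTime accessTo, Set<String> ipBlacklist) {
            this.failedAuthCount = failedAuthCount; this.autoUnlockTime = autoUnlockTime;
            this.tokenLife = tokenLife; this.accessFrom = accessFrom; this.accessTo = accessTo;
            this.ipBlacklist = ipBlacklist;
        }
    }

    /** Per-principal lockout state. */
    static final class AccountState {
        int failedAttempts = 0;
        Instant lockedAt = null;          // null while the account is not locked
    }

    private final AuthPolicy policy;
    private final Map<String, String> passwords;   // constructed sample credential store
    private final Map<String, AccountState> accounts = new HashMap<>();

    AuthPolicyExample(AuthPolicy policy, Map<String, String> passwords) {
        this.policy = policy;
        this.passwords = passwords;
    }

    /** Applies the policy in the order: access rules, lockout state, credential check. */
    int passwordAuth(String principal, String password, String clientIp, Instant now) {
        if (policy.ipBlacklist.contains(clientIp)) return RESULT_LOGIN_DISABLED;
        LocalTime t = LocalTime.ofInstant(now, ZoneOffset.UTC);
        if (t.isBefore(policy.accessFrom) || t.isAfter(policy.accessTo)) return RESULT_LOGIN_DISABLED;

        if (!passwords.containsKey(principal)) return INVALID_LOGIN;
        AccountState st = accounts.computeIfAbsent(principal, k -> new AccountState());

        if (st.lockedAt != null) {
            if (Duration.between(st.lockedAt, now).compareTo(policy.autoUnlockTime) < 0) return LOGIN_LOCKED;
            st.lockedAt = null;           // AUTO_UNLOCK_TIME has elapsed
            st.failedAttempts = 0;
        }

        // Constant-time comparison so a wrong password does not leak how many leading bytes matched.
        byte[] given = password.getBytes(StandardCharsets.UTF_8);
        byte[] stored = passwords.get(principal).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(given, stored)) {
            st.failedAttempts++;
            if (st.failedAttempts >= policy.failedAuthCount) {
                st.lockedAt = now;        // FAILED_AUTH_COUNT reached: lock the account
                return LOGIN_LOCKED;
            }
            return INVALID_PASSWORD;
        }
        st.failedAttempts = 0;
        return SUCCESS;
    }

    /** Expiry a token issued now would carry under TOKEN_LIFE. */
    Instant tokenExpiry(Instant now) { return now.plus(policy.tokenLife); }

    public static void main(String[] args) {
        AuthPolicy policy = new AuthPolicy(3, Duration.ofMinutes(15), Duration.ofMinutes(30),
                LocalTime.of(8, 0), LocalTime.of(18, 0), Set.of("203.0.113.5"));          // constructed values
        AuthPolicyExample svc = new AuthPolicyExample(policy, Map.of("jdoe", "correct-horse")); // constructed
        Instant t0 = Instant.parse("2024-01-15T09:00:00Z");
        String ip = "198.51.100.7";                                                            // constructed

        System.out.println(svc.passwordAuth("jdoe", "wrong", ip, t0));                         // 101
        System.out.println(svc.passwordAuth("jdoe", "wrong", ip, t0));                         // 101
        System.out.println(svc.passwordAuth("jdoe", "wrong", ip, t0));                         // 103: locked
        System.out.println(svc.passwordAuth("jdoe", "correct-horse", ip, t0.plusSeconds(60))); // 103: still locked
        System.out.println(svc.passwordAuth("jdoe", "correct-horse", ip, t0.plus(Duration.ofMinutes(15)))); // 1: auto-unlocked
        System.out.println(svc.passwordAuth("jdoe", "correct-horse", "203.0.113.5", t0));     // 110: blacklisted IP
        System.out.println(svc.passwordAuth("jdoe", "correct-horse", ip, Instant.parse("2024-01-15T23:00:00Z"))); // 110: outside window
        System.out.println(svc.tokenExpiry(t0));                                               // 2024-01-15T09:30:00Z
    }
}
```

The order of checks matters: the access rules (IP_BLACKLIST, VALID_ACCESS_TIME) are evaluated before the credential is touched, so a request from a blacklisted address never consumes a failed-attempt count, and the lockout is checked before the password so a locked account returns LOGIN_LOCKED even when the correct password is supplied.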
Service Operations
Operation Name: authenticate(AuthenticationContext ctx)
Parameters:
- AuthenticationContext ctx
Return:
- Subject
The authenticate method provides a single interface to carry out authentication using a variety of service providers. These service providers are usually linked to a resource ID. When authentication is requested for a particular resource, the authentication service will look up the authentication provider associated with that resource and invoke it.
Operation Name: authenticateByToken(String userId, String token, String tokenType)
Parameters:
- String userId
- String token
- String tokenType
Return:
- Subject
The authenticateByToken method is usually called in a single sign-on situation where the application has received a token but would like to retrieve the underlying Subject.
Operation Name: validateTokenByUser(String userId, String token, String tokenType)
Parameters:
- String userId - The unique identifier within OpenIAM that is used to identify a user. This is different from the User Principal value.
- String token - The string containing a previously generated token.
- String tokenType - String containing the type of token that is to be used. Valid values include: OPENIAM_TOKEN, SAML1, SAML2.
Return:
- boolean
The validateTokenByUser operation is used to check the validity of a security token for the given userId. Security tokens have a limited life and are associated with a user; checking the token against the user it was issued to prevents attackers from reusing a token that was generated earlier.
Operation Name: passwordAuth(String domainId, String principal, String password)
Parameters:
- String domainId - Security domain that is being used.
- String principal - User principal value.
- String password - Password that is to be used for authentication.
Return:
- Subject
The passwordAuth operation provides a simple interface to carry out authentication. Authentication through this operation is limited to password-based authentication.
Sample Request:
Sample Response with SAML 2 Assertion
Operation Name: renewToken(String principal, String token, String tokenType)
Parameters:
- String principal - loginId or userPrincipal that is being authenticated.
- String token - String containing a valid, previously generated token.
- String tokenType - String containing the type of token that is to be used. The valid token types are listed above.
Return:
- boolean
The renewToken operation is used to update a token so that its validity period and other components are refreshed. A common use of this operation is to extend the life of a particular security token or assertion.
Sample Request:
Sample Response
Operation Name: validateToken(String loginId, String token, String tokenType)
Parameters:
- String loginId - loginId or userPrincipal that is being authenticated.
- String token - String containing a previously generated token.
- String tokenType - String containing the type of token that is to be used. Valid values include: OPENIAM_TOKEN, SAML1, SAML2.
Return:
- boolean
The validateToken operation is used to check the validity of a security token. Security tokens have a limited life and are associated with a user; using this method prevents attackers from reusing a token that was generated earlier. XML tokens such as SAML 1 and SAML 2 should be signed to allow for a high level of security.
Sample Request:
Sample Response: Indicates Successful validation of the Token
Operation Name: globalLogout(String userId)
Parameters:
- String userId - ID of the user that is to be logged out.
Return:
- void
Executes a global logout so that the user is logged out of all the applications they have logged into.
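The following is an added example and is not OpenIAM code: a toy server-side token registry that models the semantics described for validateTokenByUser, validateToken, renewToken and globalLogout above, in particular the user binding that stops a token being presented under a different identity, expiry under TOKEN_LIFE, renewal of a still-valid token, and revocation of every token a user holds on global logout. The class, the issueToken helper, the loginId-to-userId directory and all sample identifiers and timestamps are constructed for this example; only the operation names and the OPENIAM_TOKEN type come from this page.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not OpenIAM code: models the token operations described on
// this page with an in-memory registry. Names other than the operation names
// and the OPENIAM_TOKEN type are hypothetical.
public class TokenRegistryExample {

    static final String OPENIAM_TOKEN = "OPENIAM_TOKEN";   // token type listed on this page

    /** Server-side record behind an opaque token string. */
    static final class TokenRecord {
        final String userId;
        Instant expiresAt;
        TokenRecord(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    private final Duration tokenLife;                        // TOKEN_LIFE from the policy
    private final Map<String, TokenRecord> tokens = new HashMap<>();
    private final Map<String, String> loginToUserId;         // constructed sample directory
    private final SecureRandom random = new SecureRandom();

    TokenRegistryExample(Duration tokenLife, Map<String, String> loginToUserId) {
        this.tokenLife = tokenLife;
        this.loginToUserId = loginToUserId;
    }

    /** Issues an opaque, unguessable token bound to userId (what a successful login would hand out). */
    String issueToken(String userId, Instant now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new TokenRecord(userId, now.plus(tokenLife)));
        return token;
    }

    /** Mirrors validateTokenByUser: the token must exist, be unexpired, and belong to this userId. */
    boolean validateTokenByUser(String userId, String token, String tokenType, Instant now) {
        if (!OPENIAM_TOKEN.equals(tokenType)) return false;   // SAML1 / SAML2 are not modelled here
        TokenRecord rec = tokens.get(token);
        if (rec == null) return false;                         // unknown, or already revoked
        if (!rec.expiresAt.isAfter(now)) {                     // token life elapsed: drop it
            tokens.remove(token);
            return false;
        }
        return rec.userId.equals(userId);                      // binding check: rejects use under another identity
    }

    /** Mirrors validateToken: the same check, keyed by loginId / principal instead of userId. */
    boolean validateToken(String loginId, String token, String tokenType, Instant now) {
        String userId = loginToUserId.get(loginId);
        return userId != null && validateTokenByUser(userId, token, tokenType, now);
    }

    /** Mirrors renewToken: only a currently valid token can have its life extended. */
    boolean renewToken(String principal, String token, String tokenType, Instant now) {
        if (!validateToken(principal, token, tokenType, now)) return false;
        tokens.get(token).expiresAt = now.plus(tokenLife);
        return true;
    }

    /** Mirrors globalLogout: every token held by the user is revoked at once. */
    void globalLogout(String userId) {
        tokens.values().removeIf(rec -> rec.userId.equals(userId));
    }

    public static void main(String[] args) {
        Map<String, String> dir = Map.of("jdoe", "user-3000", "asmith", "user-3001");   // constructed
        TokenRegistryExample svc = new TokenRegistryExample(Duration.ofMinutes(30), dir);
        Instant t0 = Instant.parse("2024-01-15T09:00:00Z");

        String tok = svc.issueToken("user-3000", t0);
        System.out.println(svc.validateTokenByUser("user-3000", tok, OPENIAM_TOKEN, t0));   // true
        System.out.println(svc.validateTokenByUser("user-3001", tok, OPENIAM_TOKEN, t0));   // false: bound to another user
        System.out.println(svc.validateToken("jdoe", tok, "SAML2", t0));                    // false: wrong token type

        Instant t29 = t0.plus(Duration.ofMinutes(29));
        System.out.println(svc.renewToken("jdoe", tok, OPENIAM_TOKEN, t29));                // true: life extended to t0+59m
        Instant t45 = t0.plus(Duration.ofMinutes(45));
        System.out.println(svc.validateToken("jdoe", tok, OPENIAM_TOKEN, t45));             // true: would have expired without renewal

        svc.globalLogout("user-3000");
        System.out.println(svc.validateToken("jdoe", tok, OPENIAM_TOKEN, t45));             // false: revoked by global logout
        System.out.println(svc.renewToken("jdoe", tok, OPENIAM_TOKEN, t45));                // false: a revoked token cannot be renewed
    }
}
```

Because the token string carries no claims of its own, every decision (owner, expiry, revocation) is taken against the server-side record, which is what lets globalLogout take effect immediately for every application that later calls validateToken with that user's token.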
Operation Name: updateAppStatus(String managedSysId, String loginId, String status, String sessionId, String token)
Parameters:
- String managedSysId - ID of the application or managed system.
- String principalName - loginId or userPrincipal that is associated with this application or managed system.
- String status - Status of the application. Valid values:
  - APPLICATION_ERROR
  - INVALID_BROWSER
  - IDLE_TIME_OUT
  - SUSPECT_USAGE
  - APPLICATION_LOGOUT
- String sessionId - Unique Id of this session.
- String token - OpenIAM token that is being used. Token must be valid.
Return:
- void
Updates OpenIAM with a status of the application or managed system for the user specified by the loginId.
Referenced Objects
AUTHENTICATIONCONTEXT
| Field | Description |
|---|---|
| String authenticationType | Type of authentication that is to be carried out. Only used if no value is specified for a resource. |
| String resourceId | Resource for which authentication is requested. |
| String domainId | Security domain that is to be used. |
| String principal | Principal name to be authenticated. |
| String password | Password used for authentication. |
| Map<String, Object> authParamList | Map of parameters that are needed for authentication. This is used when using authentication methods other than password. |
SUBJECT
| Field | Description |
|---|---|
| String expirationTime | Time when this token expires. |
| String resultCode | Code representing the result of this authentication attempt. Valid values are listed above. |
| SAML | SAML Assertion |
| SAML Type | SSO Token Type - Valid values include: |
| String domainId | Security domain that is to be used. |
| String principal | Principal name to be authenticated. |
| String userId | OpenIAM unique id for a user. |
| SSOToken ssoToken | Object representing the security token. |
| List groups | List of groups this user belongs to. |
| List roles | List of roles this user belongs to. |
| List principals | List of principal names that are associated with this user. |