nevisadmin-plugin-authcloud

Authentication Cloud Login

Connects to the Nevis Authentication Cloud.

This step adds mobile authentication to your authentication flow.

You need an access app to use this step.

The user must be registered in your Authentication Cloud instance. You can use the Authentication Cloud Onboarding pattern for that.

When the user exists, login confirmation is requested. By default, a push notification is sent to trigger the Nevis Access App.

However, you can also show a QR code instead (see Authentication Type).

If the user is not registered or has no active authenticator, the On User Not Exists exit will be taken and no screen will be shown.

Your authentication flow should include one of the following patterns in front of this pattern:

  • nevisIDM Password Login: use when mobile authentication shall be a second factor
  • nevisIDM User Lookup: use for passwordless login

nevisAuth will connect to your Authentication Cloud instance using TLS, so the CA certificate of the endpoint needs to be trusted.

If you get an "unable to find valid certification path to requested target" error in the nevisAuth log, you have to import the CA certificate of the Authentication Cloud endpoint into the Default Backend Trust Store of the nevisAuth instance.

Authentication Type

Choose between:

  • QR code / deep link: renders a QR code which should be scanned or shows a deep link
  • push / deep link: sends a push notification to the user which tells them to check the access app or shows a deep link.

The first option is used for non-mobile browsers. The deep link is shown when using a browser on a mobile device.

On Success

Assign a step to execute after successful authentication.

If no step is configured, the flow ends and an authenticated session will be established.

This requires that the session contains an authenticated user.

A simple way to ensure that is to include nevisIDM User Lookup or nevisIDM Password Login steps in your flow.

On User Not Exists

Assign an authentication step to continue with when the user does not exist or has no active authenticator.

If no step is assigned here, the authentication flow will fail for such users.

On Abort

Assign a step to continue with when the user has aborted in the mobile app or a timeout occurred.

On Failure

Assign a step to continue with when the operation has failed due to unknown reasons.

For instance, you may assign the following steps:

  • User Information: show an error message and terminate the authentication flow.
  • nevisIDM Second Factor Selection: select an alternative second factor for authentication.

Instance

Instead of uploading an access-key.json, you can enter the name of your Authentication Cloud instance here.

Access Key

Instead of uploading an access-key.json, you can enter the access key of your Authentication Cloud instance here.

Access Key File

Upload the access-keys.json of your Authentication Cloud instance.

The file contains the instance name and an access key.

You can download this file from the NEVIS Authentication Cloud Console.

Check Integrate Authentication Cloud with nevisAdmin 4 for setup instructions.

On Skip

Assign a step to continue with when the user clicks the skip button.

A skip button will be added to the authentication screen.

Skip Element Type

The type of element which allows the user to skip this step.

The element is usually a button but may also be changed to an info text. As info elements may contain HTML you can display a link that behaves like a button.

Skip Label

Label to display on the element which allows the user to skip.

The element is usually a button but this can be changed by setting Skip Type.

Title

Enter a label to use for the title.

You can use a different standard label (e.g. title.login) or invent your own.

Translations for custom labels can be defined in the Authentication Realm / GUI Rendering / Translations.

The default label title.authcloud has the following translations:

  • en: Authenticate with Access App
  • de: Mit Access-App anmelden
  • fr: S'authentifier avec l'application Access
  • it: Autenticazione con l'app Access

Label to display on the element which allows the user to use the deep link to log in.

The element is usually a button.

Username Prefix

Optional prefix which will be added to the Authentication Cloud username.

WARNING: Changing this option means that all existing users will have to register their Access Apps again.

The Authentication Cloud username consists of the user ID and the optional Username Prefix.

The user ID is looked up from the following sources:

  • session variable ch.adnovum.nevisidm.user.extId
  • request field userId

Hash Username

Enable to use a hash (MD5) for the Authentication Cloud username.

WARNING: Changing this option means that all existing users will have to register their Access Apps again.

There are two motivations for enabling this feature:

  • the Authentication Cloud username is limited to 50 characters. Hashing makes it shorter.
  • you avoid storing sensitive user information in the Authentication Cloud instance.
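As an added illustration (not part of this plugin's documentation or code), the following Python models how the Authentication Cloud username is derived from the user ID, the optional Username Prefix and the Hash Username setting, and why changing either setting invalidates existing Access App registrations. The lookup order of the two user ID sources and the exact way prefix and hash are combined are assumptions; the page does not specify them.

```python
import hashlib
from typing import Mapping, Optional

# Length limit of an Authentication Cloud username, as stated on this page.
MAX_USERNAME_LEN = 50

SESSION_EXT_ID = "ch.adnovum.nevisidm.user.extId"  # session variable named on the page
REQUEST_USER_ID = "userId"                         # request field named on the page


def lookup_user_id(session: Mapping[str, str], request: Mapping[str, str]) -> Optional[str]:
    """Return the user ID from the two sources the page lists.

    Assumption: the session variable wins and the request field is only a
    fallback; the page lists both sources without stating an order.
    """
    return session.get(SESSION_EXT_ID) or request.get(REQUEST_USER_ID) or None


def authcloud_username(user_id: str, prefix: str = "", hash_username: bool = False) -> str:
    """Derive the Authentication Cloud username for a given user ID.

    Assumptions (not spelled out on the page): the prefix is prepended to the
    user ID, and with Hash Username enabled the MD5 hex digest of that
    prefixed value replaces it. MD5 serves here as a fixed-length identifier,
    not as a secret: it shortens the name and keeps the raw ID out of the
    cloud instance.
    """
    raw = f"{prefix}{user_id}"
    name = hashlib.md5(raw.encode("utf-8")).hexdigest() if hash_username else raw
    if len(name) > MAX_USERNAME_LEN:
        raise ValueError(f"username has {len(name)} chars, limit is {MAX_USERNAME_LEN}; "
                         "enable Hash Username or shorten the prefix")
    return name


def registration_still_valid(user_id: str, old: dict, new: dict) -> bool:
    """True only if the name derived under the new settings equals the one the
    Access App was registered with under the old settings. This is the check
    behind the page's WARNING: a changed prefix or hash setting yields a
    different name, so the existing registration no longer matches."""
    return authcloud_username(user_id, **old) == authcloud_username(user_id, **new)


if __name__ == "__main__":
    # Constructed sample data, not real identifiers.
    session = {SESSION_EXT_ID: "e1b2c3d4-0000-4000-8000-000000000001"}
    uid = lookup_user_id(session, {REQUEST_USER_ID: "ignored-when-session-set"})
    print(authcloud_username(uid, prefix="acme-"))
    print(authcloud_username(uid, prefix="acme-", hash_username=True))
    print(registration_still_valid(uid, {"prefix": "acme-"}, {"prefix": "acme-", "hash_username": True}))
```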

Proxy Server

If you have to go through a forward proxy for the outbound connection to firebase, enter the hostname:port here.

At the moment only HTTP proxy is supported.

Authentication Cloud Lookup

Connects to the Nevis Authentication Cloud.

Use this step to check if the user is active in your Authentication Cloud instance.

When the user exists and has an active authenticator, the On User Exists exit will be taken.

On User Exists

Assign an authentication step to continue with when the user exists and has an active authenticator.

On User Not Exists

Assign an authentication step to continue with when the user does not exist or has no active authenticator.

On Failure

Assign a step to continue with when the operation has failed due to unknown reasons.

For instance, you may assign the following steps:

  • User Information: show an error message and terminate the authentication flow.
  • nevisIDM Second Factor Selection: select an alternative second factor for authentication.

Instance

Instead of uploading an access-key.json, you can enter the name of your Authentication Cloud instance here.

Access Key

Instead of uploading an access-key.json, you can enter the access key of your Authentication Cloud instance here.

Access Key File

Upload the access-keys.json of your Authentication Cloud instance.

The file contains the instance name and an access key.

You can download this file from the NEVIS Authentication Cloud Console.

Check Integrate Authentication Cloud with nevisAdmin 4 for setup instructions.

Username Prefix

Optional prefix which will be added to the Authentication Cloud username.

WARNING: Changing this option means that all existing users will have to register their Access Apps again.

The Authentication Cloud username consists of the user ID and the optional Username Prefix.

The user ID is looked up from the following sources:

  • session variable ch.adnovum.nevisidm.user.extId
  • request field userId

Hash Username

Enable to use a hash (MD5) for the Authentication Cloud username.

WARNING: Changing this option means that all existing users will have to register their Access Apps again.

There are two motivations for enabling this feature:

  • the Authentication Cloud username is limited to 50 characters. Hashing makes it shorter.
  • you avoid storing sensitive user information in the Authentication Cloud instance.

Proxy Server

If you have to go through a forward proxy for the outbound connection to firebase, enter the hostname:port here.

At the moment only HTTP proxy is supported.

Authentication Cloud Onboarding

Connects to the Nevis Authentication Cloud.

This step can be used to enroll users.

You need an access app to use this step.

A QR code is shown which has to be scanned with the app.

If the user is already registered and has an active authenticator, the On User Exists exit will be taken and no screen will be shown.

Your flow should include one of the following patterns in front of this pattern:

  • nevisIDM Password Login: use when Auth Cloud shall be used as second factor
  • nevisIDM User Lookup: use for passwordless login

nevisAuth will connect to your Authentication Cloud instance using TLS and thus the CA certificate of the endpoint needs to be trusted.

If you get an "unable to find valid certification path to requested target" error in the nevisAuth log, you have to import the CA certificate of the Authentication Cloud endpoint into the Default Backend Trust Store of the nevisAuth instance.

On Success

Assign a step to execute after successful onboarding.

If no step is configured, the flow ends and an authenticated session will be established.

This requires that the session contains an authenticated user.

A simple way to ensure that is to include nevisIDM User Lookup or nevisIDM Password Login steps in your flow.

On User Exists

Assign an authentication step to continue with when the user exists and has an active authenticator.

If no step is assigned here, the authentication flow will fail for such users.

On Abort

Assign a step to continue with when the user has aborted in the mobile app or a timeout occurred.

On Failure

Assign a step to continue with when the operation has failed due to unknown reasons.

For instance, you may assign the following steps:

  • User Information: show an error message and terminate the authentication flow.
  • nevisIDM Second Factor Selection: select an alternative second factor for authentication.

Instance

Instead of uploading an access-key.json, you can enter the name of your Authentication Cloud instance here.

Access Key

Instead of uploading an access-key.json, you can enter the access key of your Authentication Cloud instance here.

Access Key File

Upload the access-keys.json of your Authentication Cloud instance.

The file contains the instance name and an access key.

You can download this file from the NEVIS Authentication Cloud Console.

Check Integrate Authentication Cloud with nevisAdmin 4 for setup instructions.

On Skip

Assign a step to continue with when the user clicks the skip button.

A skip button will be added to the authentication screen.

Skip Element Type

The type of element which allows the user to skip this step.

The element is usually a button but may also be changed to an info text. As info elements may contain HTML you can display a link that behaves like a button.

Skip Label

Label to display on the element which allows the user to skip.

The element is usually a button but this can be changed by setting Skip Type.

Title

Enter a label to use for the title.

You can use a different standard label (e.g. title.login) or invent your own.

Translations for custom labels can be defined in the Authentication Realm / GUI Rendering / Translations.

The default label title.authcloud has the following translations:

  • en: Authenticate with Access App
  • de: Mit Access-App anmelden
  • fr: S'authentifier avec l'application Access
  • it: Autenticazione con l'app Access

Label to display on the element which allows the user to use the deep link to onboard.

The element is usually a button.

Username Prefix

Optional prefix which will be added to the Authentication Cloud username.

WARNING: Changing this option means that all existing users will have to register their Access Apps again.

The Authentication Cloud username consists of the user ID and the optional Username Prefix.

The user ID is looked up from the following sources:

  • session variable ch.adnovum.nevisidm.user.extId
  • request field userId

Hash Username

Enable to use a hash (MD5) for the Authentication Cloud username.

WARNING: Changing this option means that all existing users will have to register their Access Apps again.

There are two motivations for enabling this feature:

  • the Authentication Cloud username is limited to 50 characters. Hashing makes it shorter.
  • you avoid storing sensitive user information in the Authentication Cloud instance.

Proxy Server

If you have to go through a forward proxy for the outbound connection to firebase, enter the hostname:port here.

At the moment only HTTP proxy is supported.

Onboarding Screen Button

Adds another button to the onboarding screen.

The button may have a special Button Name set to render it in a nice way using a customized Login Template.

For instance, Identity Cloud uses this mechanism to add a button which looks like a back arrow. This button takes the user to a previous step.

This is an advanced setting. Use only when you understand the concept.