nevisAuth
The nevisDetect AuthState sends authentication data to nevisDetect during the login process, as shown in Technical architecture. The following figures illustrate this.
The next figure shows the typical workflow of a login process:
It is possible to influence the above login workflow with nevisDetect. nevisDetect is integrated into such a login workflow by invoking a nevisDetect AuthState before the LoginDoneState AuthState. This ensures that only data of an authenticated user is passed on to nevisDetect. The next figure shows the above workflow enhanced by the nevisDetect AuthState ch.nevis.detect.authstate.CollectAndSendAuthState or, shorter, CollectAndSendAuthState.
The CollectAndSendAuthState AuthState returns a result condition (ResultCondition) based on the response from nevisDetect. The result condition determines how the login workflow proceeds. The next table shows the possible result conditions:
ResultCondition | Response received | Policy matched | Description |
---|---|---|---|
timeoutReadingResponse | no | NA | The AuthState has stopped waiting for a response from nevisDetect. |
error | no/yes | | An error has happened either during the request processing within nevisDetect or within the nevisDetect AuthState. |
noDataFound | yes | no | nevisDetect could not determine any risk score, due to an untrained user or missing data. |
ok | yes | no | No policy has matched. |
additionalAuthRequired | yes | yes (see Action plug-ins for details) | A policy with the action STEPUP has matched. |
block | yes | yes (see Action plug-ins for details) | A policy with the action DENY has matched. |
If you set the configuration property validateResponse of the CollectAndSendAuthState AuthState to "false", the AuthState does not wait for any response from nevisDetect but immediately returns the result condition "ok". This behavior is similar to the asynchronous communication mode for HTTP requests. Section Communication mode explains this communication mode and its counterpart, the synchronous communication mode.
The following table lists all configuration properties of the CollectAndSendAuthState AuthState:
Name | Type/unit | Default | Example | Description |
---|---|---|---|---|
validateResponse | boolean | false | true | If set to "false", the AuthState does not wait for any response from nevisDetect but immediately returns the result condition "ok". "false" is the default setting. |
brokerUri | string | | failover:ssl://nevisrdf1.zh.adnovum.ch:8282 | The JMS broker URL. Configuring the prefix failover is recommended to enable re-connecting to the broker. |
keyStoreRef | file | | /var/opt/nevisauth/default/nevisdetect/certs/nevisdetect_keystore.jks | The Java keystore file used for establishing the TLS connection to the JMS broker. |
keyStorePassword | string | | | The passphrase for the keystore. |
trustStoreRef | file | | /var/opt/nevisauth/default/nevisdetect/certs/nevisdetect_truststore.jks | The Java truststore file used for establishing the TLS connection to the JMS broker. |
trustStorePassword | string | | | The passphrase for the truststore. |
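A complete AuthState definition that wires the configuration properties and the result conditions from the two tables above together, as an added example that is not from the nevisDetect documentation. It assumes the nevisAuth esauth4.xml conventions (AuthState, ResultCond and property elements); the state name DetectRisk, the target states LoginDone (assumed to be the LoginDoneState AuthState configured elsewhere), StepUp and Blocked, the broker host name and the passphrase values are placeholders.

```xml
<!-- Added example, not from the nevisDetect documentation. Assumes the
     nevisAuth esauth4.xml conventions (AuthState / ResultCond / property).
     State names, the broker host and the passphrases are placeholders. -->
<AuthState name="DetectRisk"
           class="ch.nevis.detect.authstate.CollectAndSendAuthState"
           final="false" resumeState="false">

  <!-- One transition per ResultCondition from the table above. -->
  <ResultCond name="ok" next="LoginDone"/>                   <!-- no policy matched -->
  <ResultCond name="additionalAuthRequired" next="StepUp"/>  <!-- STEPUP policy matched -->
  <ResultCond name="block" next="Blocked"/>                  <!-- DENY policy matched -->
  <ResultCond name="noDataFound" next="LoginDone"/>          <!-- untrained user, no score -->
  <!-- Timeout and error are operational failures, not risk verdicts. Routing
       them to LoginDone fails open; routing them to Blocked fails closed.
       The fail-open choice here is an assumption of this example, not a
       product default. -->
  <ResultCond name="timeoutReadingResponse" next="LoginDone"/>
  <ResultCond name="error" next="LoginDone"/>

  <!-- Wait for the nevisDetect response. With the default "false" this state
       always returns "ok", so the StepUp and Blocked transitions above would
       never be taken and STEPUP/DENY policies would not be enforced. -->
  <property name="validateResponse" value="true"/>

  <!-- failover: prefix so the client reconnects to the broker after a drop. -->
  <property name="brokerUri" value="failover:ssl://detect-broker.example.com:8282"/>

  <!-- Mutual TLS material for the JMS connection (paths from the table above). -->
  <property name="keyStoreRef"
            value="/var/opt/nevisauth/default/nevisdetect/certs/nevisdetect_keystore.jks"/>
  <property name="keyStorePassword" value="KEYSTORE_PASSPHRASE_PLACEHOLDER"/>
  <property name="trustStoreRef"
            value="/var/opt/nevisauth/default/nevisdetect/certs/nevisdetect_truststore.jks"/>
  <property name="trustStorePassword" value="TRUSTSTORE_PASSPHRASE_PLACEHOLDER"/>
</AuthState>
```

Because DetectRisk sits in front of LoginDone, nevisDetect only receives data for a user who has already authenticated, as the text above requires.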