Skip to main content
Version: 8.2411.x.x RR

IdmCreateCredentialState

This AuthState is a processing AuthState.

This plug-in provides credential creation functionality for an already authenticated user. Currently supported credential types are ticket, mTAN, password, context password, device password, Kerberos, URL ticket, generic credential, security question, OTP, OATH, SAML federation and mobile signature. Creating credentials with property values is supported for the credential types generic credential, security question, SAML federation and mobile signature.

If the creation of the credential involves user notifications, e.g., sending the ticket via e-mail, then the notification is triggered synchronously. Therefore, if the sending failed, the result condition of the state will be "failed".

In case of security question credential, an empty credential (without answers) will be created. To create answers, use the IdmSecurityQuestionManagementState.

When the credential exists, there is the possibility to recreate (refresh) it, but this is only valid for credential types ticket, URL ticket and mTAN.

If the user already has an OTP credential, it is possible to add a second OTP card or to replace or renew the existing card. A user can have maximum two OTP cards. Therefore, if the user already has two cards, only replacing and renewing is possible. In case of renewal, a new OTP card is created and if the user already had two OTP cards, the older one will be deleted. In case of replacement, the user's OTP cards are deleted and a new one is created.

The user in question must be authenticated with a preceding Idm*-AuthState, i.e., the credential's user must be in the session.

A credential created by this AuthState is added to the credentials of the user in the session.

TopicDescription
Classch.nevis.idm.authstate.IdmCreateCredentialState
LoggingIdmAuth
Auditingnone
MarkerNevisIDM:mutation
Propertiescred.type (String, -)
Mandatory. Defines the credential type. Allowed values: ticket, mTan, password, context_password, kerberos, generic, url_ticket, saml_federation, security_questions, otp, oath.
cred.state (String, INITIAL)
Optional. State of credential, e.g., INITIAL, ACTIVE, DISABLED. The default should be okay for most use cases.
cred.value (String, -)
Optional. The value of the credential. For tickets and OTP cards, the value is generated by nevisIDM. For password and context password, the value is only generated by nevisIDM if this field is not configured; otherwise, the configured value is used. For device password, it is mandatory to set. mTAN credentials do not have any value.
cred.policyName (String, -)
Optional. The policy to be used for the credential. If the policy is not given, the default policy of the underlying credential type will be used.
cred.stateChangeReasonCd (Integer, -)
Optional. Defines the state change reason code. In case of OTP card replacement or renewal, setting the stateChangeReasonCd is not supported.
cred.stateChangeReasonDetail (String, -)
Optional. Detail information for the state change.
cred.name (String, -)
Optional. The name of the credential. This attribute is usually not used and can be left empty. For OTP cards, the name cannot be set because it will be generated.
cred.context (String, -)
Optional. It is mandatory for context password and OATH credentials. For the other credential types, it must be empty.
cred.modificationComment (String, -)
Optional. The modification comment that will be used upon the creation or update of the credential.
cred.urlPrefix (String, -)
Optional. The urlPrefix is used to create URL ticket credentials. It defines the prefix of the "personalized link" that will be sent to the user. If the parameter is not set, the urlPrefix defined in the URL ticket policy will be taken.
cred.msisdn (String, -)
Optional. The MSISDN is the mobile number attribute needed to create a mobile signature credential.
cred.identificator (String, -)
Optional. The identificator is the technical identification of a mobile signature credential. The attribute is needed to create a mobile signature credential.
cred.msspIdentifier (String, -)
Optional. The msspIdentifier is the mobile signature service provider's URL, to be stored in the mobile signature credential. If nothing is specified, the default from the corresponding mobile signature policy will be applied.
cred.signerCert (String, -)
Optional. When creating a mobile signature credential, the optional "signerCert" can be supplied. This is especially useful for the case when we do not trust the validation executed by the mobile signature service provider.
cred.issuerNameId (String, -)
Optional. Issuer Name ID of a SAML federation credential. The attribute is mandatory to create a SAML federation credential.
cred.subjectNameId (String, -)
Optional. Subject Name ID of a SAML federation credential. The attribute is mandatory to create a SAML federation credential.
cred.issuerNameIdFormat (String, -)
Optional. URI of the Issuer Name ID format of a SAML federation credential. If the attribute is not set, the default value set in the SAML federation policy will be used.
cred.subjectNameIdFormat (String, -)
Optional. URI of the Subject Name ID format of a SAML federation credential. If the attribute is not set, the default value set in the SAML federation policy will be used. SAML federation credential.
cred.property.* (String, -)
Define credential properties. After the prefix, the name of the property should be set. Properties with the scopes onCredentialGenericGlobal, onMobileSignatureGlobal and onSamlFederationGlobal are supported.
Example: cred.property.CREDENTIAL_PROPERTY
cred.property.mandatory (String, -)
Comma-separated list of mandatory credential properties. If the input field remains empty, inputMissing transition will be generated. Only properties that have been defined explicitly with cred.property.* can be classified as mandatory.
cred.property.optional (String, -)
Comma-separated list of optional credential properties. Only properties that have been defined explicitly with cred.property.* can be classified as optional.
recreateIfExists (boolean, false)
Optional. If "true", IdmCreateCredentialState overwrites the existing credential of the same type. The parameter can only be used in combination with the credential types mTAN, URL ticket and ticket.
operationIfExists (enum(ADD,REPLACE,FAIL), FAIL)
ADD: adds a new credential of this type. Currently only supported for generic credential, context password, device password and SAML federation credentials;
REPLACE: corresponds to legacy recreateIfExists=true;
FAIL: corresponds to legacy recreateIfExists=false
RENEW: initiate OTP card renewal. Only supported for OTP credentials. The default is operationIfExists=FAIL, which corresponds to recreateIfExists=false
addPolicyViolationsToNotes (boolean, false)* If "true" and the to-be-created credential's type is "PASSWORD", adds policyViolations to AuthState outgoing notes.
Inputnone
Transitionsok: if credential successfully created or recreated.
failed: if error occurred or credential exists while recreateIfExists was false and credentialExists transition was not configured. Or if the notification event, e.g., sending an e-mail to the user with the ticket, failed.
credentialExists: credential exists while recreateIfExists was false.
clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available.
inputMissing: If the value of a mandatory property is not set, inputMissing transition will be generated.
Outputcredential.id: External ID of the created credential
Errorsnone
Notesnone

Example

<AuthState name="SampleCreateCred"
class="ch.nevis.idm.authstate.IdmCreateCredentialState" final="false">
<ResultCond name="ok" next="IdmPostProcessing"/>
<ResultCond name="failed" next="IdmUserIdPasswordLogin"/>
<ResultCond name="credentialExists"
next="IdmUserIdPasswordLogin"/>
<Response value="AUTH_CONTINUE">
<Gui name="NoName"/>
</Response>
<property name="cred.type" value="ticket"/>
<property name="cred.modificationComment" value="ticket blabla"/>
<property name="recreateIfExists" value="false"/>
</AuthState>