IdmCredStatusCheckState
Overview
The IdmCredStatusCheckState AuthState is a processing AuthState.
This plug-in can update the login information for a credential or just check the status of this credential without updating anything.
If the AuthState only checks the credentials, the check will be successful if the "singleCredential" parameter is true or the user has only one credential with the configured type, and the state of the credential is ACTIVE or INITIAL. If the "singleCredential" parameter is false and the user has more credentials with the configured type, the check will be successful depending on the state of the credentials and whether the AuthState is in strict mode or not. In not-strict mode, the check will be passed if at least one of the credentials is active.
If the credential check fails, the AuthState will return the transition corresponding to the "lowest" non-active state: tmpLocked < locked < expired < disabled < archived.
Examples:
- if the user has three credentials with the states "temporarily locked", "locked" and "disabled", respectively, the AuthState will return the transition corresponding to the state "temporarily locked".
- if the user has two credentials with the states "locked" and "archived", respectively, the AuthState will return the transition corresponding to the state "locked".
- if the user has three credentials with the states "active", "locked" and "disabled", respectively, in strict mode, the AuthState will return the transition corresponding to the state "locked". In not-strict mode, the AuthState will return the transition "ok".
Before the AuthState updates the login info of the credentials, it always performs the check described above. If the check fails, the login info of the credentials will not be updated and the AuthState returns the result of the check. If the check was successful, the update can happen in two ways: update on success and update on failure.
Update on success
If the "singleCredential" parameter is true or the user has only active credentials with the configured type, the login info of the credentials will be updated.
If the user has active as well as non-active credentials, in strict mode, the credential check will fail and the login info of the credentials will not be updated. In not-strict mode, the login info of the active credentials will be updated. The non-active credentials will be ignored.
If the user has only non-active credentials, the login info of the credentials will not be updated. The AuthState will return the result of the credential check.
Update on failure
If the "singleCredential" parameter is true or the user has only active credentials with the configured type, the login info of the credentials will be updated. The returned transition depends on the credential's state after the update. If the credentials are still active, the state returns transition "loginFailure". If any of the credentials got locked or temporarily locked after the update, the AuthState will return the transition corresponding to the credential's state.
If the user has active as well as non-active credentials, in strict mode, the credential check will fail and the login info of the credentials will not be updated. In not-strict mode, the login info of the active credentials will be updated. The non-active credentials will be ignored. The returned transition depends on the state of the updated credentials after the update.
If the user has only non-active credentials, the login info of the credentials will not be updated. The AuthState will return the result of the credential check.
FIDO UAF Credential
You can also use the IdmCredStatusCheckState to check if the user has any active FIDO credential. If so, the user is redirected to trigger a Mobile Authentication flow.
The recommended setting in this scenario is to set all the following properties to "false":
- updateLoginState,
- incrementFailureCounter,
- singleCredential,
- strictMode, and
- initialAllowed.
For more details and a complete configuration example, see the Nevis Mobile Authentication: Concept and Integration Guide ❯ Nevis Component Configuration Examples.
Description
The next table describes the IdmCredStatusCheckState AuthState,
| Topic | Description |
|---|---|
| Class | ch.nevis.idm.authstate.IdmCredStatusCheckState |
| Logging | IdmAuth |
| Auditing | none |
| Properties | credentialType (String, -) Mandatory. Defines the credential type. Supported values are: GENERIC, KERBEROS, MTAN, URL_TICKET, TICKET, PASSWORD, CONTEXT_PASSWORD, TEMP_STRONG_PASSWORD, PUK, MOBILE_SIGNATURE, FIDO_UAF, SAML_FEDERATION, SECURITY_QUESTIONS,SAFEWORD_ACCOUNT* and SECURID_ACCOUNT*. |
| loginFailureCondition (String, -) Expression, like in ConditionalDispatcherState | |
| loginSuccessCondition (String, -) Expression, like in ConditionalDispatcherState | |
| updateLoginState (boolean, true) If false, plug-in will only check the status of the configured credential | |
| incrementFailureCounter (boolean, true) It affects only the behavior of an update on failure. The failure counter of the credential will be incremented if set. | |
| singleCredential (boolean, true) When false, it updates all credentials of configured type of the user in session | |
| strictMode (boolean, true) Determines if the auth state is in strict mode. The auth state behaves differently in strict mode only if the user has multiple credentials with the configured type and not all of the credentials are active. If the user has only one or only active credentials, there is no difference between strict and not-strict mode. | |
| initialAllowed (boolean, true) When false, it will not consider the credential as an active one and will result a failed transition. | |
| Methods | process (all events) |
| Input | none |
| Transitions | ok: if updateLoginState is false and the credential check is passed |
| failed: If the credential check fails and the state of the non-active credential or credentials is disabled or archived. Also a failed transition will be the result if the initialAllowed property is set to false and if the credential check fails and the state of the credential or credentials is initial. | |
| noCredential: User does not have a credential of the configured credential type. | |
| tmpLocked: If the credential check fails and the user has at least one temporarily locked credential, or if the credentials were updated for failure and at least one of the updated credentials got temporarily locked. | |
| locked: If the credential check fails and the user has at least one locked or expired credential, but he does not have any temporarily locked credentials, or if the credentials were updated for failure and at least one of the updated credentials got locked, but none of them got temporarily locked. | |
loginSuccess: Credential login info update succeed after a <successful> transition (loginSuccessCondition matched) | |
loginFailure: Credential login info update succeed after a <failed> transition (loginFailureCondition matched) | |
| clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available. | |
| Output | none |
| Errors | none |
| Notes | none |
Example
<AuthState name="UpdateCredential"
class="ch.nevis.idm.authstate.IdmCredStatusCheckState" final="false">
<ResultCond name="loginSuccess"
next="CheckParticipantActivatedRole"/>
<ResultCond name="loginFailure"
next="CheckPARoleBeforeActivation"/>
<ResultCond name="noCredential" next="LockedActivationInfoFinal"/>
<ResultCond name="failed" next="LockedActivationInfoFinal"/>
<ResultCond name="locked" next="LockedActivationInfoFinal"/>
<ResultCond name="tmpLocked" next="LockedActivationInfoFinal" />
<Response value="AUTH_ERROR" />
<property name="credentialType" value="GENERIC"/>
<property name="loginFailureCondition"
value="${sess:loginState:failed}"/>
<property name="loginSuccessCondition"
value="${sess:loginState:ok}"/>
<property name="singleCredential" value="false"/>
<property name="incrementFailureCounter" value="true"/>
</AuthState>