Version: 8.2411.x.x RR

IdmGetPropertiesState

This AuthState is a processing AuthState.

This plug-in is used as post-processing after other nevisIDM login steps to retrieve the user's profile information and roles from nevisIDM and return them as delegation and security role information to the caller (access proxy).

Topic: Description
Class: ch.nevis.idm.authstate.IdmGetPropertiesState
Logging: IdmAuth
Auditing: None
Marker: NevisIDM:selection
Properties:
user.attributes (string, -) Comma-separated list of user attributes to fetch, where attributes can be (sorted by required user detail level):
  • detail level LOW: loginId, extId, state, clientExtId, clientName, validFrom, validTo
  • detail level MEDIUM: lastLogin, lastLoginFailure, firstName, name, remarks, sex, gender, birthDate, title, telephone, email, telefax, mobile, addressLine1, addressLine2, postalCode, city, country, street, houseNumber, dwellingNumber, postOfficeBoxNumber, postOfficeBoxText, locality, language
  • detail level HIGH: ctlCreDat, ctlCreUid, ctlModDat, ctlModUid
user.properties (string, -) Comma-separated list of user properties (scope onUserGlobal) to fetch. The property name must be defined exactly as in nevisIDM. Otherwise, the property value will never be written into the session. The required minimum detail levels for properties are detaillevel.user MEDIUM and detaillevel.property MEDIUM.
user.cred.<credentialtype>.attributename (boolean, -) Defines which credential attributes to fetch.
The following attributes are supported: value, state, extId, validFrom, validTo, lastLogin, name, policyName
And these credential types are supported: password, securid_account, ticket, safeword_account, otp, temp_string_password, kerberos, mtan, mobile_signature, saml_federation
user.cred.certificateN.attributename (boolean, -) Define which certificate attribute to fetch, where N is the number of the certificate (1, 2, …).
The attribute name can be: value, state, extId, validFrom, validTo, lastLogin, name
user.cred.genericN.attributename (boolean, -) Define which generic credential attribute to fetch, where N is the number of the generic credential (1, 2, …).
The attributename can be: value, state, extId, validFrom, validTo
user.cred.context_passwordN.attributename (boolean, -) Define which context password credential attribute to fetch, where N is the number of the context password (1, 2, …).
The attributename can be: context, value, state, extId, validFrom, validTo
user.cred.mobile_signature.<attributename> (boolean, -) Define which mobile signature credential attribute to fetch, where attributename can be: msspIdentifier, identificator, signerCert
user.cred.saml_federationN.<attributename> (boolean, -) Define which SAML federation credential attribute to fetch, where N is the number of the SAML federation credential (1, 2, …).
The attribute name can be: issuerNameId, subjectNameId, issuerNameIdFormat, subjectNameIdFormat, value, state, extId, validFrom, validTo
unit.attributes (string, -) Comma-separated list of unit attributes to fetch, where attributes can be (sorted by required unit detail level):
  • detail level LOW: extId, state, name
  • detail level MEDIUM: displayName, displayAbbreviation, location, description, hname, localizedHname
  • detail level HIGH: ctlCreDat, ctlCreUid, ctlModDat, ctlModUid
unit.properties (string, -) Comma-separated list of unit properties (scope onUnitGlobal) to fetch. The property name must be exactly as defined in nevisIDM. Otherwise, the property value will never be written into the session. The required minimum detail levels for properties are detaillevel.unit MEDIUM and detaillevel.property MEDIUM.
chooseProfileFromSession (string, "ch.adnovum.nevisidm.profileId") Gets the profile ID from the session. If it is not set, the ID will be extracted from the inArgs with the following key: ch.nevis.idm.auth.chosenProfileId
applRoleGlobalPostfix (string, "") Used for backward compatibility by modifying global roles.
forceDataReload (boolean, false) If set to "true", IdmGetPropertiesState will reload the complete user object including its sub-objects from nevisIDM before writing user data into the session.
chooseDefaultProfile (boolean, false) If set to "true", IdmGetPropertiesState automatically chooses the user's default profile instead of showing the profile selection GUI.
detaillevel.{*}: as specified in the chapter Transitions shared among all nevisIDM AuthStates
Properties (impersonation):
If any of the impersonated properties are set, IdmGetPropertiesState operates in "impersonation mode". The current user on the session is the impersonator who will act on behalf of the impersonated user. After this state, the impersonated user is the one logged in on the current session.
Using impersonation mode forces forceDataReload to be true. See the nevisIDM reference guide for the specification of technical users and role impersonation.
Impersonated properties:
  • impersonatedUserId (string, -): Unique identifier of the impersonated end user.
  • impersonatedLoginId (string, -): LoginId of the impersonated end user.
  • impersonatedClientName (string, -): Mandatory name of the impersonated user. Specify either this property or the impersonatedClientId property.
  • impersonatedClientId (string, -): Unique identifier of the client of the impersonated user.
Input: None
Transitions:
ok: Profile extracted, transition to AuthDone expected.
default: No user authenticated, ignore profile extraction.
clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available.
showGui: Profile could not be extracted because the user has multiple active profiles and chooseProfileFromSession, chooseDefaultProfile are not set. Therefore a dialog to select a profile is shown.
Output:
ch.adnovum.nevisidm.userDto: Will be updated if IdmGetPropertiesState has to retrieve the data from nevisIDM again. Possible reasons for re-retrieval of data: property "forceDataReload=true", impersonation use case, or if IdmGetPropertiesState detects that the current DTO data in the session was retrieved with a detail level lower than the one IdmGetPropertiesState requires to set all the configured entity attributes and properties in the session.
ch.adnovum.nevisidm.clientName: Mandator name of the user.
ch.adnovum.nevisidm.clientId: Unique identifier of the client.
ch.adnovum.nevisidm.profileName: Account name of the user.
ch.adnovum.nevisidm.profileId: Unique identifier of the profile.
ch.adnovum.nevisidm.profileDeputedId: Unique identifier of the deputed profile if the actual profile is a deputy profile (not set if profile is not a deputy profile).
The following profile properties are written to the session:
  • ch.nevis.idm.prof.<propertyName>: Properties of the scope PROFILE_GLOBAL for the selected profile.
  • ch.nevis.idm.prof.<scopeName>.<propertyName>: Properties of the scope PROFILE_GLOBAL for the selected profile. <scopeName> stands for <applicationName>.<roleName>.
  • ch.nevis.idm.role.<applicationName>.<roleName>.<propertyName>: Properties of the scope ROLE_FOR_APP for the roles of the selected profile.
property.<application>.{*}: All the user's custom application delegation properties are returned here.
property.<role>.{*}: All the user's custom role delegation properties are returned here.
Sets the following key/value pairs in the session depending on which attribute has been selected in the config:
  • ch.nevis.idm.User.attributename: user attribute values
  • ch.nevis.idm.User.prop.propertyName: user properties values (nevisIDM property scope: onUserGlobal)
  • ch.nevis.idm.User.unit.attributename: attributes of the user's unit
  • ch.nevis.idm.User.unit.propertyName: properties of the user's unit (onUnitGlobal)
  • ch.nevis.idm.User.cred.credentialtype.attributename: credential attribute values
  • ch.nevis.idm.User.cred.certificateN.attributename: certificate attribute values
  • ch.nevis.idm.User.cred.mobile_signature.mobile_signature_attributename: mobile signature-specific attributes
  • ch.nevis.idm.User.cred.genericN.attributename: generic credential attribute values
  • ch.nevis.idm.User.cred.saml_federationN.attributename: SAML federation credential attribute values
Example:
If the following config is set:
  • <property name="user.attributes" value="mobile,email" />
  • <property name="user.properties" value="myUserGlobalProperty" />
  • <property name="user.cred.kerberos.extId" value="true" />
  • <property name="user.cred.certificate1.value" value="true" />
  • <property name="user.cred.mobile_signature.identificator" value="true" />
  • <property name="user.cred.saml_federation1.issuerNameId" value="true" />
then the retrieved values could be accessed in the session using the following keys:
  • ch.nevis.idm.User.mobile
  • ch.nevis.idm.User.email
  • ch.nevis.idm.User.prop.myUserGlobalProperty
  • ch.nevis.idm.User.cred.kerberos.extId
  • ch.nevis.idm.User.certificate1.value
  • ch.nevis.idm.User.cred.mobile_signature.identificator
  • ch.nevis.idm.User.saml_federation1.issuerNameId
Properties that are only set if the IdmGetPropertiesState operates in impersonation mode:
  • ch.adnovum.nevisidm.impersonator.userId: The userId of the impersonator.
  • ch.adnovum.nevisidm.impersonator.loginId: Unique identifier of the impersonator.
  • ch.adnovum.nevisidm.impersonator.clientName: Mandatory name of the impersonator.
  • ch.adnovum.nevisidm.impersonator.clientId: Unique identifier of the client of the impersonator.
Errors: None
Notes: None

Example

<AuthState name="IdmPostProcessing" final="false"
           class="ch.nevis.idm.authstate.IdmGetPropertiesState">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="showGui" next="IdmPostProcessing"/>
    <ResultCond name="SOAP:showGui" next="AuthDone"/>
    <ResultCond name="default" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
        <Gui name="AuthProfileSelectionDialog">
            <GuiElem name="lasterror" type="error"
                     label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
    </Response>
    <propertyRef name="IdmCertificateLogin"/>
</AuthState>
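
A configuration review check for this AuthState, as an added example (not part of the Nevis documentation or product code): it derives the minimum user detail level from the configured user.attributes using the lists above, reports attribute names that are not in those lists, and lists credential `value` attributes and impersonation properties that are switched on. The `audit` function, its report keys and the sample configuration are assumptions constructed for this example; treating credential `value` fetches as review items is this example's heuristic.

```python
import xml.etree.ElementTree as ET
# user.attributes names per required detail level, copied from the list on this page.
USER_LEVELS = {
    "LOW": "loginId extId state clientExtId clientName validFrom validTo",
    "MEDIUM": "lastLogin lastLoginFailure firstName name remarks sex gender birthDate title telephone email telefax mobile "
              "addressLine1 addressLine2 postalCode city country street houseNumber dwellingNumber postOfficeBoxNumber postOfficeBoxText locality language",
    "HIGH": "ctlCreDat ctlCreUid ctlModDat ctlModUid",
}
ORDER = ["LOW", "MEDIUM", "HIGH"]
IMPERSONATION = set("impersonatedUserId impersonatedLoginId impersonatedClientName impersonatedClientId".split())
STATE_CLASS = "ch.nevis.idm.authstate.IdmGetPropertiesState"

# Constructed sample configuration ("emial" is a deliberate typo).
SAMPLE = """<AuthState name="IdmPostProcessing" class="ch.nevis.idm.authstate.IdmGetPropertiesState">
  <property name="user.attributes" value="loginId, mobile, emial"/>
  <property name="user.properties" value="myUserGlobalProperty"/>
  <property name="user.cred.kerberos.extId" value="true"/>
  <property name="user.cred.certificate1.value" value="true"/>
</AuthState>"""

def audit(xml_text):
    """Return one report per IdmGetPropertiesState: detail level, unknown names, session-bound credential values."""
    reports = []
    for state in ET.fromstring(xml_text).iter("AuthState"):
        if state.get("class") != STATE_CLASS:
            continue
        props = {p.get("name"): p.get("value", "") for p in state.findall("property") if p.get("name")}
        level, unknown = "LOW", []
        for attr in filter(None, map(str.strip, props.get("user.attributes", "").split(","))):
            found = next((lv for lv in ORDER if attr in USER_LEVELS[lv].split()), None)
            if found is None:
                unknown.append(attr)          # not in the attribute lists on this page
            elif ORDER.index(found) > ORDER.index(level):
                level = found
        if props.get("user.properties") and level == "LOW":
            level = "MEDIUM"                  # properties need detaillevel.user MEDIUM
        reports.append({
            "name": state.get("name"),
            "min_user_detail_level": level,
            "unknown_user_attributes": unknown,
            "credential_values_in_session": sorted(
                n for n, v in props.items() if n.startswith("user.cred.") and n.endswith(".value") and v.strip().lower() == "true"),
            "impersonation_properties": sorted(IMPERSONATION.intersection(props)),
        })
    return reports

if __name__ == "__main__":
    print(audit(SAMPLE))
```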