Skip to main content
Version: 8.2411.x.x RR

IdmX509State

This AuthState is an authenticating AuthState.

This plug-in is used to look up a user by the client certificate sent to and trusted by the access proxy. The user must have a registered certificate in nevisIDM.

Do not use the IdmX509State without trusting the certificate, this state expects that the certificate is valid and trusted.

TopicDescription
Classch.nevis.idm.authstate.IdmX509State
LoggingIdmAuth
Auditingnone
MarkerNevisIDM:token
Propertiesclient.name (defined in the chapter "Default input properties")
user.certificate (string, "${request:clientCertAsString}") The source of the user's client certificate.
automatic.credential.update (boolean, true) Controls the update of login information after successful certificate verification. If set to true, the last login timestamp is written into the database. If set to false, the credential update is skipped (only use if the credential is updated in a later state anyway).
detaillevel.:* as specified in the Transitions shared among all nevisIDM AuthStates.
Methodsauthenticatestepup
Inputnone
Transitionsok: Authentication successful
locked: The credential in nevisIDM is locked.
disabled: All users with this certificate are disabled, no login possible.
failed: Authentication failed, i.e., the user does not have the corresponding certificate.
chooseClient: The certificate is mapped to multiple users in different mandators. This transition can be handled by this state itself by displaying a list of clients to select from.
clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available.
Outputnone
Errors
  • 1: account deleted or non-existent
  • 1: user has no certificates
  • 1: no certificate in request (caller does not send a client certificate)
  • 1: client does not match previous authentication
  • 8: account was locked already
  • 8: account is temporarily locked
  • 98: account or password disabled by admin
  • 98: account or password is not yet active
  • 98: credential expired
Notesuserid

Example

<AuthState name="IdmCertificateLogin"
class="ch.nevis.idm.authstate.IdmX509State"
final="false">
<ResultCond name="ok" next="IdmPostProcessingStrong"/>
<ResultCond name="chooseClient" next="IdmCertificateLogin" />
<ResultCond name="wrongClient" next="IdmUserIdPasswordLogin"
startOver="true"/>
<ResultCond name="disabled" next="IdmUserIdPasswordLogin"
startOver="true"/>
<ResultCond name="locked" next="IdmUserIdPasswordLogin"
startOver="true"/>
<ResultCond name="failed" next="IdmUserIdPasswordLogin"
startOver="true"/>
<Response value="AUTH_CONTINUE">
<Gui name="AuthChooseClientDialog" label="login.cert.label">
<GuiElem name="lasterror" type="error"
label="${notes:lasterrorinfo}"
value="${notes:lasterror}"/>
<GuiElem name="info" type="info" label="error_11"/>
</Gui>
</Response>
<property name="login.service.connection.1"
value="https://localhost:8989/nevisidm/services/v1/AdminService" />
</AuthState>