Version: 2.75.x.x LTS

IdmURLTicketVerifyState

This AuthState is an authenticating AuthState.

This plug-in provides URL ticket authentication. The URL ticket is part of a personalized link. This state gets the URLTicket parameter from the link and passes it to nevisIDM.

Topic: Description
Class: ch.nevis.idm.authstate.IdmURLTicketVerifyState
Logging: IdmAuth
Auditing: none
Marker: NevisIDM:one-time-password
Properties:
client.name (string, "${inargs:client}") In a multi-client (tenant) setup, a user with a certificate registered in multiple clients needs to select the client to select the correct account. AuthState Fallbacks:
  • "${sess:ch.adnovum.nevisidm.user.clientName}"
  • "${inargs:Client}"
  • "${notes:client}"
  • The client name is taken from the user.loginid property if it is in the form clientname/loginId.
user.ticket (string, ${inargs:x}) The source of the URLTicket parameter. It is optional. If it is not set, the auth state will get the URLTicket parameter from the "${inargs:x}" parameter.
user.loginid (string, ${inargs:x}) The source of the loginId parameter. It is optional. If it is not set, it will be parsed from the URLTicket parameter.
Methods: authenticate
Input: The request parameter that contains the URLTicket parameter. It depends on the value of the user.ticket property. If user.ticket=${inargs:myURLTicketSource}, the request parameter that contains the URL ticket will be "myURLTicketSource".
Example URL: https://<host_url>?**myURLTicketSource**=Npw6Cm78WupusGwelmLx0LeujLwWh1RfOmJIlSRo6P6h5maGfKlR5‑rK7i_nR7_QqaLI8SgNyqmCKdmjnFylBA
If the user.ticket property is not set, the "x" input parameter will be used as default.
Example URL: https://<host_url>?**x**=Npw6Cm78WupusGwelmLx0LeujLwWh1RfOmJIlSRo6P6h5maGfKlR5‑rK7i_nR7_QqaLI8SgNyqmCKdmjnFylBA
The request parameter has to be the same as configured in the urlPrefix parameter when the URL ticket was created. The urlPrefix parameter can be set in the URLTicket policy configuration (see the chapter "URL ticket") or in the IdmCreateCredentialState AuthState (see the chapter "IdmCreateCredentialState").
Transitions:
ok: Authentication was successful. The user has a valid URL ticket credential and the URL ticket matches this credential.
failed: Authentication failed. The following use cases can lead to failed authentication:
  • The URL ticket was not correct. Error code and detail: 1 - "authentication failed"
  • The user does not have a URL ticket credential. Error code and detail: 98 - "account/credential deleted or non-existent"
  • The user has an inactive URL ticket credential. Error code and detail: 98 - "account/credential disabled by admin"
  • The user is inactive. Error code and detail: 98 - "user disabled, archived, not valid anymore or not yet valid"
tmpLocked: The URL ticket credential is temporarily locked. Error code and detail: 8 - "credential is temporarily locked"
lockWarn: Last try to login, next failure will lock the URL ticket credential. Error code and detail: 3 - "will lock on next failure"
nowLocked: The last try failed, the URL ticket credential was locked in this step. Error code and detail: 8 - "just locked"
locked: The URL ticket credential in nevisIDM is locked or expired.
  • The credential is locked: Error code and detail: 8 - "credential is permanently locked"
  • The credential is expired: Error code and detail: 98 - "credential has expired"
Output: none
Errors:
  • 1: authentication failed
  • 3: will lock on next failure
  • 8: just locked
  • 8: just temporarily locked
  • 8: credential is temporarily locked
  • 8: credential is permanently locked
  • 98: account/credential disabled by admin
  • 98: account/credential deleted or non-existent
  • 98: user disabled, archived, not valid anymore, or not yet valid.
  • 98: credential has expired
Notes: userid

Example

<AuthState name="VerifyURLTicket" final="false"
           class="ch.nevis.idm.authstate.IdmURLTicketVerifyState">
    <ResultCond name="ok" next="URLTicketSuccess"
                authLevel="auth.weak"/>
    <ResultCond name="tmpLocked" next="URLTicketTmpLocked"/>
    <ResultCond name="lockWarn" next="URLTicketLoginLockWarn"/>
    <ResultCond name="nowLocked" next="URLTicketNowLocked"/>
    <ResultCond name="locked" next="URLTicketLocked"/>
    <ResultCond name="failed" next="URLTicketFailed"/>
    <Response value="AUTH_CONTINUE">
        <Gui name="NoGui"/>
    </Response>
    <propertyRef name="IdmCertificateLogin"/>
</AuthState>
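
A configuration check for two requirements from the table above: every documented transition has a ResultCond, and the request parameter the state reads matches the one in urlPrefix. This is an added example, not part of the nevisIDM documentation or product. It assumes properties are written as `<property name="..." value="..."/>` children and that urlPrefix ends in `?<param>=` or `&<param>=`; the `lint` and `ticket_param` helpers, the `<Domain>` wrapper and the host name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# Transitions listed in the table above.
TRANSITIONS = {"ok", "failed", "tmpLocked", "lockWarn", "nowLocked", "locked"}
CLASS = "ch.nevis.idm.authstate.IdmURLTicketVerifyState"

def ticket_param(state):
    """Request parameter holding the ticket; "x" when user.ticket is not set."""
    for prop in state.findall("property"):
        if prop.get("name") == "user.ticket":
            m = re.fullmatch(r"\$\{inargs:([^}]+)\}", prop.get("value", ""))
            return m.group(1) if m else None  # None: source is not a request parameter
    return "x"

def lint(config_xml, url_prefix):
    """Return a list of findings for every IdmURLTicketVerifyState in config_xml."""
    findings = []
    for state in ET.fromstring(config_xml).iter("AuthState"):
        if state.get("class") != CLASS:
            continue
        name = state.get("name")
        wired = {rc.get("name") for rc in state.findall("ResultCond")}
        for missing in sorted(TRANSITIONS - wired):
            findings.append(f"{name}: no ResultCond for '{missing}'")
        param = ticket_param(state)
        # Assumption: urlPrefix ends in "?<param>=" or "&<param>=" and the ticket is appended to it.
        query = parse_qsl(urlsplit(url_prefix).query, keep_blank_values=True)
        last = query[-1][0] if query else None
        if param is not None and last != param:
            findings.append(f"{name}: state reads '{param}' but urlPrefix ends with '{last}'")
    return findings

# Constructed sample: 'locked' is not wired and the parameter names differ.
SAMPLE = """<Domain>
  <AuthState name="VerifyURLTicket" class="ch.nevis.idm.authstate.IdmURLTicketVerifyState" final="false">
    <ResultCond name="ok" next="URLTicketSuccess" authLevel="auth.weak"/>
    <ResultCond name="failed" next="URLTicketFailed"/>
    <ResultCond name="tmpLocked" next="URLTicketTmpLocked"/>
    <ResultCond name="lockWarn" next="URLTicketLoginLockWarn"/>
    <ResultCond name="nowLocked" next="URLTicketNowLocked"/>
    <property name="user.ticket" value="${inargs:myURLTicketSource}"/>
  </AuthState>
</Domain>"""

if __name__ == "__main__":
    for finding in lint(SAMPLE, "https://idm.example.com/login?x="):
        print(finding)
```

Properties pulled in through a propertyRef are not resolved by this check, so a user.ticket value defined there has to be inlined or checked separately.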