External credentials
In the case of external credentials, the authentication information is not stored in nevisIDM but in another system, e.g., an Active Directory. To map the authentication information to a nevisIDM user, the following credential types have been defined.
Kerberos
Kerberos credentials are used for mapping. nevisAuth handles the authentication. If it is successful, nevisAuth receives the security account manager (SAM) account (<windows-user-login-ID>@<windows-domain>) that is stored on the Kerberos credential. Finally, nevisAuth uses the SAM account to look for the user in nevisIDM.
SecurID
In the case of SecurID authentication, nevisIDM is only used for the mapping of the user's name to the SecurID user name. The authentication as such is performed in a proprietary back end.
Safeword
See the chapter SecurID.
mTAN
This credential type is used for SMS authentication. During the authentication process, the user receives an SMS on his mobile, containing a one-time password that has to be used for the login. The mobile number of the user may be retrieved from nevisIDM (the mobile attribute of the user entity), or returned in the context field.
[The table] lists all mTAN policy parameters.
Generic credential
A generic credential can be used for any kind of mapping between (usually external) credentials and nevisIDM users. The Kerberos credential, for example, is basically a "pre-labelled" generic credential.
[The table] lists all generic credential policy parameters.
Mobile signature
Mobile signature credentials are two-factor credentials. The user must have access to his mobile phone and know the PIN to allow a SIM-card-based application to sign the authentication requests sent by the MSSP (mobile signature service provider).
The validation of the signature of the response can be done by various components: currently it is the MSSP, later it could be the nevisAuth AuthState or even nevisIDM. If the signature is valid, the authentication was successful. [The table] lists all mobile signature attributes. [The table] contains all mobile signature policy parameters.
SAML federation
SAML federation credentials link a nevisIDM user with an identity managed by an identity provider, who is able to assert the subject's identity through the issuance of a SAML assertion. A nevisIDM user may have zero, one or more SAML federation credentials.
A SAML federation credential is unique in its subject's nameID and its issuer's nameID.
This credential respects the SAML 2.0 standard from OASIS (see http://saml.xml.org/saml-specifications), but it is not designed to fully implement it. [The table] lists all SAML federation attributes. [The table] contains all SAML federation policy parameters.
FIDO UAF
This credential type respects the FIDO Universal Authentication Framework protocol, which describes a passwordless login experience. The FIDO UAF credential can also be used as a second factor or for mobile authentication. A nevisIDM user may have zero, one or more FIDO UAF credentials.
A FIDO UAF credential is unique in the combination of its authenticator attestation identifier and its key identifier.
The standard describes multiple flows and variants; we recommend reading the FIDO specification (see http://fidoalliance.org/download/).
[The table] lists all FIDO UAF attributes.
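The mapping rules stated above for Kerberos, SAML federation and FIDO UAF credentials, as an added illustration (not nevisIDM code): each credential type is keyed on the identifiers the text names as unique, so that a SAML subject seen from two different issuers or two FIDO keys with the same authenticator attestation identifier never collapse into one mapping. The class and function names are hypothetical, and the identifier values are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class KerberosCredential:
    sam_account: str  # <windows-user-login-ID>@<windows-domain>

@dataclass(frozen=True)
class SamlFederationCredential:
    subject_name_id: str
    issuer_name_id: str

@dataclass(frozen=True)
class FidoUafCredential:
    aaid: str    # authenticator attestation identifier
    key_id: str  # key identifier

def credential_key(cred):
    """Build the tuple on which the credential type is unique (per the text above)."""
    if isinstance(cred, KerberosCredential):
        if cred.sam_account.count("@") != 1:
            raise ValueError("SAM account must have the form login@domain")
        return ("kerberos", cred.sam_account)
    if isinstance(cred, SamlFederationCredential):
        # Subject nameID alone is NOT unique: the issuer is part of the key.
        return ("saml", cred.issuer_name_id, cred.subject_name_id)
    if isinstance(cred, FidoUafCredential):
        return ("fido-uaf", cred.aaid, cred.key_id)
    raise TypeError(f"unsupported credential type: {type(cred).__name__}")

@dataclass
class CredentialStore:
    """Hypothetical store mapping external credentials to nevisIDM user IDs."""
    _by_key: dict = field(default_factory=dict)

    def register(self, user_id: str, cred) -> None:
        key = credential_key(cred)
        owner = self._by_key.get(key)
        # A user may hold several credentials, but one credential maps to one user.
        if owner is not None and owner != user_id:
            raise ValueError(f"credential already mapped to user {owner}")
        self._by_key[key] = user_id

    def lookup(self, cred):
        """Return the mapped user ID, or None if no credential matches."""
        return self._by_key.get(credential_key(cred))
```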