Detail levels
Most of the nevisIDM authentication plug-ins support detail levels to limit the amount of data fetched from the nevisIDM SOAP services. Reducing the detail level to only the required attributes improves performance.
A detail level can be specified per entity, e.g., user, profile, credential. Possible detail values in increasing order are: EXCLUDE, LOW, MEDIUM, HIGH.
Detail levels might have dependencies. For example, to fetch profile properties, a user detail level of at least MEDIUM is required. For the IdmAuthStates, the following detail levels are of use:
| Detail level | Description |
|---|---|
| detaillevel.certificate | certificate detail level, depends on detaillevel.user ≥ MEDIUM |
| detaillevel.credential | credential detail level, depends on detaillevel.user ≥ MEDIUM |
| detaillevel.default | default detail level, used if the detail level of an entity is not explicitly specified. If no default detail level is configured by the user, MEDIUM is used. |
| detaillevel.mobile_signature | mobile signature detail level, depends on detaillevel.user ≥ MEDIUM |
| detaillevel.profile | profile detail level, depends on detaillevel.user ≥ MEDIUM |
| detaillevel.property | a special detail level that activates properties on all other objects. It has no enforced dependency, but properties of a certain entity are only returned if the entity's detail level is at least MEDIUM. |
| detaillevel.role | role/authorization detail level, depends on detaillevel.profile ≥ MEDIUM |
| detaillevel.saml_federation | SAML federation detail level, depends on detaillevel.user ≥ MEDIUM |
| detaillevel.security_questions | security question detail level, depends on detaillevel.user ≥ MEDIUM |
| detaillevel.unit | unit detail level, depends on detaillevel.profile ≥ MEDIUM |
| detaillevel.user | user detail level |
The detail level of a fetched entity is stored in the session along with the user, so that another nevisIDM authentication plug-in can reuse it. IdmGetPropertiesState detects if the detail level of the current user on the session is too low and forces a refetch in this case.
If an early nevisIDM authentication plug-in fetches an entity with a low detail level, make sure that a following IdmGetProperties state uses the same detail levels; otherwise the entity is refetched in a second call. If known in advance, the first nevisIDM authentication plug-in should fetch the user entity with a detail level that satisfies all following nevisIDM authentication plug-ins.

Examples:
- Only the userExtId is required:

  ```xml
  <property name="detaillevel.default" value="EXCLUDE"/>
  <property name="detaillevel.user" value="LOW"/>
  ```

- This is equivalent to specifying no detail level at all:

  ```xml
  <property name="detaillevel.default" value="MEDIUM"/>
  ```

- Unsatisfied dependencies are enforced. The following config snippet is interpreted as "default=EXCLUDE,user=MEDIUM,profile=MEDIUM,unit=LOW":

  ```xml
  <property name="detaillevel.default" value="EXCLUDE"/>
  <property name="detaillevel.unit" value="LOW"/>
  ```

- The default detail level does not enforce any dependencies. The following config will not fetch any profiles, roles, and so on, but it fetches the user along with the user properties:

  ```xml
  <property name="detaillevel.default" value="LOW"/>
  ```

- Properties have no dependencies, and none are enforced for them. If only the role properties are required, configure:

  ```xml
  <property name="detaillevel.default" value="EXCLUDE"/>
  <property name="detaillevel.role" value="LOW"/>
  <property name="detaillevel.property" value="LOW"/>
  ```

  Note that this will also cause user and profile properties to be fetched.
nevisIDM authentication plug-ins try to detect a minimum required detail level such that they remain operational and will warn if a config is obviously bad.
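To check before deployment which entities a set of `detaillevel.*` properties will actually fetch (so a plug-in is not handed more identity data than it needs), the following added example applies the dependency rules from the table and the examples above to a snippet of `<property>` elements. It is not nevisIDM code: the entity names and the "explicit levels enforce dependencies, default-derived levels do not" rule are taken from this page, and the interpretation that a default-derived entity with an unsatisfied dependency is simply not fetched is an assumption based on the `default=LOW` example.

```python
import xml.etree.ElementTree as ET
LEVELS = ["EXCLUDE", "LOW", "MEDIUM", "HIGH"]  # increasing order
MEDIUM = LEVELS.index("MEDIUM")

# Entity -> the entity it depends on; that dependency must be at least MEDIUM.
DEPENDS_ON = {
    "profile": "user", "certificate": "user", "credential": "user",
    "mobile_signature": "user", "saml_federation": "user",
    "security_questions": "user", "role": "profile", "unit": "profile",
}
# Evaluation order: every entity comes after the entity it depends on.
ENTITIES = ["user", "profile", "certificate", "credential", "mobile_signature",
            "saml_federation", "security_questions", "role", "unit", "property"]

def parse_properties(xml_snippet):
    """Read <property name="detaillevel.X" value="..."/> elements into {X: level}."""
    root = ET.fromstring("<config>" + xml_snippet + "</config>")
    configured = {}
    for prop in root.iter("property"):
        name = prop.get("name", "")
        if name.startswith("detaillevel."):
            value = prop.get("value", "").upper()
            if value not in LEVELS:
                raise ValueError(f"unknown detail level {value!r} for {name}")
            configured[name[len("detaillevel."):]] = value
    return configured

def effective_levels(configured):
    """Explicit levels enforce their dependencies; default-derived ones do not."""
    default = configured.get("default", "MEDIUM")
    levels = {e: configured.get(e, default) for e in ENTITIES}
    # Raise the dependencies of explicitly configured entities, transitively.
    pending = [e for e in configured if e in DEPENDS_ON and levels[e] != "EXCLUDE"]
    while pending:
        dep = DEPENDS_ON[pending.pop()]
        if LEVELS.index(levels[dep]) < MEDIUM:
            levels[dep] = "MEDIUM"
            if dep in DEPENDS_ON:
                pending.append(dep)
    # Whatever still has an unsatisfied dependency came from the default: not fetched (assumption).
    for entity in ENTITIES:
        dep = DEPENDS_ON.get(entity)
        if dep and LEVELS.index(levels[dep]) < MEDIUM:
            levels[entity] = "EXCLUDE"
    return levels

def summarize(configured):  # render like the page: the default, then fetched entities
    levels = effective_levels(configured)
    parts = ["default=" + configured.get("default", "MEDIUM")]
    return ",".join(parts + [f"{e}={levels[e]}" for e in ENTITIES if levels[e] != "EXCLUDE"])
```

Feeding the page's `unit=LOW` snippet to `summarize(parse_properties(...))` yields `default=EXCLUDE,user=MEDIUM,profile=MEDIUM,unit=LOW`, the interpretation stated above.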