External credentials
In the case of external credentials, the authentication information is not stored in nevisIDM but in another system, e.g., an Active Directory. To map the authentication information to a nevisIDM user, the following credential types have been defined.
Kerberos
Kerberos credentials are used for mapping; nevisAuth handles the authentication. If it is successful, nevisAuth receives the security account manager (SAM) account <windows-user-login-ID>@<windows-domain>, which is the value stored on the Kerberos credential. Finally, nevisAuth uses the SAM account to look up the user in nevisIDM.
SecurID
In the case of SecurID authentication, nevisIDM is only used for the mapping of the user's name to the SecurID user name. The authentication as such is performed in a proprietary back end.
Safeword
See the chapter SecurID.
mTAN
This credential type is used for SMS authentication. During the authentication process, the user receives an SMS on his mobile, containing a one-time password that has to be used for the login. The mobile number of the user may be retrieved from nevisIDM (the mobile attribute of the user entity), or returned in the context field.
The table lists all mTAN policy parameters.
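The mTAN flow described above, as an added example that is not code from nevisIDM or nevisAuth: the mobile number is taken from the context field if present and otherwise from the user's mobile attribute, a numeric one-time password is generated and handed to an SMS sender, and only a hash of it is kept. The policy values (OTP length, validity window, maximum attempts), the user record and the SMS callback are assumptions made for the example; the real policy parameters are in the table this page refers to.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example (the real mTAN policy table is not on this page).
OTP_LENGTH = 6
OTP_VALIDITY_SECONDS = 120
MAX_ATTEMPTS = 3

# Constructed stand-in for the nevisIDM user entity; only the mobile attribute matters here.
USERS = {"alice": {"mobile": "+41790000000"}}


@dataclass
class MtanChallenge:
    """Server-side state of one outstanding SMS challenge. The OTP itself is never stored."""
    user: str
    mobile: str
    otp_hash: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


def resolve_mobile(user, context_mobile=None):
    """Mobile number from the context field if given, else from the user's mobile attribute."""
    if context_mobile:
        return context_mobile
    mobile = USERS.get(user, {}).get("mobile")
    if not mobile:
        raise LookupError(f"no mobile number known for user {user!r}")
    return mobile


def issue_challenge(user, context_mobile=None, now=None, send=None):
    """Generate a one-time password, send it via the (assumed) SMS gateway callback,
    and return the challenge state that a later verify() call is checked against."""
    now = time.time() if now is None else now
    mobile = resolve_mobile(user, context_mobile)
    otp = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
    if send is not None:
        send(mobile, otp)  # stand-in for the SMS gateway
    return MtanChallenge(user, mobile, hashlib.sha256(otp.encode()).digest(), now)


def verify(challenge, candidate, now=None):
    """Check a user-supplied OTP. Returns one of: ok, wrong, expired, locked, used.
    A challenge is consumed on success, expires after the validity window and
    locks after MAX_ATTEMPTS failed guesses, so a short numeric OTP cannot be brute-forced."""
    now = time.time() if now is None else now
    if challenge.used:
        return "used"
    if now - challenge.issued_at > OTP_VALIDITY_SECONDS:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    candidate_hash = hashlib.sha256(candidate.encode()).digest()
    if hmac.compare_digest(candidate_hash, challenge.otp_hash):
        challenge.used = True
        return "ok"
    return "wrong"
```

The attempt counter is incremented before the comparison, so a correct guess that arrives after the limit is still rejected as locked; the expiry check comes first so that a stale challenge is never counted as a wrong attempt.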
Generic credential
A generic credential can be used for any kind of mapping between (usually external) credentials and nevisIDM users. The Kerberos credential, for example, is basically a "pre-labelled" generic credential.
Mobile signature
Mobile signature credentials are two-factor credentials. The user must have access to his mobile phone and know the PIN to allow a SIM-card-based application to sign the authentication requests sent by the MSSP (mobile signature service provider).
The signature of the response can be validated by various components: currently the MSSP does it; later it could be the nevisAuth AuthState or even nevisIDM. If the signature is valid, the authentication was successful.
- The table in Mobile signature lists all mobile signature attributes.
- The table in Mobile signature - policy parameters contains all mobile signature policy parameters.
SAML federation
SAML federation credentials link a nevisIDM user with an identity managed by an identity provider, who is able to assert the subject's identity through the issuance of a SAML assertion. A nevisIDM user may have zero, one or more SAML federation credentials.
A SAML federation credential is uniquely identified by the combination of its subject's nameID and its issuer's nameID.
This credential respects the SAML 2.0 standard from OASIS (see http://saml.xml.org/saml-specifications), but it is not designed to fully implement it.
- The table in SAML federation lists all SAML federation attributes.
- The table in SAML federation - policy parameters contains all SAML federation policy parameters.
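The mapping role that the Kerberos, generic and SAML federation credentials share, as an added example that is not nevisIDM's own code or data model: a store keyed by credential type plus an external identifier resolves to a nevisIDM user, a Kerberos credential is keyed by the normalised SAM account, a generic credential by any label/value pair, and a SAML federation credential by the pair (issuer nameID, subject nameID), which is what makes two credentials with the same subject under different issuers distinct and a second credential with the same pair a duplicate. The sample assertion, user IDs and the assumption that the SAM account's login and domain are case-insensitive (as AD sAMAccountName and NetBIOS domain names are) are constructed for the example; the assertion is assumed to have been signature- and condition-checked upstream, since the credential only performs the mapping.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class CredentialStore:
    """External-credential mapping: (credential type, key) -> nevisIDM user ID.
    The store is an assumption for the example, not nevisIDM's schema."""

    def __init__(self):
        self._by_key = {}
        self._by_user = {}

    def add(self, cred_type, key, user):
        full = (cred_type, key)
        if full in self._by_key:
            raise ValueError(f"duplicate {cred_type} credential {key!r}")
        self._by_key[full] = user
        self._by_user.setdefault(user, []).append(full)

    def lookup(self, cred_type, key):
        """Return the mapped user, or None when no credential carries this key."""
        return self._by_key.get((cred_type, key))

    def credentials_of(self, user):
        """A user may hold zero, one or more credentials of each type."""
        return list(self._by_user.get(user, []))


def kerberos_key(sam_account):
    """Normalise <windows-user-login-ID>@<windows-domain> as received from nevisAuth.
    Assumption: both parts are compared case-insensitively, as Windows does for SAM accounts."""
    login, sep, domain = sam_account.partition("@")
    if not sep or not login or not domain:
        raise ValueError("SAM account must have the form login@domain")
    return (login.lower(), domain.upper())


def saml_key_from_assertion(xml_text):
    """Extract the (issuer nameID, subject nameID) pair that identifies a SAML federation credential.
    Signature and Conditions are assumed to have been validated before this mapping step."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    issuer_text = (issuer.text or "").strip() if issuer is not None else ""
    subject_text = (name_id.text or "").strip() if name_id is not None else ""
    if not issuer_text or not subject_text:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    return (issuer_text, subject_text)


# Constructed SAML 2.0 assertion fragment (no signature; the mapping does not inspect one).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example-1">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@idp.example.test</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def build_demo_store():
    """Constructed credentials for one nevisIDM user (IDs are made up for the example)."""
    store = CredentialStore()
    store.add("kerberos", kerberos_key("Alice@CORP.EXAMPLE"), "u-alice")
    store.add("generic", ("badge-id", "A17"), "u-alice")
    store.add("saml", ("https://idp.example.test/metadata", "alice@idp.example.test"), "u-alice")
    # Same subject nameID asserted by a second issuer is a separate credential.
    store.add("saml", ("https://partner.example.test/metadata", "alice@idp.example.test"), "u-alice")
    return store
```

Looking a user up from an incoming assertion is then `store.lookup("saml", saml_key_from_assertion(assertion_xml))`, and a `None` result means the subject is not federated with any nevisIDM user, which the caller should treat as a failed mapping rather than as a reason to create a user implicitly.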