IdmPasswordVerifyState
This AuthState is an authenticating AuthState ).
This plug-in provides password authentication and is used as an initial authenticator.
| Topic | Description |
|---|---|
| Class | ch.nevis.idm.authstate.IdmPasswordVerifyState |
| Logging | IdmAuth |
| Auditing | none |
| Marker | NevisIDM:username/password |
| Properties | user.loginType ("AUTO" / "EMAIL" / "LOGINID", "AUTO") This property specifies which information the user has to enter at the login view. EMAIL: The user has to enter the e-mail address, and nevisIDM searches the user by this e-mail address.; LOGINID: The user has to enter his login ID, and nevisIDM searches the user by this login ID.; AUTO (default): The user can use either his login ID or his e-mail address at login, and nevisIDM will detect automatically which of them the user entered. Note that login by e-mail address will only work if within nevisIDM application.feature.emaillogin.enabled has been set to true. Note that if user.loginType is "AUTO" and the user's login ID looks like an e-mail address, nevisIDM will perform a "search user by e-mail address". |
| credential.type (enum {"password", "ticket", "tempStrongPassword", "PUK", "devicePassword", "contextPassword"}, "password") The credential type to authenticate the user against: password: a permanent password credential (this is the default); ticket: single login via ticket; PUK: single login via PUK; tempStrongPassword: single login via temporary strong password; devicePassword: login via device password. This requires credential.id to be set since they are not unique per user; contextPassword: login via context password. This requires credential.context or credential.id to be set since they are not unique per user. | |
| credential.id (string, "") Explicitely defines a credential ID to authenticate against. This is not required for credential types that are unique per user, i.e., credential.id is currently only used for device passwords and context passwords. | |
| credential.context (string, "") Explicitly defines a credential context to authenticate against. It is only used for context password credentials to identify which context password of the user to use. | |
| updateOnSuccess (boolean, true) Optional parameter, controls the update of login information on successful authentication. Default is true: the last login timestamp will be written in the DB. When false: the login info remains untouched. It is helpful in step-up cases, in which the two (or more) authentication steps should behave atomically. After both steps succeeded, the login info update happens via IdmCredStatusCheckState (see the IdmCredStatusCheckState). | |
| Properties (Input) | client.name (defined in the "Default input properties") |
| user.loginId (defined in the "Default input properties") Login ID, known to the user. If the nevisIDM config parameter application.feature.emaillogin.enabled has been set to true, the user can use his unique e-mail address to log in. IdmPasswordVerifyState transparently detects if the user entered a loginId or an e-mail address. | |
| user.password (string: "${inargs:isiwebpasswd}") Password, matching the password credential in nevisIDM | |
| detaillevel.:* as specified in the Transitions shared among all nevisIDM AuthStates. | |
| Methods | authenticate |
| Transitions | ok: Authentication was successful |
| failed: Authentication failed, i.e., the password is incorrect. | |
| clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available. | |
| lockWarn: Last try to login, next failure will lock. | |
| nowLocked: The last try failed. The credential was locked in this step. | |
| locked: The credential in nevisIDM is locked. | |
| pwChange: A password change is required. | |
| tmpLocked: The password is temporarily locked | |
| Output | none |
| Errors | 1: authentication failed; 1: client not found; 1: account deleted or non-existent; 3: will lock on next failure; 6: need password change; 8: just locked; 8: account was locked already; 8: account is temporarily locked; 98: account or password disabled by admin; 98: account or password is not yet active; 98: password has expired |
| Notes | client: Mandatory. |
| loginid: The user's accepted login ID or the user's e-mail address respectively, if he used his e-mail to log in (see Input). | |
| userid: The user's authenticated user ID. |
Example
<AuthState name="IdmUserIdPasswordLogin" final="false"
class="ch.nevis.idm.authstate.IdmPasswordVerifyState" >
<ResultCond name="ok" next="IdmPostProcessing"
authLevel="auth.weak"/>
<ResultCond name="pwChange" next="IdmPasswordChange" authLevel="auth.weak"/>
<ResultCond name="lockWarn" next="IdmUserIdPasswordLogin"/>
<ResultCond name="nowLocked" next="IdmUserIdPasswordLogin"/>
<ResultCond name="locked" next="IdmUserIdPasswordLogin"/>
<ResultCond name="tmpLocked" next="IdmUserIdPasswordLogin" />
<ResultCond name="failed" next="IdmUserIdPasswordLogin"/>
<ResultCond name="clientNotFound" next="IdmUserIdPasswordLogin"/>
<ResultCond name="disabled" next="IdmUserIdPasswordLogin"/>
<Response value="AUTH_CONTINUE">
<Gui name="AuthUidPwDialog" label="login.uidpw.label">
<GuiElem name="lasterror" type="error"
label="${notes:lasterrorinfo}"
value="${notes:lasterror}"/>
<GuiElem name="isiwebuserid" type="text"
label="userid.label"
value="${notes:loginid}"/>
<GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
<GuiElem name="submit" type="submit" label="submit.button.label"
value="Login"/>
</Gui>
</Response>
<propertyRef name="IdmCertificateLogin"/>
<property name="credential.type" value="password"/>
</AuthState>