Skip to main content
Version: 7.2405.x.x LTS

IdmPasswordVerifyState

This AuthState is an authenticating AuthState ).

This plug-in provides password authentication and is used as an initial authenticator.

TopicDescription
Classch.nevis.idm.authstate.IdmPasswordVerifyState
LoggingIdmAuth
Auditingnone
MarkerNevisIDM:username/password
Propertiesuser.loginType ("AUTO" / "EMAIL" / "LOGINID", "AUTO") This property specifies which information the user has to enter at the login view. EMAIL: The user has to enter the e-mail address, and nevisIDM searches the user by this e-mail address.; LOGINID: The user has to enter his login ID, and nevisIDM searches the user by this login ID.; AUTO (default): The user can use either his login ID or his e-mail address at login, and nevisIDM will detect automatically which of them the user entered. Note that login by e-mail address will only work if within nevisIDM application.feature.emaillogin.enabled has been set to true. Note that if user.loginType is "AUTO" and the user's login ID looks like an e-mail address, nevisIDM will perform a "search user by e-mail address".
credential.type (enum {"password", "ticket", "tempStrongPassword", "PUK", "devicePassword", "contextPassword"}, "password") The credential type to authenticate the user against: password: a permanent password credential (this is the default); ticket: single login via ticket; PUK: single login via PUK; tempStrongPassword: single login via temporary strong password; devicePassword: login via device password. This requires credential.id to be set since they are not unique per user; contextPassword: login via context password. This requires credential.context or credential.id to be set since they are not unique per user.
credential.id (string, "") Explicitely defines a credential ID to authenticate against. This is not required for credential types that are unique per user, i.e., credential.id is currently only used for device passwords and context passwords.
credential.context (string, "") Explicitly defines a credential context to authenticate against. It is only used for context password credentials to identify which context password of the user to use.
updateOnSuccess (boolean, true) Optional parameter, controls the update of login information on successful authentication. Default is true: the last login timestamp will be written in the DB. When false: the login info remains untouched. It is helpful in step-up cases, in which the two (or more) authentication steps should behave atomically. After both steps succeeded, the login info update happens via IdmCredStatusCheckState (see the IdmCredStatusCheckState).
Properties (Input)client.name (defined in the "Default input properties")
user.loginId (defined in the "Default input properties") Login ID, known to the user. If the nevisIDM config parameter application.feature.emaillogin.enabled has been set to true, the user can use his unique e-mail address to log in. IdmPasswordVerifyState transparently detects if the user entered a loginId or an e-mail address.
user.password (string: "${inargs:isiwebpasswd}") Password, matching the password credential in nevisIDM
detaillevel.:* as specified in the Transitions shared among all nevisIDM AuthStates.
Methodsauthenticate
Transitionsok: Authentication was successful
failed: Authentication failed, i.e., the password is incorrect.
clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available.
lockWarn: Last try to login, next failure will lock.
nowLocked: The last try failed. The credential was locked in this step.
locked: The credential in nevisIDM is locked.
pwChange: A password change is required.
tmpLocked: The password is temporarily locked
Outputnone
Errors1: authentication failed; 1: client not found; 1: account deleted or non-existent; 3: will lock on next failure; 6: need password change; 8: just locked; 8: account was locked already; 8: account is temporarily locked; 98: account or password disabled by admin; 98: account or password is not yet active; 98: password has expired
Notesclient: Mandatory.
loginid: The user's accepted login ID or the user's e-mail address respectively, if he used his e-mail to log in (see Input).
userid: The user's authenticated user ID.

Example

<AuthState name="IdmUserIdPasswordLogin" final="false"
class="ch.nevis.idm.authstate.IdmPasswordVerifyState" >
<ResultCond name="ok" next="IdmPostProcessing"
authLevel="auth.weak"/>
<ResultCond name="pwChange" next="IdmPasswordChange" authLevel="auth.weak"/>
<ResultCond name="lockWarn" next="IdmUserIdPasswordLogin"/>
<ResultCond name="nowLocked" next="IdmUserIdPasswordLogin"/>
<ResultCond name="locked" next="IdmUserIdPasswordLogin"/>
<ResultCond name="tmpLocked" next="IdmUserIdPasswordLogin" />
<ResultCond name="failed" next="IdmUserIdPasswordLogin"/>
<ResultCond name="clientNotFound" next="IdmUserIdPasswordLogin"/>
<ResultCond name="disabled" next="IdmUserIdPasswordLogin"/>
<Response value="AUTH_CONTINUE">
<Gui name="AuthUidPwDialog" label="login.uidpw.label">
<GuiElem name="lasterror" type="error"
label="${notes:lasterrorinfo}"
value="${notes:lasterror}"/>
<GuiElem name="isiwebuserid" type="text"
label="userid.label"
value="${notes:loginid}"/>
<GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
<GuiElem name="submit" type="submit" label="submit.button.label"
value="Login"/>
</Gui>
</Response>
<propertyRef name="IdmCertificateLogin"/>
<property name="credential.type" value="password"/>
</AuthState>