IdmX509State
This AuthState is an authenticating AuthState.
This plug-in is used to look up a user by the client certificate sent to and trusted by the access proxy. The user must have a registered certificate in nevisIDM.
Do not use the IdmX509State without first establishing trust in the certificate. The state does not validate the certificate itself; it expects that the certificate has already been verified as valid and trusted (normally by the access proxy's TLS client authentication) before it is handed to this state.
| Topic | Description |
|---|---|
| Class | `ch.nevis.idm.authstate.IdmX509State` |
| Logging | IdmAuth |
| Auditing | none |
| Marker | NevisIDM:token |
| Properties | `client.name` (defined in the chapter "Default input properties") |
| | `user.certificate` (string, `${request:clientCertAsString}`): the source of the user's client certificate. |
| | `automatic.credential.update` (boolean, `true`): controls the update of the login information after successful certificate verification. If `true`, the last-login timestamp is written to the database. If `false`, the credential update is skipped (only use this if the credential is updated in a later state anyway). |
| | `detaillevel.*`: as specified in the section "Transitions shared among all nevisIDM AuthStates". |
| Methods | authenticate, stepup |
| Input | none |
| Transitions | `ok`: authentication successful. |
| | `locked`: the credential in nevisIDM is locked. |
| | `disabled`: all users with this certificate are disabled; no login is possible. |
| | `failed`: authentication failed, i.e. no user has the corresponding certificate registered. |
| | `chooseClient`: the certificate is mapped to multiple users in different mandators (clients). This transition can be handled by the state itself by displaying a list of clients to select from. |
| | `clientNotFound`: the user supplied an unsupported client ID, or the default client (see `client.name` above) is not available. |
| Output | none |
| Errors | |
| Notes | userid |
Example
```xml
<AuthState name="IdmCertificateLogin"
           class="ch.nevis.idm.authstate.IdmX509State"
           final="false">
  <ResultCond name="ok" next="IdmPostProcessingStrong"/>
  <ResultCond name="chooseClient" next="IdmCertificateLogin"/>
  <ResultCond name="wrongClient" next="IdmUserIdPasswordLogin"
              startOver="true"/>
  <ResultCond name="disabled" next="IdmUserIdPasswordLogin"
              startOver="true"/>
  <ResultCond name="locked" next="IdmUserIdPasswordLogin"
              startOver="true"/>
  <ResultCond name="failed" next="IdmUserIdPasswordLogin"
              startOver="true"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthChooseClientDialog" label="login.cert.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}"
               value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="error_11"/>
    </Gui>
  </Response>
  <property name="login.service.connection.1"
            value="https://localhost:8989/nevisidm/services/v1/AdminService"/>
</AuthState>
```