User Authentication: Challenge/Response
  • 11 Dec 2024

Article summary

This operation performs a user authentication using a Challenge/Response authenticator application.

The following types of Challenge/Response operations are supported:

  • 1-step Challenge/Response
  • 2-step Challenge/Response

For this operation to succeed, the following administrative tasks should be performed in OneSpan Authentication Server:

To configure OneSpan Authentication Server for Challenge/Response authentication

  1. Register the client application.
  2. Define/assign an authentication policy that supports a 1-step server-based challenge.
  3. Define users and assign authenticators that support Challenge/Response authentication.

1-step Challenge/Response

This operation type assumes that an authenticator challenge has already been generated before. This challenge might be generated by OneSpan Authentication Server via the getChallenge operation (server challenge, see User authentication: getChallenge operation), or it might be generated by the client application (any challenge).

To execute this operation, the registered client application should send an authUser SOAP command to OneSpan Authentication Server. The authUser command should, at a minimum, specify the following credential field attributes:

  • CREDFLD_USERID
  • CREDFLD_COMPONENT_TYPE. Indicates the client application component type.
  • CREDFLD_CHALLENGE_KEY. In case the challenge has been generated by OneSpan Authentication Server.
  • CREDFLD_CHALLENGE. In case the challenge has NOT been generated by OneSpan Authentication Server.
  • CREDFLD_PASSWORD_FORMAT
  • The one-time password (OTP) specified either via the CREDFLD_PASSWORD or the CREDFLD_DP_RESPONSE credential attribute, depending on the chosen password format.

A client application with component type SOAP Auth Client will typically send the following SOAP command to perform a Challenge/Response-based authenticator authentication for user test1:

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <AUTH-TYPES:authUser>
      <credentialAttributeSet>
        <attributes>
          <value xsi:type="xsd:string">testuser</value>
          <attributeID>CREDFLD_USERID</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">5656</value>
          <attributeID>CREDFLD_CHALLENGE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:unsignedInt">0</value>
          <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">1682703</value>
          <attributeID>CREDFLD_PASSWORD</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">SOAP Client</value>
          <attributeID>CREDFLD_COMPONENT_TYPE</attributeID>
        </attributes>
      </credentialAttributeSet>
    </AUTH-TYPES:authUser>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

2-step Challenge/Response

This operation requests a server challenge as a first step. In the second step, a user authentication is performed. This second step is identical to a 1-step Challenge/Response request (see 1-step Challenge/Response).

To perform the first step in the 2-step Challenge/Response operation, the registered client application should send an authUser SOAP command to OneSpan Authentication Server, requesting a challenge by submitting a trigger keyword. This keyword should be specified in the authentication policy associated with the registered client application.

For this step to succeed, the authUser command should, at a minimum, specify the following set of credential field attributes:

  • CREDFLD_USERID
  • CREDFLD_COMPONENT_TYPE. Indicates the client application component type.
  • CREDFLD_PASSWORD_FORMAT
  • The keyword specified either via the CREDFLD_PASSWORD or the CREDFLD_STATIC_PASSWORD credential attribute, depending on the chosen password format.

A client application with component type SOAP Auth Client will typically send the following SOAP command to perform step 1 in a 2-step Challenge/Response-based authenticator authentication for user test1:

<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <!-- ... Additional namespace declarations -->
  <soapenv:Header/>
  <soapenv:Body>
    <aut:authUser>
      <credentialAttributeSet>
        <attributes>
          <value xsi:type="xsd:unsignedInt">4</value>
          <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">getchallenge</value>
          <attributeID>CREDFLD_STATIC_PASSWORD</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">SOAP Client</value>
          <attributeID>CREDFLD_COMPONENT_TYPE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">test1</value>
          <attributeID>CREDFLD_USERID</attributeID>
        </attributes>
      </credentialAttributeSet>
    </aut:authUser>
  </soapenv:Body>
</soapenv:Envelope>

For this request, it is assumed that the specified client application component has an associated policy that has the 2-step Challenge/Response keyword set to getChallenge.
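The following Python helper is an added example, not OneSpan code: it builds the authUser envelope for both the 1-step request and the first step of the 2-step request described above, checks the minimum credential-attribute set of each before anything is sent, and parses an envelope back into its attributes so the outgoing request can be inspected or logged. The namespace URIs, attribute IDs, xsd types and sample values (user test1, challenge 5656, OTP 1682703, keyword getchallenge, component type "SOAP Client") are taken from this page; the function names, the "exactly one of CREDFLD_CHALLENGE or CREDFLD_CHALLENGE_KEY" rule and the dictionary-based interface are this example's own assumptions, and no HTTP transport or response handling is included because the page does not describe the response format.

```python
"""Build, pre-check and parse authUser Challenge/Response requests.

Added example; not OneSpan Authentication Server code. Envelope layout,
namespaces, attribute IDs and sample values come from the page; helper names
and the validation rules are this example's own.
"""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication"

# xsd type each credential field carries in the page's examples
FIELD_TYPES = {
    "CREDFLD_USERID": "xsd:string",
    "CREDFLD_COMPONENT_TYPE": "xsd:string",
    "CREDFLD_CHALLENGE": "xsd:string",
    "CREDFLD_CHALLENGE_KEY": "xsd:string",
    "CREDFLD_PASSWORD_FORMAT": "xsd:unsignedInt",
    "CREDFLD_PASSWORD": "xsd:string",
    "CREDFLD_DP_RESPONSE": "xsd:string",
    "CREDFLD_STATIC_PASSWORD": "xsd:string",
}
COMMON = ("CREDFLD_USERID", "CREDFLD_COMPONENT_TYPE", "CREDFLD_PASSWORD_FORMAT")


def problems_one_step(attrs):
    """Return the list of minimum-attribute violations for a 1-step request."""
    issues = [f"missing {f}" for f in COMMON if f not in attrs]
    # Assumption of this example: a client challenge and a server challenge key
    # are alternatives, so exactly one of them must be present.
    if ("CREDFLD_CHALLENGE" in attrs) == ("CREDFLD_CHALLENGE_KEY" in attrs):
        issues.append("need exactly one of CREDFLD_CHALLENGE or CREDFLD_CHALLENGE_KEY")
    if not ({"CREDFLD_PASSWORD", "CREDFLD_DP_RESPONSE"} & attrs.keys()):
        issues.append("missing OTP (CREDFLD_PASSWORD or CREDFLD_DP_RESPONSE)")
    return issues


def problems_two_step_first(attrs):
    """Return the violations for step 1 of a 2-step request (keyword submission)."""
    issues = [f"missing {f}" for f in COMMON if f not in attrs]
    if not ({"CREDFLD_PASSWORD", "CREDFLD_STATIC_PASSWORD"} & attrs.keys()):
        issues.append("missing keyword (CREDFLD_PASSWORD or CREDFLD_STATIC_PASSWORD)")
    return issues


def build_auth_user(attrs):
    """Serialise a field->value mapping into the authUser envelope shown on the page."""
    rows = []
    for field, value in attrs.items():
        xsd_type = FIELD_TYPES[field]  # KeyError on an unknown field is deliberate
        rows.append(
            "        <attributes>\n"
            f'          <value xsi:type="{xsd_type}">{escape(str(value))}</value>\n'
            f"          <attributeID>{field}</attributeID>\n"
            "        </attributes>\n"
        )
    return (
        "<SOAP-ENV:Envelope\n"
        f'  xmlns:SOAP-ENV="{SOAP_NS}"\n'
        '  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
        '  xmlns:xsd="http://www.w3.org/2001/XMLSchema"\n'
        f'  xmlns:AUTH-TYPES="{AUTH_NS}">\n'
        "  <SOAP-ENV:Header/>\n  <SOAP-ENV:Body>\n    <AUTH-TYPES:authUser>\n"
        "      <credentialAttributeSet>\n" + "".join(rows) +
        "      </credentialAttributeSet>\n    </AUTH-TYPES:authUser>\n"
        "  </SOAP-ENV:Body>\n</SOAP-ENV:Envelope>\n"
    )


def parse_auth_user(xml_text):
    """Read an authUser envelope back into a field->value mapping."""
    root = ET.fromstring(xml_text)
    op = root.find(f"{{{SOAP_NS}}}Body").find(f"{{{AUTH_NS}}}authUser")
    # credentialAttributeSet and its children carry no namespace in the page's example
    return {e.findtext("attributeID"): e.findtext("value")
            for e in op.find("credentialAttributeSet").findall("attributes")}


def one_step_request(user, otp, challenge=None, challenge_key=None, password_format=0):
    """1-step request: OTP plus either a client challenge or a server challenge key."""
    attrs = {"CREDFLD_USERID": user, "CREDFLD_COMPONENT_TYPE": "SOAP Client",
             "CREDFLD_PASSWORD_FORMAT": password_format}
    if challenge is not None:
        attrs["CREDFLD_CHALLENGE"] = challenge
    if challenge_key is not None:
        attrs["CREDFLD_CHALLENGE_KEY"] = challenge_key
    attrs["CREDFLD_PASSWORD"] = otp
    if issues := problems_one_step(attrs):
        raise ValueError("; ".join(issues))
    return build_auth_user(attrs)


def two_step_first_request(user, keyword="getchallenge", password_format=4):
    """Step 1 of a 2-step request: submit the policy's trigger keyword."""
    attrs = {"CREDFLD_USERID": user, "CREDFLD_COMPONENT_TYPE": "SOAP Client",
             "CREDFLD_PASSWORD_FORMAT": password_format,
             "CREDFLD_STATIC_PASSWORD": keyword}
    if issues := problems_two_step_first(attrs):
        raise ValueError("; ".join(issues))
    return build_auth_user(attrs)


if __name__ == "__main__":
    print(one_step_request("test1", "1682703", challenge="5656"))
    print(two_step_first_request("test1"))
```

The pre-checks run before the envelope is built so that an incomplete request (for instance an OTP sent without any challenge reference) fails in the client rather than producing a rejected authentication on the server; `parse_auth_user` is the same routine one would use to inspect what an existing client actually puts on the wire.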
