- 20 Jan 2025
User Authentication: Challenge/Response
- Updated on 20 Jan 2025
This operation performs a user authentication using a Challenge/Response authenticator application.
The following types of Challenge/Response operations are supported:
- 1-step Challenge/Response
- 2-step Challenge/Response
For this operation to succeed, the following administrative tasks should be performed in OneSpan Authentication Server:
To configure OneSpan Authentication Server for Challenge/Response authentication
- Register client application.
- Define/assign an authentication policy that supports a 1-step server-based challenge.
- Define users and assign authenticators supporting Challenge/Response authentication.
1-step Challenge/Response
This operation type assumes that an authenticator challenge has already been generated. This challenge might be generated by OneSpan Authentication Server via the getChallenge operation (server challenge, see User authentication: getChallenge operation), or it might be generated by the client application (any challenge).
To execute this operation, the registered client application should send an authUser SOAP command to OneSpan Authentication Server. The authUser command should, at a minimum, specify the following credential field attributes:
- CREDFLD_USERID
- CREDFLD_COMPONENT_TYPE. Indicates the client application component type.
- CREDFLD_CHALLENGE_KEY. In case the challenge has been generated by OneSpan Authentication Server.
- CREDFLD_CHALLENGE. In case the challenge has NOT been generated by OneSpan Authentication Server.
- CREDFLD_PASSWORD_FORMAT
- The one-time password (OTP) specified either via the CREDFLD_PASSWORD or the CREDFLD_DP_RESPONSE credential attribute, depending on the chosen password format.
A client application with component type SOAP Auth Client will typically send the following SOAP command to perform a Challenge/Response-based authenticator authentication for user test1:
```xml
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <AUTH-TYPES:authUser>
      <credentialAttributeSet>
        <attributes>
          <value xsi:type="xsd:string">testuser</value>
          <attributeID>CREDFLD_USERID</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">5656</value>
          <attributeID>CREDFLD_CHALLENGE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:unsignedInt">0</value>
          <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">1682703</value>
          <attributeID>CREDFLD_PASSWORD</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">SOAP Client</value>
          <attributeID>CREDFLD_COMPONENT_TYPE</attributeID>
        </attributes>
      </credentialAttributeSet>
    </AUTH-TYPES:authUser>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
2-step Challenge/Response
This operation requests a server challenge as a first step. In the second step, a user authentication is performed. This second step is identical to a 1-step Challenge/Response request (see 1-step Challenge/Response).
To perform the first step in the 2-step Challenge/Response operation, the registered client application should send an authUser SOAP command to OneSpan Authentication Server, requesting a challenge by submitting a trigger keyword. This keyword should be specified in the authentication policy associated with the registered client application.
For this step to succeed, the authUser command should, at a minimum, specify the following set of credential field attributes:
- CREDFLD_USERID
- CREDFLD_COMPONENT_TYPE. Indicates the client application component type.
- CREDFLD_PASSWORD_FORMAT
- The keyword specified either via the CREDFLD_PASSWORD or the CREDFLD_STATIC_PASSWORD credential attribute, depending on the chosen password format.
A client application with component type SOAP Auth Client will typically send the following SOAP command to perform step 1 in a 2-step Challenge/Response-based authenticator authentication for user test1:
```xml
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <!-- ... Additional namespace declarations -->
  <soapenv:Header/>
  <soapenv:Body>
    <aut:authUser>
      <credentialAttributeSet>
        <attributes>
          <value xsi:type="xsd:unsignedInt">4</value>
          <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">getchallenge</value>
          <attributeID>CREDFLD_STATIC_PASSWORD</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">SOAP Client</value>
          <attributeID>CREDFLD_COMPONENT_TYPE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">test1</value>
          <attributeID>CREDFLD_USERID</attributeID>
        </attributes>
      </credentialAttributeSet>
    </aut:authUser>
  </soapenv:Body>
</soapenv:Envelope>
```
For this request, it is assumed that the specified client application component has an associated policy that has the 2-step Challenge/Response keyword set to getChallenge.
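The minimum attribute sets listed for the 1-step request and for step 1 of the 2-step flow can be enforced on the client before anything is sent. The following is an added example, not OneSpan's code: a Python builder that rejects incomplete requests and serializes every value through ElementTree, so user-supplied IDs, keywords and OTPs are escaped rather than concatenated into the envelope. The function names, the step labels `response` and `challenge_request`, and the string typing of CREDFLD_CHALLENGE_KEY and CREDFLD_DP_RESPONSE are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces copied from the page's sample envelopes.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"
AUTH = "http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication"
for _prefix, _uri in (("soapenv", SOAP), ("xsi", XSI), ("xsd", XSD), ("aut", AUTH)):
    ET.register_namespace(_prefix, _uri)

ALWAYS = {"CREDFLD_USERID", "CREDFLD_COMPONENT_TYPE", "CREDFLD_PASSWORD_FORMAT"}
# "Exactly one of" groups; reading the page's either/or wording as exclusive is an assumption.
ONE_OF = {
    "response": [{"CREDFLD_CHALLENGE_KEY", "CREDFLD_CHALLENGE"},
                 {"CREDFLD_PASSWORD", "CREDFLD_DP_RESPONSE"}],
    "challenge_request": [{"CREDFLD_PASSWORD", "CREDFLD_STATIC_PASSWORD"}],
}

def check_attributes(attrs, step):
    """Return a list of problems; an empty list means the minimum set is present."""
    problems = [f"missing {name}" for name in sorted(ALWAYS - set(attrs))]
    for group in ONE_OF[step]:
        if len(group & set(attrs)) != 1:
            problems.append("need exactly one of " + " / ".join(sorted(group)))
    return problems

def build_auth_user(attrs, step):
    """Serialize an authUser envelope; ElementTree escapes every value."""
    problems = check_attributes(attrs, step)
    if problems:
        raise ValueError("; ".join(problems))
    envelope = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP}}}Body")
    command = ET.SubElement(body, f"{{{AUTH}}}authUser")
    attr_set = ET.SubElement(command, "credentialAttributeSet")
    for attr_id, value in attrs.items():
        node = ET.SubElement(attr_set, "attributes")
        # Per the samples: CREDFLD_PASSWORD_FORMAT is unsignedInt, the rest strings.
        # Typing CREDFLD_CHALLENGE_KEY and CREDFLD_DP_RESPONSE as strings is an assumption.
        xsd_type = "unsignedInt" if attr_id == "CREDFLD_PASSWORD_FORMAT" else "string"
        val = ET.SubElement(node, "value")
        val.set(f"{{{XSI}}}type", ET.QName(XSD, xsd_type))  # QName value declares xmlns:xsd
        val.text = str(value)
        ET.SubElement(node, "attributeID").text = attr_id
    return ET.tostring(envelope, encoding="unicode")
```

Wrapping the xsi:type value in `ET.QName` matters: the `xsd` prefix appears only inside attribute values, and ElementTree would otherwise omit its namespace declaration from the envelope.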