Authentication Methods

The authentication methods require different sets of request and response parameters, and the parameters used may be dynamically selected depending on internal state or the current workflow. Below is a short description of each authentication method. In general, all methods return the required parameters in the response. If null values are returned, incorrect parameters were supplied. Principals returned in responses that have a value set are pass-through parameters and should be sent back unaltered in the next request.

Note! Before any of the authentication methods listed below can be used, they must be configured within the appropriate servers.

Active Directory

The Active Directory method makes an authentication call to an Active Directory server using a single request with the parameters "username" and "password". Should the user be required to change password, a challenge with the parameters "username", "oldPassword", "newPassword" and "newPassword2" will be generated (where "newPassword2" is a confirmation of "newPassword").

E-ID

The BankID method makes authentication requests to a Nexus MultiID v2 Server. The first request must contain the parameter "client", which holds a constant defining which PKI client is being used. See the Nexus PKI client documentation for supported client constants. The Nexus server then replies with a challenge request whose "challenge" parameter contains a generated challenge string. After processing the challenge string, the client makes another request with the parameters "signature" and "detachedtbs". The "signature" parameter contains the client-generated signature, and "detachedtbs" usually contains the challenge. For more information, see the Nexus documentation.

Basic

The Basic method makes an HTTP BASIC authentication call to a web server using a single request with the parameters "username" and "password".

Form

The Form method makes an HTTP Form authentication call to a web server using a single request with the parameters "username", "password" and an optional "domain" parameter.

LDAP

The LDAP method makes an authentication call to an LDAP server using a single request with the parameters "username" and "password".

NTLM

The NTLM method makes an HTTP authentication call to a Microsoft or Samba server using a single request with the parameters "username" and "password".

RADIUS

This method is actually a range of different authentication methods that use the RADIUS protocol. The methods include the ones listed below and any other general or custom RADIUS methods. A request is initiated with the parameters "username" and "password". Depending on the method flow, a challenge may be generated containing all required parameters for the next request; several request-challenge-response rounds may be issued. For example, PortWise Challenge uses the following flow of events:
  1. Client calls authenticate with parameter "username" and an empty "password".
  2. Server returns a ChallengeException containing a subject with the parameters in the credential set.
  3. Client presents the challenge to the user who creates the OTP.
  4. Client calls authenticate again with parameter "username", "password" (set to the OTP) and all previously returned principals.
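
The four steps above as a runnable sketch, added here as an illustration and not taken from the product's own API or code. MockServer, the "challenge" and "state" principals, the HMAC-based OTP and the MAX_ROUNDS cap are assumptions made for the example; the point shown is that principals returned with a value are echoed back unaltered, and that a null result is treated as incorrect parameters.

```python
# Added example: stand-in server and client for the PortWise Challenge flow.
# Only authenticate, ChallengeException, "username" and "password" come from
# the page; MockServer, "challenge", "state" and MAX_ROUNDS are hypothetical.
import hashlib
import hmac

MAX_ROUNDS = 3  # assumed client-side cap on request-challenge rounds


class ChallengeException(Exception):
    """Carries the principals (parameters) required in the next request."""
    def __init__(self, principals):
        super().__init__("challenge issued")
        self.principals = principals


class MockServer:
    """Constructed stand-in: issues one challenge, then checks the OTP."""
    CHALLENGE, STATE = "483920", "s-0001"  # constructed sample values

    def __init__(self, secret):
        self.secret = secret

    def expected_otp(self, challenge):
        mac = hmac.new(self.secret, challenge.encode(), hashlib.sha256)
        return mac.hexdigest()[:6]

    def authenticate(self, params):
        if not params.get("password"):  # step 2: answer with a challenge
            raise ChallengeException({"username": params["username"],
                                      "password": None,  # client must fill in
                                      "challenge": self.CHALLENGE,
                                      "state": self.STATE})
        if (params.get("state"), params.get("challenge")) != (self.STATE, self.CHALLENGE):
            return None  # pass-through principals were altered or dropped
        good = hmac.compare_digest(params["password"], self.expected_otp(self.CHALLENGE))
        return {"username": params["username"]} if good else None


def login(server, username, ask_user):
    params = {"username": username, "password": ""}  # step 1
    for _ in range(MAX_ROUNDS):
        try:
            return server.authenticate(params)  # None models "null values"
        except ChallengeException as exc:
            # Principals that carry a value are echoed back unaltered.
            echoed = {k: v for k, v in exc.principals.items() if v is not None}
            otp = ask_user(echoed["challenge"])  # step 3: user creates the OTP
            params = {**echoed, "password": otp}  # step 4
    return None  # still being challenged after MAX_ROUNDS: give up
```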


Copyright © 1999-2023, Technology Nexus Secured Business Solutions AB. All rights reserved.