Auth markers
A nevisAuth session contains information about the operations performed to authenticate and authorize the user. This information takes the form of a sequence of auth markers. An auth marker represents a successfully completed operation relevant for the authentication and authorization process.
An auth marker has the following form:
<technology>:<type>(<user identification>)
technology: A short text that indicates the technology used in the operation. Examples: "Kerberos", "X509", "LDAP".
type: The classification of the authentication or authorization type. These values are available:
- username/password: The user was authenticated by validating the username and password they entered.
- token: The user was authenticated by validating proof of possession of a token (e.g., an X509 certificate or an RSA SecurID) or a token was issued to allow the client to access protected resources (e.g., OAuth2 access token).
- challenge/response: The user was authenticated by a challenge/response process such as CAPTCHA or TAN.
- one-time password: The user was authenticated by a one-time password procedure such as a scratch list.
- federation: Either the user's identity was internalized by a federation service provider (SP), such as a SAML or WS-Federation SP, or an assertion assuring the user's identity was issued by a federation identity provider (IdP), for example an OpenID Connect ID token issued by an OpenID Connect TokenEndpoint or a SAML assertion issued by a SAML IdP.
- extern: The user was authenticated by a trusted external service (such as a WS-Trust STS or a generic RADIUS service) with an unspecified method.
user identification: The user identification that was established in the operation.
This is an example of an auth marker: LDAP:username/password(uid=xxx,ou=people,o=siven,c=ch)
To access and inspect all available auth markers in your system, use the variable ${request:authMarkers}.
Each auth marker in a session belongs to an AuthState. For the correct notation of the auth marker per AuthState (that is, the correct combination of technology and type), see the descriptions of the AuthStates in Authentication Plug-ins (AuthStates).
The Nevis product nevisIDM makes use of AuthStates, as well. These AuthStates can also be part of the authentication and authorization process. As such, they also generate auth markers after a successfully completed operation. For information about the auth markers per nevisIDM AuthState, see the nevisIDM reference guide.
Auth markers are used for auditing, e.g., to trace the route of the user through the various AuthStates during the authentication process. Therefore, the system stores auth markers as audit data. An audit log file can contain all auth markers belonging to a certain authentication process in the form of a trail. For more information about the auditing of auth markers and trails, see Auditing.
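The following added example (not nevisAuth's own code) shows how a small audit helper can parse individual auth marker strings in the <technology>:<type>(<user identification>) form described above, reject unknown types, and check a session's marker trail against a policy. The sample trail and the "SecurID" technology tag are constructed for the example; the page does not define how ${request:authMarkers} serializes several markers, so the helper takes them as a list of strings.

```python
import re
from dataclasses import dataclass

# Marker types listed in the nevisAuth auth marker documentation.
MARKER_TYPES = frozenset({
    "username/password", "token", "challenge/response",
    "one-time password", "federation", "extern",
})

# <technology>:<type>(<user identification>). The user identification is
# matched greedily up to the final ')' because LDAP DNs contain commas and
# may themselves contain parentheses.
_MARKER_RE = re.compile(r"^([A-Za-z0-9_.-]+):([^()]+)\((.*)\)$", re.DOTALL)


@dataclass(frozen=True)
class AuthMarker:
    technology: str
    type: str
    user_id: str


def parse_marker(text: str) -> AuthMarker:
    """Parse one auth marker string; raise ValueError if it is malformed
    or uses a type that is not one of the documented values."""
    m = _MARKER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an auth marker: {text!r}")
    technology, mtype, user_id = m.group(1), m.group(2).strip(), m.group(3)
    if mtype not in MARKER_TYPES:
        raise ValueError(f"unknown auth marker type {mtype!r} in {text!r}")
    return AuthMarker(technology, mtype, user_id)


def audit_trail(markers):
    """Summarize a session's trail: the marker types in order, the distinct
    user identifications, and whether every marker names the same user."""
    parsed = [parse_marker(t) for t in markers]
    users = {p.user_id for p in parsed}
    return {
        "types": [p.type for p in parsed],
        "users": users,
        "consistent_user": len(users) <= 1,
    }


def trail_satisfies(markers, required_types) -> bool:
    """True if the trail is user-consistent and contains every required type."""
    summary = audit_trail(markers)
    return summary["consistent_user"] and set(required_types) <= set(summary["types"])


# Constructed sample trail (not real audit data): a password login followed
# by a token check for the same LDAP user. "SecurID" as a technology tag is
# an assumption for this example.
SAMPLE_TRAIL = [
    "LDAP:username/password(uid=xxx,ou=people,o=siven,c=ch)",
    "SecurID:token(uid=xxx,ou=people,o=siven,c=ch)",
]
```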