Version: 7.2402.x.x RR

IdmOTPState

The IdmOTPState is an authenticating AuthState. This plug-in authenticates a user with a one-time password. It can be used for authentication with OATH credentials, Vasco Digipass tokens (in challenge/response or response-only mode) and OTP card credentials.

The IdmOTPState replaces the IdmChallengeResponseState, IdmResponseOnlyState and IdmOTPCardState, which have been deprecated.

Note that the AuthState has to be configured as final "false".

Class: ch.nevis.idm.authstate.IdmOTPState
Logging: IdmAuth
Marker: NevisIDM: one-time password
Properties:
  • client.name (defined in the chapter "Default input properties") Note that for challenge/response authentication (like OTP card), the client name has to be set in a previous auth state because it is required for generating the challenge.
  • user.loginId (defined in the chapter "Default input properties") The source of the user's login ID. Either the source of the login ID or the source of the external ID has to be defined. If the nevisIDM config parameter application.feature.emaillogin.enabled is set to true, the user can also use their unique e-mail address to log in; the state transparently detects whether the user entered a login ID or an e-mail address.
    Note that for challenge/response authentication (like OTP card), the login ID of the user has to be set in a previous auth state because it is required for generating the challenge.
  • user.loginType (AUTO / EMAIL / LOGINID, default AUTO) This property specifies which information the user has to enter on the login view.
    • EMAIL: The user has to enter the e-mail address, and nevisIDM searches the user by this e-mail address.
    • LOGINID: The user has to enter the login ID, and nevisIDM searches the user by this login ID.
    • AUTO (default): The user can use either the login ID or the e-mail address at login, and nevisIDM detects automatically which of them the user entered. Note that login with an e-mail address only works if application.feature.emaillogin.enabled has been set to true within nevisIDM.
      Note that if user.loginType is "AUTO" and the user's login ID looks like an e-mail address, nevisIDM will perform a "search user by e-mail address".
  • credential.type (String, required) The type of credential used for this state. The following types are supported: OATH, OTP and VASCO.
  • credential.label (String, optional) For OATH authentication, this parameter selects the OATH credential the user is authenticated with. If it is not set, the OATH credential with the label "Default" is used. The label is a technical property and should not be exposed to the user.
  • updateUserInfoOnSuccess (boolean, default true, optional) Determines whether the user login info is updated after a successful login. The parameter has no effect on failed logins: after a failed login, the user login info is always updated. It also does not affect the credential login info, which is always updated.
  • challengeRequired (boolean, default true, optional) Determines whether a challenge is fetched for credential types that can work in both challenge/response and response-only mode, such as Vasco credentials. If set to false, no challenge is fetched from nevisIDM. The parameter is only supported for credential types that can work in both modes; for all other credential types, the type itself determines whether a challenge is needed, and the parameter is ignored.
Methods: process (all events)
Input: response (caller, required) The OTP that was generated.
Transitions:
  • ok: The response was correct; the user is now authenticated.
  • showGui: The initialization of the AuthState and, if required, fetching the challenge from nevisIDM were successful. The dialog for typing the response is displayed. The GUI is not shown if the property challengeRequired is set to "false" and the response is already present in the input (for example, because a previous step/state already added it).
  • noChallenge: The challenge could not be fetched from nevisIDM. This can happen if the credential or the user is inactive, or due to technical errors.
  • failed: The authentication failed. More information can be found in the error attributes of the response and in the log.
  • tmpLocked: The credential is temporarily locked due to failed authentication.
  • lockWarn: The credential will be permanently locked if the next authentication fails.
  • nowLocked: The credential just got permanently locked.
  • locked: The credential is already locked.
  • noCredential: The user does not have a credential of the specified type in nevisIDM. Use this transition to fall back to another (strong) authentication mechanism.
  • clientNotFound: No client was provided, or no client was found with the provided name or extId.
Output:
  • challenge: To verify the response, the challenge is also temporarily stored in the local authentication session under ch.adnovum.nevisidm.auth.otp.challenge.
Errors
  • 1: client not found
  • 1: authentication failed
  • 1: user non-existent or deleted
  • 3: will lock on next failure
  • 4: new password rejected
  • 6: need password change
  • 8: credential is permanently locked
  • 8: credential is temporarily locked
  • 8: just locked
  • 8: temp locked
  • 11: no credential found
  • 83: no challenge retrieved
  • 83: no challenge found
  • 98: account/credential deleted or non-existent
  • 98: credential or password is not yet active
  • 98: credential has expired
  • 98: user disabled, archived, not valid anymore, or not yet valid.
  • 99: unknown UserState code
  • 99: CredentialState code is null.
  • 99: unknown CredentialState code
  • 99: unknown CredentialCheckStatus code

Example

<AuthState name="OATHLogin" class="ch.nevis.idm.authstate.IdmOTPState"
           final="false">
  <ResultCond name="ok" next="NextState"/>
  <ResultCond name="showGui" next="OATHLogin"/>
  <ResultCond name="failed" next="OATHLogin"/>
  <ResultCond name="tmpLocked" next="ErrorState"/>
  <ResultCond name="lockWarn" next="OATHLogin"/>
  <ResultCond name="nowLocked" next="ErrorState"/>
  <ResultCond name="locked" next="ErrorState"/>
  <ResultCond name="noCredential" next="ErrorState"/>
  <ResultCond name="clientNotFound" next="ErrorState"/>
  <ResultCond name="default" next="ErrorState"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="OATHLoginDialog" label="OATH login">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}"
               value="${notes:lasterror}"/>
      <GuiElem name="client" type="text" label="client.label"
               value="${notes:client}"/>
      <GuiElem name="isiwebuserid" type="text" label="Login ID"
               value="${notes:loginid}"/>
      <GuiElem name="credlabel" type="text" label="Label" optional="true"/>
      <GuiElem name="response" type="text" label="Token"/>
      <GuiElem name="submit" type="submit" label="Login"/>
    </Gui>
  </Response>
  <propertyRef name="IdmCertificateLogin"/>
  <property name="credential.type" value="OATH"/>
  <property name="credential.label" value="${inargs:credlabel}"/>
  <property name="updateUserInfoOnSuccess" value="true"/>
</AuthState>

<AuthState name="OTPCardLogin" class="ch.nevis.idm.authstate.IdmOTPState"
           final="false">
  <ResultCond name="ok" next="NextState"/>
  <ResultCond name="showGui" next="OTPCardLogin"/>
  <ResultCond name="failed" next="OTPCardLogin"/>
  <ResultCond name="tmpLocked" next="ErrorState"/>
  <ResultCond name="lockWarn" next="OTPCardLogin"/>
  <ResultCond name="nowLocked" next="ErrorState"/>
  <ResultCond name="locked" next="ErrorState"/>
  <ResultCond name="noCredential" next="ErrorState"/>
  <ResultCond name="clientNotFound" next="ErrorState"/>
  <ResultCond name="noChallenge" next="ErrorState"/>
  <ResultCond name="default" next="ErrorState"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="OTPCardLoginDialog" label="OTP Card login">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}"
               value="${notes:lasterror}"/>
      <GuiElem name="challenge" type="info"
               label="Challenge: ${sess:ch.adnovum.nevisidm.auth.otp.challenge}"/>
      <GuiElem name="response" type="text" label="Token"/>
      <GuiElem name="submit" type="submit" label="Login"/>
    </Gui>
  </Response>
  <propertyRef name="IdmCertificateLogin"/>
  <property name="credential.type" value="OTP"/>
  <property name="updateUserInfoOnSuccess" value="true"/>
</AuthState>
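The two examples above cover OATH (no challenge) and OTP card (challenge fetched from nevisIDM and shown to the user). The third case described under the challengeRequired property, a Vasco credential used in response-only mode, is not shown, so here is an added example for it. It is not part of the original page and not Nevis' own code: the property set name IdmVascoLogin and the state names NextState and ErrorState are placeholders, and the shared input properties (client.name, user.loginId) are assumed to live in that property set, as the IdmCertificateLogin reference does above. Note also that the OATH example lets the caller pick credential.label through the optional credlabel form field, which exposes the label to the user although the property description says it should stay internal; the example below sets every credential property to a fixed value instead.

```xml
<!-- Added example (not from the original page): Vasco token in
     response-only mode. IdmVascoLogin, NextState and ErrorState
     are placeholder names. -->
<AuthState name="VascoResponseOnlyLogin" class="ch.nevis.idm.authstate.IdmOTPState"
           final="false">
  <ResultCond name="ok" next="NextState"/>
  <ResultCond name="showGui" next="VascoResponseOnlyLogin"/>
  <ResultCond name="failed" next="VascoResponseOnlyLogin"/>
  <ResultCond name="tmpLocked" next="ErrorState"/>
  <ResultCond name="lockWarn" next="VascoResponseOnlyLogin"/>
  <ResultCond name="nowLocked" next="ErrorState"/>
  <ResultCond name="locked" next="ErrorState"/>
  <ResultCond name="noCredential" next="ErrorState"/>
  <ResultCond name="clientNotFound" next="ErrorState"/>
  <!-- noChallenge cannot occur when no challenge is fetched; "default"
       still catches any unexpected transition. -->
  <ResultCond name="default" next="ErrorState"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="VascoLoginDialog" label="Vasco login">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}"
               value="${notes:lasterror}"/>
      <GuiElem name="isiwebuserid" type="text" label="Login ID"
               value="${notes:loginid}"/>
      <!-- No challenge element: the token computes the response on its own. -->
      <GuiElem name="response" type="text" label="Token"/>
      <GuiElem name="submit" type="submit" label="Login"/>
    </Gui>
  </Response>
  <!-- Assumed property set providing client.name and user.loginId. -->
  <propertyRef name="IdmVascoLogin"/>
  <property name="credential.type" value="VASCO"/>
  <!-- Response-only: no challenge is fetched from nevisIDM. -->
  <property name="challengeRequired" value="false"/>
  <!-- Require a login ID rather than auto-detecting an e-mail address. -->
  <property name="user.loginType" value="LOGINID"/>
  <property name="updateUserInfoOnSuccess" value="true"/>
</AuthState>
```

Because challengeRequired is false, the state skips showGui whenever a response is already present in the input, so the same state can be placed behind a previous state that collects the token in its own dialog; the token is then verified without a second round trip to the browser. Switching the property to true for the same credential type turns the state into the challenge/response variant, in which case the noChallenge transition and a challenge GUI element, as in the OTP card example, are needed again.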