

Verifying the Authentication Tokens

The AuthMinder Authentication Web service returns an appropriate token to the end user after they authenticate successfully. The token is then presented to AuthMinder Server, indicating that the user is authenticated and can be given access to the protected resources.

By using the Authentication Web service, you can specify whether a token is returned after authentication and, if so, which type of token. The tokenType element specifies the return token type and supports the following types of tokens:

AuthMinder Server can verify only the Native and One-Time tokens that are issued to users. The authentication token must be verified when you use it for Single Sign-On, where you authenticate the user once and then allow them to access multiple resources with the same authentication token.

This section walks you through the following topics for verifying authentication tokens:

Preparing the Request Message

The VerifyAuthTokenRequestMessage is used to verify the authentication token returned by AuthMinder Server. The following table lists the elements of this message.

| Element | Mandatory | Description |
|---|---|---|
| clientTxnId | No | Specifies the unique transaction identifier that the calling application can include. This identifier helps in tracking the related transactions. |
| token | No | The authentication token that is returned to the user after successful authentication. |
| additionalInput/pairs | No | AuthMinder's additionalInput element enables you to set additional inputs if you want to augment AuthMinder's authentication capability by specifying additional information. In such cases, you set the extra information as name-value pairs, each with the sub-elements described below. |

Each pair in additionalInput consists of:

  • name (The name of the name-value pair you want to create.)
  • value (The corresponding value for name.)

    Note: You can add more than one of these elements.

Some of the pre-defined additional input parameters include:

  • AR_WF_LOCALE_ID
    Specifies the locale that AuthMinder uses when returning messages to your calling application.
  • AR_WF_CALLER_ID
    This is useful in tracking transactions. You can use the session ID or the client transaction ID (clientTxnId) to specify this information.

Invoking the Web Service

To verify whether a token is valid:

  1. (Optional) Include the authentication and authorization details in the SOAP header or in the additionalInput element of the VerifyAuthToken operation. See the chapter "Managing Web Services Security" for more information on these details.
  2. (Optional) If you are implementing a plug-in, then invoke the additionalInput element type to fill in the additional input.
  3. Use VerifyAuthTokenRequestMessage to construct the input message.
  4. Invoke the VerifyAuthToken operation of the ArcotWebFortAuthSvc service to verify the user's token.

    This operation returns VerifyAuthTokenResponseMessage, which provides the credential and transaction details.

Interpreting the Response Message

For successful transactions, the response message VerifyAuthTokenResponseMessage returns the elements explained in the following table. These elements are included in the SOAP body. If there are any errors, the Fault response is included in the SOAP body instead. See the appendix "Error Codes" for more information on the SOAP error messages.

| Element | Description |
|---|---|
| userName | The name of the user to whom the authentication token belongs. |
| orgName | The organization to which the user belongs. |
| transactionDetails | Contains the transaction details listed below. |

The transactionDetails element contains the following:

  • message
    A string that defines the status of the operation.
  • reasoncode
    Unique code that is sent by AuthMinder Server if the operation fails.
  • responseCode
    Unique code that is sent by AuthMinder Server if the operation fails.
  • transactionID
    Unique identifier of the transaction.
  • additionalOutput
    The output for the additionalInput that was passed to AuthMinder Server.
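The following Python is an added example, not code from the AuthMinder documentation or product: it builds the VerifyAuthTokenRequestMessage described under "Preparing the Request Message" (token, clientTxnId and additionalInput name/value pairs) and interprets a VerifyAuthTokenResponseMessage or SOAP Fault as described above. The message namespace AM_NS is a placeholder that must be replaced with the namespace from the ArcotWebFortAuthSvc WSDL, and the sample response is constructed, not captured from a server.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # standard SOAP 1.1 envelope namespace
# Assumption: placeholder message namespace; take the real one from the ArcotWebFortAuthSvc WSDL.
AM_NS = "urn:placeholder:authminder-message-namespace"

def build_verify_auth_token_request(token, client_txn_id=None, additional_input=None):
    """Build a SOAP envelope carrying VerifyAuthTokenRequestMessage (elements as documented)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    msg = ET.SubElement(body, f"{{{AM_NS}}}VerifyAuthTokenRequestMessage")
    if client_txn_id:  # optional, used to correlate related transactions
        ET.SubElement(msg, f"{{{AM_NS}}}clientTxnId").text = client_txn_id
    ET.SubElement(msg, f"{{{AM_NS}}}token").text = token
    if additional_input:  # e.g. AR_WF_LOCALE_ID, AR_WF_CALLER_ID as name/value pairs
        extra = ET.SubElement(msg, f"{{{AM_NS}}}additionalInput")
        for name, value in additional_input.items():
            pair = ET.SubElement(extra, f"{{{AM_NS}}}pairs")
            ET.SubElement(pair, f"{{{AM_NS}}}name").text = name
            ET.SubElement(pair, f"{{{AM_NS}}}value").text = value
    return ET.tostring(env, encoding="unicode")

def interpret_verify_auth_token_response(xml_text):
    """Return (ok, details); ok is True only for a Fault-free response carrying userName and orgName."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return False, {"fault": "missing SOAP Body"}
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:  # error case: the Fault replaces the response message
        return False, {"fault": (fault.findtext("faultstring") or "").strip()}
    resp = body.find(f"{{{AM_NS}}}VerifyAuthTokenResponseMessage")
    if resp is None:
        return False, {"fault": "missing VerifyAuthTokenResponseMessage"}
    td = f"{{{AM_NS}}}transactionDetails/"
    details = {
        "userName": resp.findtext(f"{{{AM_NS}}}userName"),
        "orgName": resp.findtext(f"{{{AM_NS}}}orgName"),
        "transactionID": resp.findtext(td + f"{{{AM_NS}}}transactionID"),
        "responseCode": resp.findtext(td + f"{{{AM_NS}}}responseCode"),
    }
    return bool(details["userName"] and details["orgName"]), details

# Constructed sample response (not captured from a real AuthMinder Server) for an offline dry run.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<VerifyAuthTokenResponseMessage xmlns="{AM_NS}"><userName>jdoe</userName><orgName>ACME</orgName>
<transactionDetails><message>Success</message><transactionID>TXN-1001</transactionID></transactionDetails>
</VerifyAuthTokenResponseMessage></soap:Body></soap:Envelope>"""
```

The calling application should grant access to a protected resource only when the returned ok flag is True; a Fault or a response without userName and orgName is treated as not authenticated.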