

Partial Password Authentication

AuthMinder supports partial password authentication. If you enable this feature, the user is not asked for the whole password; instead, the user is challenged to enter the characters at a few positions of the password chosen by AuthMinder Server. For example, if the password is casablanca!, the user can be asked to enter the characters at positions 1, 3, and 8, which are c, s, and n (csn). Because the challenged positions are selected by the server and identified by a challengeID, the verification request must carry that challengeID along with the characters the user entered.

The following topics for performing partial password authentication are covered in this section: Preparing Request Messages, Invoking the Web Service, and Interpreting Response Messages.

Preparing Request Messages

For partial password authentication, you must prepare two request messages: GetPasswordChallengeRequestMessage, which fetches the challenge (the positions to answer), and VerifyPasswordRequestMessage, which submits the user's answer for verification.

Fetching Challenge

The GetPasswordChallengeRequestMessage is used to fetch the password challenge for the user from AuthMinder Server. The following table lists the elements of this message.

Element (Mandatory) and Description

clientTxnId (No)
    A unique transaction identifier that the calling application can include. This identifier helps in tracking related transactions.

userName (Yes)
    The unique identifier of the user.

orgName (No)
    The name of the organization to which the user belongs.

additionalInput/pairs (No)
    The additionalInput element lets you pass extra information to AuthMinder, for example to augment its authentication logic through a plug-in. The extra information is set as name-value pairs, each consisting of:

  • name (the key of the name-value pair)
  • value (the value associated with that name)

    Note: You can add more than one pairs element.

Some of the pre-defined additional input parameters include:

  • AR_WF_LOCALE_ID
    Specifies the locale that AuthMinder uses for the messages it returns to your calling application.
  • AR_WF_CALLER_ID
    Useful for tracking transactions. You can use the session ID or the client transaction ID (clientTxnId) as the value.

Verifying Password

The VerifyPasswordRequestMessage is used to verify the password characters provided by the user in response to the challenge. The following table lists the elements of this message.

Element (Mandatory) and Description

clientTxnId (No)
    A unique transaction identifier that the calling application can include. This identifier helps in tracking related transactions.

userName (Yes)
    The unique identifier of the user.

orgName (No)
    The name of the organization to which the user belongs.

password (Yes)
    The characters provided by the user. For partial password authentication this is only the characters at the challenged positions, in the order of the positions, not the complete password.

tokenType (No)
    The type of authentication token that is expected from AuthMinder Server after successful authentication. See "Verifying the Authentication Tokens" for more information.

challengeID (No)
    The unique identifier of the challenge returned by AuthMinder Server in GetPasswordChallengeResponseMessage.

    Note: Although optional in the schema, the challengeID is required for partial password verification. It ties the submitted characters to the positions that AuthMinder Server actually challenged; without it the server cannot know which positions the characters correspond to.

additionalInput/pairs (No)
    The additionalInput element lets you pass extra information to AuthMinder, for example to augment its authentication logic through a plug-in. The extra information is set as name-value pairs, each consisting of:

  • name (the key of the name-value pair)
  • value (the value associated with that name)

    Note: You can add more than one pairs element.

Some of the pre-defined additional input parameters include:

  • AR_WF_LOCALE_ID
    Specifies the locale that AuthMinder uses for the messages it returns to your calling application.
  • AR_WF_CALLER_ID
    Useful for tracking transactions. You can use the session ID or the client transaction ID (clientTxnId) as the value.

Invoking the Web Service

To perform partial password authentication:

  1. (Optional) Include the authentication and authorization details in the SOAP header or in the additionalInput element of the GetPasswordChallenge operation. See the chapter "Managing Web Services Security" for more information on these details.
  2. (Optional) If you are implementing a plug-in, populate the additionalInput element with the name-value pairs the plug-in expects.
  3. Construct the input message using GetPasswordChallengeRequestMessage.
  4. Invoke the GetPasswordChallenge operation of the ArcotWebFortAuthSvc service to obtain the challenge from AuthMinder Server. The response contains the password positions that the user has to answer and the challengeID that identifies this challenge.
  5. Implement the logic to present the challenged positions to the user and to collect only the characters at those positions. The complete password is never entered or transmitted in this flow.
  6. (Optional) Include the authentication and authorization details in the SOAP header or in the additionalInput element of the VerifyPassword operation. See the chapter "Managing Web Services Security" for more information on these details.
  7. (Optional) If you are implementing a plug-in, populate the additionalInput element with the name-value pairs the plug-in expects.
  8. Construct the input message using VerifyPasswordRequestMessage. Set password to the characters the user entered and challengeID to the value returned in step 4.
  9. Invoke the VerifyPassword operation of the ArcotWebFortAuthSvc service to verify the characters provided by the user. Optionally, you can also specify the token type that must be returned after successful authentication by using the tokenType element.

    This operation returns VerifyPasswordResponseMessage, which provides the transaction details, credential details, and token information.

Interpreting Response Messages

Following are the response messages that are returned as part of partial password authentication:

Fetch Password Challenge Response Message

For successful transactions, the response message GetPasswordChallengeResponseMessage returns the elements explained in the following table. These elements are included in the SOAP body. If there are any errors, a Fault response is included in the SOAP body instead. See the appendix "Error Codes" for more information on the SOAP error messages.

Element and Description

positions
    The password positions for which the user has to provide the password characters. Positions are counted from 1 at the start of the password.

challengeID
    The unique identifier of the challenge returned by AuthMinder Server. Pass this value back in the challengeID element of VerifyPasswordRequestMessage.

transactionDetails
    Contains the following transaction details:

  • message
    A string that describes the status of the operation.
  • reasoncode
    Unique code that is sent by AuthMinder Server if the operation fails.
  • responseCode
    Unique code that is sent by AuthMinder Server if the operation fails.
  • transactionID
    Unique identifier of the transaction.
  • additionalOutput
    The output corresponding to the additionalInput that was passed to AuthMinder Server.
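The following Python module walks through steps 3 to 8 of the procedure above and the response parsing described in this section: it builds GetPasswordChallengeRequestMessage, extracts positions and challengeID from the challenge response, derives the characters the user has to type (using the page's casablanca! example in place of a real user), builds VerifyPasswordRequestMessage with those characters and the challengeID, and reads transactionDetails back out of a response. It is an added example, not code from CA or the AuthMinder SDK. The element names are the ones documented on this page; the service namespace URI (WF_NS), the wire encoding of positions (repeated elements or one comma-separated list, both accepted), and the two sample responses are assumptions constructed for the example, and the HTTP transport to the ArcotWebFortAuthSvc endpoint is not shown.

```python
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumed service namespace; take the real targetNamespace from your ArcotWebFortAuthSvc WSDL.
WF_NS = "http://example.invalid/ArcotWebFortAuthSvc"

def _local(tag):  # '{ns}positions' -> 'positions', so parsing does not depend on WF_NS
    return tag.rsplit("}", 1)[-1]

def _find(elem, name):
    return next((e for e in elem.iter() if _local(e.tag) == name), None)

def _envelope(body_child):
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")  # WS-Security header goes here if used
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(body_child)
    return ET.tostring(env, encoding="unicode")

def _add_pairs(msg, pairs):
    """additionalInput/pairs: repeated name/value pairs such as AR_WF_LOCALE_ID."""
    if pairs:
        ai = ET.SubElement(msg, "additionalInput")
        for name, value in pairs.items():
            p = ET.SubElement(ai, "pairs")
            ET.SubElement(p, "name").text = name
            ET.SubElement(p, "value").text = value

def _common(msg, user_name, org_name, client_txn_id):
    if client_txn_id:
        ET.SubElement(msg, "clientTxnId").text = client_txn_id
    ET.SubElement(msg, "userName").text = user_name  # mandatory in both messages
    if org_name:
        ET.SubElement(msg, "orgName").text = org_name

def build_get_password_challenge(user_name, org_name=None, client_txn_id=None, pairs=None):
    msg = ET.Element(f"{{{WF_NS}}}GetPasswordChallengeRequestMessage")
    _common(msg, user_name, org_name, client_txn_id)
    _add_pairs(msg, pairs)
    return _envelope(msg)

def parse_password_challenge(xml_text):
    """(positions, challengeID) from GetPasswordChallengeResponseMessage; RuntimeError on
    a SOAP Fault. Assumed wire form: repeated <positions> elements or one comma list."""
    root = ET.fromstring(xml_text)
    fault = _find(root, "Fault")
    if fault is not None:
        fs = _find(fault, "faultstring")
        raise RuntimeError("SOAP Fault: " + (fs.text if fs is not None and fs.text else "?"))
    positions = [int(p) for e in root.iter() if _local(e.tag) == "positions" and e.text
                 for p in e.text.replace(",", " ").split()]
    cid = _find(root, "challengeID")
    if not positions or cid is None or not cid.text:
        raise ValueError("challenge response lacks positions or challengeID")
    return positions, cid.text

def characters_at_positions(full_password, positions):
    """What the user types: characters at the 1-based challenged positions. Only these,
    never the full password, are sent in VerifyPassword."""
    if any(p < 1 or p > len(full_password) for p in positions):
        raise ValueError("challenged position outside the password length")
    return "".join(full_password[p - 1] for p in positions)

def build_verify_password(user_name, partial_password, challenge_id, org_name=None,
                          client_txn_id=None, token_type=None, pairs=None):
    # challengeID is mandatory for partial verification: it binds the submitted
    # characters to the positions AuthMinder Server actually challenged.
    if not challenge_id:
        raise ValueError("challengeID is required for partial password verification")
    msg = ET.Element(f"{{{WF_NS}}}VerifyPasswordRequestMessage")
    _common(msg, user_name, org_name, client_txn_id)
    ET.SubElement(msg, "password").text = partial_password
    if token_type:
        ET.SubElement(msg, "tokenType").text = token_type
    ET.SubElement(msg, "challengeID").text = challenge_id
    _add_pairs(msg, pairs)
    return _envelope(msg)

def parse_transaction_details(xml_text):
    """transactionDetails (message, reasoncode, responseCode, transactionID) as a dict."""
    root = ET.fromstring(xml_text)
    if _find(root, "Fault") is not None:
        raise RuntimeError("SOAP Fault")
    td = _find(root, "transactionDetails")
    if td is None:
        raise ValueError("response lacks transactionDetails")
    return {_local(c.tag): (c.text or "") for c in td if _local(c.tag) != "additionalOutput"}

# Constructed sample responses, not captured from a real AuthMinder Server.
SAMPLE_CHALLENGE_RESPONSE = f"""<S:Envelope xmlns:S="{SOAP_NS}"><S:Body>
<GetPasswordChallengeResponseMessage xmlns="{WF_NS}">
<positions>1</positions><positions>3</positions><positions>8</positions>
<challengeID>CH-0001</challengeID>
<transactionDetails><message>Success</message><responseCode>0</responseCode>
<transactionID>TX-42</transactionID></transactionDetails>
</GetPasswordChallengeResponseMessage></S:Body></S:Envelope>"""
SAMPLE_FAULT = f"""<S:Envelope xmlns:S="{SOAP_NS}"><S:Body><S:Fault>
<faultcode>S:Client</faultcode><faultstring>user not found</faultstring>
</S:Fault></S:Body></S:Envelope>"""

def demo(full_password="casablanca!"):
    """Steps 3-8 of the procedure; full_password stands in for the user's memory only."""
    build_get_password_challenge("jdoe", "ACME", "c-1", {"AR_WF_LOCALE_ID": "en-US"})
    positions, cid = parse_password_challenge(SAMPLE_CHALLENGE_RESPONSE)
    typed = characters_at_positions(full_password, positions)
    return positions, cid, typed, build_verify_password("jdoe", typed, cid, "ACME", "c-1")
```

Two design points are worth keeping when adapting this to a real client: the verify request carries only the challenged characters plus the challengeID, so the calling application never needs to handle the complete password, and both parsers treat a SOAP Fault as a hard failure rather than a response with missing fields, which is the failure mode the "Error Codes" appendix covers.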

Verify Password Response Message

For successful transactions, the response message VerifyPasswordResponseMessage returns the elements explained under "Verify Signed Challenge Response Message" in "Step 2: ArcotID PKI Authentication". These elements are included in the SOAP body. If there are any errors, a Fault response is included in the SOAP body instead. See the appendix "Error Codes" for more information on the SOAP error messages.