Previous Topic: One-Time Password AuthenticationNext Topic: OATH One-Time Password Synchronization

CA Strong Authentication Web Services GuideAuthenticating UsersOATH One-Time Password Authentication

OATH One-Time Password Authentication

The following topics for performing OATH-based OTP authentication are covered in this section:

Preparing the Request Message

The VerifyOATHOTPRequestMessage is used to verify the OATH OTP provided by the users. The following table lists the elements of this message.

Element

Mandatory

Description

clientTxnId

No

Specifies the unique transaction identifier that the calling application can include. This identifier helps in tracking the related transactions.

userName

Yes

The unique identifier of the user.

orgName

No

The organization name to which the user belongs to.

otp

Yes

The OATH OTP provided by the user.

tokenType

No

The type of authentication token that is expected from AuthMinder Server after successful authentication. See "Verifying the Authentication Tokens" for more information.

additionalInput/pairs

No

AuthMinder’s additionalInput element enables you to set additional inputs if you want to augment AuthMinder’s authentication capability by specifying additional information. In such cases, you need to set the extra information in name-value pairs.

  • name (The name with which you want to create the key pair.)
  • value (The corresponding value for name.)

    Note: You can add more than one of these elements.

Some of the pre-defined additional input parameters include:

  • AR_WF_LOCALE_ID
    Specifies the locale that AuthMinder will use while returning the messages back to your calling application.
  • AR_WF_CALLER_ID
    This is useful in tracking transactions. You can use session ID or client transaction ID (clientTxnId) for specifying this information.

Invoking the Web Service

To authenticate the OTPs that are OATH compliant:

  1. Implement the logic to collect the OATH OTP from the user.
  2. (Optional) Include the authentication and authorization details in the SOAP header or in the additionalInput element of the VerifyOATHOTP operation. See chapter, "Managing Web Services Security" for more information on these details.
  3. (Optional) If you are implementing a plug-in, then invoke the additionalInput element type to fill the additional input.
  4. Use VerifyOATHOTPRequestMessage and construct the input message.
  5. Invoke the VerifyOATHOTP operation of the ArcotWebFortAuthSvc service to verify the OATH OTP of the user. Optionally, you can also specify the token type that must be returned to the user after successful authentication by using the tokenType element.

    This operation returns VerifyOATHOTPResponseMessage, which provides the transaction details, credential details, and token information.

Interpreting the Response Message

For successful transactions, the response message, VerifyOATHOTPResponseMessage returns the elements explained in Verify Signed Challenge Response Message in Step 2: ArcotID PKI Authentication. These elements are included in the SOAP body. If there are any errors, then the Fault response is included in the SOAP body. See appendix, "Error Codes" for more information on the SOAP error messages.