Authenticate User Challenge
POST /api/web/v1/authentication/users/authenticate/:authenticator/complete
Request
Path Parameters
authenticator (the :authenticator segment of the path). Possible values: [MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE]
Header Parameters
- application/json
Body
required
Unique identifier of Identity as a Service Authentication API application.
Client provided information about the application that will be included in the authentication audits if provided.
Cancel Identity as a Service authentication to the application
The certificate with public key to verify signature.
Provided client IP address.
If set to true, enhanced session protection is enabled for the auth token. An HTTP cookie named INTELLITRUST_SESSION_ID is returned with the response and must be returned in all subsequent requests using the auth token.
For Face Biometric authentication, the workflow run id to check.
fidoResponse
object
The values returned from a FIDO token when performing an authentication.
Authenticator Data returned from the token.
Data about the token used to authenticate.
The ID of the token used to authenticate.
The authentication signature generated by the token.
The UUID of the user logging in.
Setting defines if IP Address is ignored for RBA or not. Default value is false and will not ignore IP Address for RBA.
kbaChallenge
object
Knowledge-based authenticator required for authentication to Identity as a Service
userQuestions
object[]
required
The question's answer.
The UUID of the KBA question/answer.
The question.
The locale of this user. If not set, the default account locale will be used.
machineAuthenticator
object
Machine authenticator required to complete authentication challenge
The device fingerprint if it's required during Machine authentication. It will always be null when returned from IDaaS as part of the response body.
machineNonce
sequenceNonce
machineAuthenticatorRegistration
object
Register a machine authenticator for authentication to Identity as a Service
The device fingerprint. It must be a valid fingerprint as produced by Entrust SDK.
Identifies the device/machine from the end-user point of view.
mschapV1Response
object
An MSCHAPv1Response specifies the values included in an MSCHAPv1 encoded authentication response.
mschapV2Response
object
An MSCHAPv2Response specifies the values included in an MSCHAPv2 encoded authentication response.
The MSCHAPv2 identifier.
The MSCHAPv2 userId. This must be the exact same value used to calculate the MSCHAPv2 response. It will normally be the same as the userId value passed to the authentication method but allows for differences between the two values. For example, an alias may have been passed to the authentication method but the actual userid was used to calculate the MSCHAPv2 response.
New password if change requested.
A flag indicating whether offline QR code token verification is used.
API response based on Authenticator type. This is not a required field if Mobile Smart Credential, KBA, Token Push, or Smart Login authentication is being used.
Possible values: [MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE]
Authenticator type selected for second factor (if enabled).
tokenProtectedOfflineParms
object
The model used to generate the offline token.
The name sent by the client.
Flag indicating whether the number of OTPs being returned need to be optimized.
Possible values: [NONE, MINOR, MAJOR, CUSTOM]
The different levels of protection for offline tokens.
Request size (Units of hour or count).
transactionDetails
object[]
Transaction Details.
The transaction detail name.
Possible values: [RBA, TVS]
The transaction detail value.
userCertificateResponse
object
For user certificate login
User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge.
Responses
- 200
- 400
- 401
- 403
- 404
Authenticators retrieved successfully
- application/json
- Schema
- Example (from schema)
Schema
Flag to indicate if authentication has successfully completed.
Flag to indicate if the user has to attempt device certificate authentication.
Expiry time of token.
faceChallenge
object
Parameters returned to initialize a Face Biometric authenticator.
Applicant ID associated with the user.
The SDK token generated for the user.
Workflow run ID to use for the user.
fidoChallenge
object
If the authentication challenge is of type FIDO, the FIDOChallenge will contain the FIDO challenge parameters that must be passed to the FIDO token to complete authentication.
The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded.
A random challenge. It is a base-64 encoded value.
The number of seconds that the client will wait for the FIDO token to respond.
First Name.
gridChallenge
object
If the authentication challenge is of type grid, the GridChallenge object will contain the grid challenge that the end user must answer.
challenge
object[]
required
The grid challenge specifies a list of grid cells that the user must answer in their challenge.
The column within the grid starting at 0.
The row within the grid starting at 0.
gridInfo
object[]
required
The grid details.
The expiry date of the grid. Null value indicates the grid will never expire.
The serial number of the grid that can be used to answer this challenge.
The numCharsPerCell value specifies the number of characters expected in the response for each cell as defined by current settings.
The serial numbers of the grids that can be used to answer this challenge.
kbaChallenge
object
Knowledge-based authenticator required for authentication to Identity as a Service
userQuestions
object[]
required
The question's answer.
The UUID of the KBA question/answer.
The question.
Last Name.
machineAuthenticator
object
Machine authenticator required to complete authentication challenge
The device fingerprint if it's required during Machine authentication. It will always be null when returned from IDaaS as part of the response body.
machineNonce
sequenceNonce
offlineTokenResponses
object
Used to return batches of protected OTPs for a given token
This is the moving factor index for the first hashed OTP returned. In the case of time-based tokens, it represents time step, otherwise it represents the value of the counter.
The number of iterations of the hash function to be performed.
This is the policy-configured maximum number (hours or counters).
This is the max number of time steps used to validate a token.
This is the policy-configured recommended number (hours or counters).
An array of all of the OTPs returned in the batch, each with its public component of the salt.
The number of digits in the private part of the salt that the client must guess.
Flag indicating if the set of OTP hashes returned was optimized so that OTPs which have already been downloaded in prior requests, but that have not yet expired, are not sent again.
This is the token time drift in seconds. This applies only to time-based tokens.
If this contains a positive value then this batch is for time-based tokens, otherwise it is for event based tokens.
The serial number of the token for which offline tokens are generated.
organizations
object[]
A list of the user organizations.
The description of the organization.
The display name of the organization.
The unique UUID assigned to the organization when it is created.
The URI of the logo to display when showing organizations.
The name of the organization.
Possible values: [EMAIL, SMS, VOICE]
The OTP delivery type used.
The redirect URL when using a Magic Link.
For a SMART_LOGIN authenticator challenge, provides the challenge.
Possible values: [CONFIRM, CONCERN, CANCEL, NO_RESPONSE]
Status of authenticator. This is not a required API field if Mobile Smart Credential or Token Push authentication is being used.
The timeout for step-up authentication.
tempAccessCodeChallenge
object
Information about the temporary access code settings.
An optional admin contact value (like an admin email address or phone number) to be displayed in the admin contact message.
Indicates if the admin contact message should be displayed for this challenge.
Authenticated/unauthenticated authorization token.
tokenChallenge
object
If the authentication challenge is of type offline token, the TokenChallenge object will contain the QR codes that can be scanned by the mobile app.
token
object[]
required
The token challenge contains a list of TokenInfo objects, one for each token that can be used to authenticate. In the case of an offline QR code challenge, a TokenInfo object includes the QR code.
Optional label to identify an assigned token: a String up to 100 characters.
The base-64 encoded QR code. This QR code can be scanned by the Entrust Identity mobile application to perform activation in the case of an offline QR code challenge.
The URL-based QR code string. In the case of an offline QR code challenge, this string can be used to generate the base-64 encoded QR code.
The serial number of the token.
For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate.
The token push authentication mutual challenge.
transactionReceipt
object
Transaction Receipt item and its value used with push authenticators and with offline transaction verification.
Possible values: [OTP, TOKEN]
The transaction authentication type.
The transaction date.
details
object[]
The transaction details.
The transaction detail name.
Possible values: [RBA, TVS]
The transaction detail value.
The transaction id.
Possible values: [LOW, MEDIUM, HIGH]
The transaction authentication security level.
The transaction user.
userCertificateChallenge
object
For a user certificate authenticator challenge, provides the challenge.
The User ID of the Identity as a Service user that completed authentication.
userMachineSettings
object
UserMachineSettings
List of device fingerprinting attributes that should not be collected when a device fingerprint is captured.
Indicates whether a device fingerprint should be captured during machine registration or authentication.
machineAuthenticatorEnabled
userMachineAuthenticators
object[]
List of Machine Authenticators that the user currently has--used to prevent duplicated labels.
When this machine secret expires, in UTC time.
Identifies the device/machine.
Identifies the device/machine from the end-user point of view.
When this machine secret was last used.
When this machine secret was created, in UTC time.
Whether the user still requires registration.
Whether the user still requires verification.
```json
{
  "authenticationCompleted": true,
  "authenticatorResponse": "string",
  "deviceCertAuthDesired": true,
  "expires": 0,
  "faceChallenge": {
    "applicantId": "string",
    "sdkToken": "string",
    "workflowRunId": "string"
  },
  "fidoChallenge": {
    "allowCredentials": [
      "string"
    ],
    "challenge": "string",
    "timeout": 0
  },
  "firstName": "string",
  "gridChallenge": {
    "challenge": [
      {
        "column": 0,
        "row": 0
      }
    ],
    "gridInfo": [
      {
        "expiryDate": "2019-02-19T13:15:27Z",
        "serialNumber": "string"
      }
    ],
    "numCharsPerCell": 0
  },
  "kbaChallenge": {
    "id": "string",
    "userQuestions": [
      {
        "answer": "string",
        "id": "string",
        "question": "string"
      }
    ]
  },
  "lastName": "string",
  "machineAuthenticator": {
    "fingerprint": "platform:web,version:1.0.2.",
    "machineNonce": "07ZeToA3YfoATTxoU6h2x==",
    "sequenceNonce": "03ReToA37851tyVU8f3y=="
  },
  "offlineTokenResponses": {
    "firstMovingFactor": 0,
    "iterations": 0,
    "maxSizeInUnits": 0,
    "maxTimeSteps": 0,
    "minorSizeInUnits": 0,
    "otps": "string",
    "privateSaltLength": 0,
    "resultOptimized": true,
    "timeDrift": 0,
    "timeInterval": 0,
    "tokenSerialNumber": "string",
    "useSecret": "string"
  },
  "organizations": [
    {
      "description": "string",
      "displayName": "string",
      "id": "string",
      "logoUri": "https://account.mycompany.com/images/logo.png",
      "name": "string"
    }
  ],
  "otpdeliveryType": "EMAIL",
  "redirectUrl": "string",
  "smartLoginChallenge": "string",
  "status": "CONFIRM",
  "stepUpAuthExpiry": 0,
  "tempAccessCodeChallenge": {
    "adminContact": "string",
    "enableAdminContact": true
  },
  "time": 0,
  "token": "string",
  "tokenChallenge": {
    "token": [
      {
        "label": "PENDING",
        "qrCode": "string",
        "qrCodeUrl": "string",
        "serialNumber": "string"
      }
    ]
  },
  "tokenDetails": [
    "string"
  ],
  "tokenPushMutualChallenge": "string",
  "transactionReceipt": {
    "authenticationType": "OTP",
    "date": "2020-02-01T12:13:24Z",
    "details": [
      {
        "detail": "Amount",
        "usage": [
          "RBA"
        ],
        "value": "$10,001"
      }
    ],
    "id": "Qwpfsc6AmWU6GHkvRzIhew==",
    "securityLevel": "MEDIUM",
    "userid": "user1"
  },
  "userCertificateChallenge": {
    "challenge": "string"
  },
  "userId": "string",
  "userMachineSettings": {
    "attributeExclusions": [
      "string"
    ],
    "deviceFingerprintRequired": true,
    "machineAuthenticatorEnabled": true,
    "userMachineAuthenticators": [
      {
        "expiryTime": "2019-02-19T13:15:27Z",
        "id": "string",
        "label": "string",
        "lastUsedTime": "2019-02-19T13:15:27Z",
        "registrationTime": "2019-02-19T13:15:27Z"
      }
    ]
  },
  "userRegistrationRequired": true,
  "userVerificationRequired": true
}
```
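The 200 response tells the client whether authentication is finished or which challenge it must answer next. The following added example (written for this page; it is not Entrust's SDK or any reference client) parses a response body using only the keys shown in the schema above: it checks `authenticationCompleted`, strictly base-64 decodes the `challenge` and `allowCredentials` of a `fidoChallenge` so that a malformed value is rejected before it reaches a FIDO token, and for a `gridChallenge` lists the cells to prompt for while dropping grids whose `expiryDate` has already passed (a null `expiryDate` means the grid never expires). The sample bodies, serial numbers, token value and base-64 values are constructed, and the function names are my own.

```python
"""Client-side handling of the Authenticate User Challenge 200 response.

Added example for this page, not Entrust code. Only response keys from the
schema are used; all sample values below are constructed for illustration.
"""
import base64
import binascii
import json
from datetime import datetime, timezone

# Fixed "current time" so the expiry check is deterministic (constructed).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample bodies modelled on the schema example above.
SAMPLE_FIDO_BODY = json.dumps({
    "authenticationCompleted": False,
    "expires": 0,
    "fidoChallenge": {
        "allowCredentials": [
            base64.b64encode(b"cred-id-1").decode(),   # fake token IDs
            base64.b64encode(b"cred-id-2").decode(),
        ],
        "challenge": base64.b64encode(bytes(range(32))).decode(),  # fake challenge
        "timeout": 60,
    },
})
SAMPLE_GRID_BODY = json.dumps({
    "authenticationCompleted": False,
    "gridChallenge": {
        "challenge": [{"column": 2, "row": 0}, {"column": 4, "row": 3}],
        "gridInfo": [
            {"expiryDate": "2019-02-19T13:15:27Z", "serialNumber": "GRID-0001"},  # expired
            {"expiryDate": None, "serialNumber": "GRID-0002"},                    # never expires
        ],
        "numCharsPerCell": 3,
    },
})
SAMPLE_DONE_BODY = json.dumps({
    "authenticationCompleted": True,
    "token": "constructed-auth-token",
    "expires": 0,
})
SAMPLE_BAD_FIDO_BODY = json.dumps({
    "authenticationCompleted": False,
    "fidoChallenge": {"allowCredentials": [], "challenge": "not base64!", "timeout": 60},
})


def _b64decode_strict(value):
    """Decode a base-64 field, rejecting anything that is not valid base-64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError) as exc:
        raise ValueError("field is not valid base-64: %r" % (value,)) from exc


def parse_authenticate_response(body):
    """Parse the JSON body and validate the field every caller depends on."""
    resp = json.loads(body)
    if not isinstance(resp, dict):
        raise ValueError("response body must be a JSON object")
    if not isinstance(resp.get("authenticationCompleted"), bool):
        raise ValueError("authenticationCompleted must be a boolean")
    return resp


def _usable_grid_serials(grid_info, now):
    """Serial numbers of grids that are not expired (null expiryDate = never expires)."""
    serials = []
    for grid in grid_info:
        expiry = grid.get("expiryDate")
        if expiry is not None:
            expires_at = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
            if expires_at <= now:
                continue
        serials.append(grid["serialNumber"])
    return serials


def next_step(resp, now=None):
    """Decide what the client must do next from a parsed 200 response."""
    now = now or datetime.now(timezone.utc)
    if resp["authenticationCompleted"]:
        return {"action": "done", "token": resp.get("token"), "expires": resp.get("expires")}
    if "fidoChallenge" in resp:
        fido = resp["fidoChallenge"]
        return {
            "action": "fido",
            "challenge": _b64decode_strict(fido["challenge"]),
            "allow_credentials": [_b64decode_strict(c) for c in fido.get("allowCredentials", [])],
            "timeout_seconds": int(fido["timeout"]),
        }
    if "gridChallenge" in resp:
        grid = resp["gridChallenge"]
        return {
            "action": "grid",
            "cells": [(cell["row"], cell["column"]) for cell in grid["challenge"]],
            "chars_per_cell": int(grid["numCharsPerCell"]),
            "serial_numbers": _usable_grid_serials(grid.get("gridInfo", []), now),
        }
    # Other challenge types exist in the schema; report which ones are present.
    return {"action": "unsupported", "present": sorted(k for k in resp if k.endswith("Challenge"))}


if __name__ == "__main__":
    for body in (SAMPLE_FIDO_BODY, SAMPLE_GRID_BODY, SAMPLE_DONE_BODY):
        print(next_step(parse_authenticate_response(body), now=FIXED_NOW))
```

The strict decode matters because the decoded challenge and credential IDs are handed to the FIDO token as raw bytes; the default `base64.b64decode` silently discards non-alphabet characters, which would turn a corrupted or tampered value into a different, still "valid" challenge.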
Bad request
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
```json
{
  "errorCode": "invalid_user_response",
  "errorMessage": "Application id cannot be null",
  "parameters": [
    {}
  ]
}
```
Access denied
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
```json
{
  "errorCode": "invalid_user_response",
  "errorMessage": "Application id cannot be null",
  "parameters": [
    {}
  ]
}
```
Forbidden
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
```json
{
  "errorCode": "invalid_user_response",
  "errorMessage": "Application id cannot be null",
  "parameters": [
    {}
  ]
}
```
Not Found
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
```json
{
  "errorCode": "invalid_user_response",
  "errorMessage": "Application id cannot be null",
  "parameters": [
    {}
  ]
}
```