Authenticate User Challenge

POST /api/web/v1/authentication/users/authenticate/:authenticator/complete

Request

Path Parameters

    authenticator string required

    Possible values: [MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE]

Header Parameters

    Authorization string

Body required

    applicationId string

    Unique identifier of Identity as a Service Authentication API application.

    applicationInfo string

    Client provided information about the application that will be included in the authentication audits if provided.

    cancel boolean

    Cancel Identity as a Service authentication to the application

    certificate string

    The certificate with public key to verify signature.

    chapResponse object
    clientIp string

    Provided client IP address.

    enableWebSession boolean

    If set to true, enhanced session protection is enabled for the auth token. An HTTP cookie named INTELLITRUST_SESSION_ID is returned with the response and must be returned in all subsequent requests using the auth token.

    faceResponse string

    For Face Biometric authentication, the workflow run id to check.

    fidoResponse

    object

    The values returned from a FIDO token when performing an authentication.

    authenticatorData string required

    Authenticator Data returned from the token.

    clientDataJSON string required

    Data about the token used to authenticate.

    credentialId string required

    The ID of the token used to authenticate.

    signature string required

    The authentication signature generated by the token.

    userHandle string

    The UUID of the user logging in.

    ignoreIPAddressForRBA boolean

    Whether the client IP address is ignored for risk-based authentication (RBA). Defaults to false, so the IP address is taken into account for RBA.

    kbaChallenge

    object

    Knowledge-based authenticator required for authentication to Identity as a Service

    id string

    userQuestions

    object[]

    required

  • Array [

  • answer string

    The question's answer.

    id string

    The UUID of the KBA question/answer.

    question string

    The question.

  • ]

    locale string

    The locale of this user. If not set, the default account locale will be used.

    machineAuthenticator

    object

    Machine authenticator required to complete authentication challenge

    fingerprint string

    The device fingerprint if it's required during Machine authentication. It will always be null when returned from IDaaS as part of the response body.

    machineNonce string

    machineNonce

    sequenceNonce string

    sequenceNonce

    machineAuthenticatorRegistration

    object

    Register a machine authenticator for authentication to Identity as a Service

    fingerprint string

    The device fingerprint. It must be a valid fingerprint as produced by Entrust SDK.

    label string required

    Identifies the device/machine from the end-user point of view.

    mschapV1Response

    object

    A MSCHAPv1Response specifies the values included in an MSCHAPv1 encoded authentication response.

    challenge byte required
    response byte required

    mschapV2Response

    object

    A MSCHAPv2Response specifies the values included in an MSCHAPv2 encoded authentication response.

    challenge byte required
    identifier int32 required

    The MSCHAPv2 identifier.

    peerChallenge byte required
    response byte required
    userId string required

    The MSCHAPv2 userId. This must be the exact same value used to calculate the MSCHAPv2 response. It will normally be the same as the userId value passed to the authentication method but allows for differences between the two values. For example, an alias may have been passed to the authentication method but the actual userid was used to calculate the MSCHAPv2 response.

    newPassword string

    New password if change requested.

    offlineTVS boolean

    A flag indicating if the offline QR code token verification is used

    response string

    API response based on Authenticator type. This is not a required field if Mobile Smart Credential, KBA, Token Push, or Smart Login authentication is being used.

    secondFactorAuthenticator string

    Possible values: [MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE]

    Authenticator type selected for second factor (if enabled).

    tokenProtectedOfflineParms

    object

    The model used to generate the offline token.

    tokenProtectedOfflineOTPClientName string

    The name sent by the client.

    tokenProtectedOfflineOTPClientSecret byte
    tokenProtectedOfflineOTPDoNotOptimize boolean

    Flag indicating whether the number of OTPs being returned need to be optimized.

    tokenProtectedOfflineOTPGet string

    Possible values: [NONE, MINOR, MAJOR, CUSTOM]

    The different levels of protection for offline tokens.

    tokenProtectedOfflineOTPSize int32

    Request size (Units of hour or count).

    transactionDetails

    object[]

    Transaction Details.

  • Array [

  • detail string

    The transaction detail name.

    usage string[]

    Possible values: [RBA, TVS]

    value string

    The transaction detail value.

  • ]

    userCertificateResponse

    object

    For user certificate login

    code string
    verifier string
    userId string

    User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge.

Responses

Authentication challenge processed successfully. Check authenticationCompleted: when it is false, the body carries the next challenge that must be answered.

Schema

    authenticationCompleted boolean

    Flag to indicate if authentication has successfully completed.

    authenticatorResponse byte
    deviceCertAuthDesired boolean

    Flag to indicate if the user has to attempt device certificate authentication.

    expires int64

    Expiry time of token.

    faceChallenge

    object

    Parameters returned to initialize a Face Biometric authenticator.

    applicantId string

    Applicant ID associated with the user.

    sdkToken string

    The SDK token generated for the user.

    workflowRunId string

    Workflow run ID to use for the user.

    fidoChallenge

    object

    If the authentication challenge is of type FIDO, the FIDOChallenge will contain the FIDO challenge parameters that must be passed to the FIDO token to complete authentication.

    allowCredentials string[]

    The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded.

    challenge string required

    A random challenge. It is a base-64 encoded value.

    timeout int32 required

    The number of seconds that the client will wait for the FIDO token to respond.
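The fidoChallenge above and the fidoResponse object in the request body are the two halves of one WebAuthn exchange. The JavaScript below is an added example, not code from Entrust or from this API reference: it converts the challenge into options for navigator.credentials.get(), converts the resulting assertion into the fidoResponse body, and checks before sending that the signed clientDataJSON carries the challenge IDaaS issued. It assumes the page's base-64 strings are standard base64; the rpId and expected origin are placeholders for your own deployment and are not returned by the API.

```javascript
// Added example, not Entrust's own code: glue between the IDaaS fidoChallenge /
// fidoResponse objects and the browser WebAuthn API. Assumptions: base-64 values
// on this page are standard base64 with padding; rpId and expectedOrigin come
// from your deployment and are not part of the API response.

function b64ToBytes(s) {
  return new Uint8Array(Buffer.from(s, 'base64'));
}

function bytesToB64(buf) {
  return Buffer.from(buf).toString('base64');
}

// Build PublicKeyCredentialRequestOptions from the fidoChallenge object, for
// navigator.credentials.get({ publicKey: options }) in the browser.
function requestOptionsFromFidoChallenge(fidoChallenge, rpId) {
  if (typeof fidoChallenge.challenge !== 'string') {
    throw new Error('fidoChallenge.challenge is required');
  }
  return {
    challenge: b64ToBytes(fidoChallenge.challenge),
    timeout: fidoChallenge.timeout * 1000, // page: seconds; WebAuthn wants milliseconds
    rpId,
    allowCredentials: (fidoChallenge.allowCredentials || []).map((id) => ({
      type: 'public-key',
      id: b64ToBytes(id),
    })),
    userVerification: 'preferred',
  };
}

// Turn the PublicKeyCredential returned by navigator.credentials.get() into the
// fidoResponse object of the request body. userHandle is the user UUID as bytes
// (assumption: UTF-8), and is optional.
function fidoResponseFromAssertion(cred) {
  const r = cred.response;
  const out = {
    credentialId: bytesToB64(cred.rawId),
    clientDataJSON: bytesToB64(r.clientDataJSON),
    authenticatorData: bytesToB64(r.authenticatorData),
    signature: bytesToB64(r.signature),
  };
  if (r.userHandle) out.userHandle = Buffer.from(r.userHandle).toString('utf8');
  return out;
}

// Sanity check before calling /complete: the clientDataJSON the authenticator
// signed must carry the issued challenge (base64url, per WebAuthn), the type
// "webauthn.get" and the expected origin. IDaaS performs the real verification;
// this catches a stale challenge or a wrong origin before a wasted round trip.
function clientDataMatchesChallenge(fidoResponse, fidoChallenge, expectedOrigin) {
  const cd = JSON.parse(Buffer.from(fidoResponse.clientDataJSON, 'base64').toString('utf8'));
  const issued = Buffer.from(fidoChallenge.challenge, 'base64').toString('base64url');
  return cd.type === 'webauthn.get' && cd.challenge === issued && cd.origin === expectedOrigin;
}

module.exports = { requestOptionsFromFidoChallenge, fidoResponseFromAssertion, clientDataMatchesChallenge };
```

The timeout conversion is the detail most often missed: the page reports seconds, while the WebAuthn API takes milliseconds, so passing the value through unchanged gives the user a 60 ms window instead of 60 s.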

    firstName string

    First Name.

    gridChallenge

    object

    If the authentication challenge is of type grid, the GridChallenge object will contain the grid challenge that the end user must answer.

    challenge

    object[]

    required

    The grid challenge specifies a list of grid cells that the user must answer in their challenge.

  • Array [

  • column int32 required

    The column within the grid starting at 0.

    row int32 required

    The row within the grid starting at 0.

  • ]

    gridInfo

    object[]

    required

    The grid details.

  • Array [

  • expiryDate date-time

    The expiry date of the grid. Null value indicates the grid will never expire.

    serialNumber string required

    The serial number of the grid that can be used to answer this challenge.

  • ]

    numCharsPerCell int32 required

    The numCharsPerCell value specifies the number of characters expected in the response for each cell as defined by current settings.

    serialNumbers string[] required deprecated

    The serial numbers of the grids that can be used to answer this challenge.

    kbaChallenge

    object

    Knowledge-based authenticator required for authentication to Identity as a Service

    id string

    userQuestions

    object[]

    required

  • Array [

  • answer string

    The question's answer.

    id string

    The UUID of the KBA question/answer.

    question string

    The question.

  • ]

    lastName string

    Last Name.

    machineAuthenticator

    object

    Machine authenticator required to complete authentication challenge

    fingerprint string

    The device fingerprint if it's required during Machine authentication. It will always be null when returned from IDaaS as part of the response body.

    machineNonce string

    machineNonce

    sequenceNonce string

    sequenceNonce

    offlineTokenResponses

    object

    Used to return batches of protected OTPs for a given token

    firstMovingFactor int64

    This is the moving factor index for the first hashed OTP returned. In the case of time-based tokens, it represents time step, otherwise it represents the value of the counter.

    iterations int32

    The number of iterations of the hash function to be performed.

    maxSizeInUnits int32

    This is the policy-configured maximum number (hours or counters).

    maxTimeSteps int32

    This is the max number of time steps used to validate a token.

    minorSizeInUnits int32

    This is the policy-configured recommended number (hours or counters).

    otps string

    An array of all of the OTPs returned in the batch, each with its public component of the salt.

    privateSaltLength int32

    The number of digits in the private part of the salt that the client must guess.

    resultOptimized boolean

    Flag indicating if the set of OTP hashes returned was optimized so that OTPs which have already been downloaded in prior requests, but that have not yet expired, are not sent again.

    timeDrift int32

    This is the token time drift in seconds. This applies only to time-based tokens.

    timeInterval int32

    If this contains a positive value then this batch is for time-based tokens, otherwise it is for event-based tokens.

    tokenSerialNumber string

    The serial number of the token for which offline tokens are generated.

    useSecret byte

    organizations

    object[]

    A list of the user organizations.

  • Array [

  • description string

    The description of the organization.

    displayName string required

    The display name of the organization.

    id string required

    The unique UUID assigned to the organization when it is created.

    logoUri string

    The URI of the logo to display when showing organizations.

    name string required

    The name of the organization.

  • ]

    otpdeliveryType string

    Possible values: [EMAIL, SMS, VOICE]

    The OTP delivery type used.

    redirectUrl string

    The redirect URL when using a Magic Link.

    smartLoginChallenge string

    For a SMART_LOGIN authenticator challenge, provides the challenge.

    status string

    Possible values: [CONFIRM, CONCERN, CANCEL, NO_RESPONSE]

    Status of authenticator. This is not a required API field if Mobile Smart Credential or Token Push authentication is being used.

    stepUpAuthExpiry int64

    The timeout for step-up authentication

    tempAccessCodeChallenge

    object

    Information about the temporary access code settings.

    adminContact string

    An optional admin contact value (like an admin email address or phone number) to be displayed in the admin contact message.

    enableAdminContact boolean

    Indicates if the admin contact message should be displayed for this challenge.

    time int64
    token string

    Authenticated/unauthenticated authorization token.

    tokenChallenge

    object

    If the authentication challenge is an offline token challenge, the TokenChallenge object will contain the QR codes that can be scanned by the mobile app.

    token

    object[]

    required

    The token challenge contains a list of TokenInfo objects, one for each token that can be used to authenticate. In the case of an offline QR code challenge, a TokenInfo object includes the QR code.

  • Array [

  • label string

    Optional label to identify an assigned token: a String up to 100 characters.

    qrCode string

    The base-64 encoded QR code. This QR code can be scanned by the Entrust Identity mobile application to perform activation in the case of an offline QR code challenge.

    qrCodeUrl string

    The URL-based QR code string. In the case of an offline QR code challenge, this string can be used to generate the base-64 encoded QR code.

    serialNumber string

    The serial number of the token.

  • ]

    tokenDetails string[]

    For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate.

    tokenPushMutualChallenge string

    The token push authentication mutual challenge.

    transactionReceipt

    object

    Transaction Receipt item and its value used with push authenticators and with offline transaction verification.

    authenticationType string

    Possible values: [OTP, TOKEN]

    The transaction authentication type.

    date date-time

    The transaction date.

    details

    object[]

    The transaction details.

  • Array [

  • detail string

    The transaction detail name.

    usage string[]

    Possible values: [RBA, TVS]

    value string

    The transaction detail value.

  • ]

    id string

    The transaction id.

    securityLevel string

    Possible values: [LOW, MEDIUM, HIGH]

    The transaction authentication security level.

    userid string

    The transaction user.

    userCertificateChallenge

    object

    For a user certificate authenticator challenge, provides the challenge.

    challenge string required
    userId string

    The User ID of the Identity as a Service user that completed authentication.

    userMachineSettings

    object

    UserMachineSettings

    attributeExclusions string[]

    List of device fingerprinting attributes that should not be collected when a device fingerprint is captured.

    deviceFingerprintRequired boolean

    Indicates whether a device fingerprint should be captured during machine registration or authentication

    machineAuthenticatorEnabled boolean

    machineAuthenticatorEnabled

    userMachineAuthenticators

    object[]

    List of Machine Authenticators that the user currently has; used to prevent duplicated labels.

  • Array [

  • expiryTime date-time

    When this machine secret expires in UTC time

    id string required

    Identifies the device/machine

    label string required

    Identifies the device/machine from the end-user point of view

    lastUsedTime date-time

    When this machine secret was last used

    registrationTime date-time required

    When this machine secret was created in UTC time

  • ]

    userRegistrationRequired boolean

    Whether the user still requires registration.

    userVerificationRequired boolean

    Whether the user still requires verification.
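Putting the request and response together, the JavaScript below is an added example (not Entrust code) of a client driving the challenge loop around this endpoint: it builds the POST for a given :authenticator, keeps the INTELLITRUST_SESSION_ID cookie issued for enableWebSession alongside the token, and reads the response to decide whether authentication is done or which challenge to answer next. The tenant host name, the use of a Bearer Authorization header, epoch-millisecond values for expires and the mapping from response challenge fields to authenticator names are assumptions; none of them is stated on this page.

```javascript
// Added example, not Entrust's own code: the client side of the /complete loop.
// Assumptions (not on this page): the tenant host, that the token from the
// earlier authenticate call travels as a bearer token in Authorization, that
// `expires` is Unix epoch milliseconds, and the CHALLENGE_FIELDS mapping.

const BASE_URL = 'https://idaas.example.com'; // assumption: your tenant host
const SESSION_COOKIE = 'INTELLITRUST_SESSION_ID';
const AUTHENTICATORS = new Set([
  'MACHINE', 'PASSWORD', 'EXTERNAL', 'KBA', 'TEMP_ACCESS_CODE', 'OTP', 'GRID', 'TOKEN',
  'TOKENPUSH', 'FIDO', 'SMARTCREDENTIALPUSH', 'PASSWORD_AND_SECONDFACTOR', 'SMART_LOGIN',
  'IDP', 'PASSKEY', 'IDP_AND_SECONDFACTOR', 'USER_CERTIFICATE', 'FACE',
]);

// Build the POST for .../authenticate/:authenticator/complete. The path parameter
// is checked against the enumeration on this page so an unexpected value cannot
// become an unexpected route; the session cookie is attached whenever we hold one.
function buildCompleteRequest({ authenticator, token, sessionCookie, body }) {
  if (!AUTHENTICATORS.has(authenticator)) throw new Error(`unknown authenticator: ${authenticator}`);
  const headers = { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` };
  if (sessionCookie) headers.Cookie = `${SESSION_COOKIE}=${sessionCookie}`;
  return {
    method: 'POST',
    url: `${BASE_URL}/api/web/v1/authentication/users/authenticate/${encodeURIComponent(authenticator)}/complete`,
    headers,
    body: JSON.stringify(body),
  };
}

// With enableWebSession=true the response sets INTELLITRUST_SESSION_ID, and every
// later request presenting the token must present the cookie too, so a token
// leaked on its own is not enough. Pull it out of the Set-Cookie header values.
function sessionCookieFromSetCookie(setCookieValues) {
  for (const v of setCookieValues || []) {
    const m = new RegExp(`^${SESSION_COOKIE}=([^;]*)`).exec(v.trim());
    if (m) return m[1];
  }
  return null;
}

// Assumed mapping from the challenge object present in a response to the
// :authenticator value to use on the next /complete call.
const CHALLENGE_FIELDS = {
  fidoChallenge: 'FIDO', gridChallenge: 'GRID', kbaChallenge: 'KBA', tokenChallenge: 'TOKEN',
  tokenPushMutualChallenge: 'TOKENPUSH', smartLoginChallenge: 'SMART_LOGIN',
  tempAccessCodeChallenge: 'TEMP_ACCESS_CODE', userCertificateChallenge: 'USER_CERTIFICATE',
  faceChallenge: 'FACE', machineAuthenticator: 'MACHINE',
};

// Decide what to do with a /complete response. Only authenticationCompleted=true
// makes the returned token an authenticated one; a token on a response that still
// carries a challenge is the unauthenticated token for the next step.
function nextStep(resp, now = Date.now()) {
  if (resp.authenticationCompleted === true) {
    if (typeof resp.token !== 'string' || resp.token.length === 0) {
      throw new Error('authenticationCompleted but no token returned');
    }
    if (typeof resp.expires === 'number' && resp.expires <= now) {
      throw new Error('returned token is already expired');
    }
    return { done: true, token: resp.token, expires: resp.expires };
  }
  const field = Object.keys(CHALLENGE_FIELDS).find((k) => resp[k] != null);
  if (!field) throw new Error('authentication not completed and no challenge to answer');
  return { done: false, authenticator: CHALLENGE_FIELDS[field], challenge: resp[field], token: resp.token };
}

module.exports = { buildCompleteRequest, sessionCookieFromSetCookie, nextStep };
```

The two checks in nextStep are the ones worth keeping in production code: treating a token as authenticated because it is present, rather than because authenticationCompleted is true, is the classic mistake with multi-step challenge APIs.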
