Authentication Policies

The createRequest message is used to create authentication policies in the CA Strong Authentication database.
This section lists the elements that are required to set the credential policy information.
  • Common Policy Elements
  • CA Auth ID PKI Authentication Policy Elements
  • QnA Authentication Policy Elements
  • Password Authentication Policy Elements
  • OTP-Based Authentication Policy Elements
Common Policy Elements
The following table lists the common policy-related elements that are applicable to all credentials:

name (Mandatory: No)
  Indicates the name of the new policy.
status (Mandatory: No)
  Indicates the status of the configuration. Possible values are as follows:
    • ACTIVE
    • DISABLED
    • DELETED
    • DEFAULT
    • READONLY
maxStrikes (Mandatory: No)
  Indicates the number of failed attempts after which the user’s credential is locked out.
warningPeriod (Mandatory: No)
  Indicates the number of days before the user’s credential expires at which a warning about the impending expiration is sent to the calling application.
gracePeriod (Mandatory: No)
  Indicates the number of days for which a user is still allowed to authenticate successfully with an expired CA Auth ID PKI credential.
autoUnlockPeriod (Mandatory: No)
  Indicates the number of hours after which a locked credential is unlocked automatically and can be used to log in again.
userCheck (Mandatory: No)
  CA Strong Authentication uses the user check information before performing some of the operations. The following elements are used to perform user checks:
    • userActiveCheck
      Indicates whether the user is active.
    • userAttributesToCheck
      Indicates whether the user attributes match certain values. You set the attributes as name-value pairs:
        • name
          Indicates the name with which you want to create the attribute.
        • value
          Indicates the corresponding value for the name.
matchAcrossUsageType (Mandatory: No)
  Indicates whether credentials are matched across usage types. Multiple credentials of the same type can be issued to a user, so a description is needed to identify the purpose for which each credential is used. For example, a user can have a temporary password for remote login to the network; the usage type for this password can be temporary.
usageTypeToMatch (Mandatory: No)
  Indicates the usage type that must be matched.
CA Auth ID PKI Authentication Policy Elements
The following table lists the elements that are specific to the CA Auth ID PKI credential authentication policy (arcotIDAuthConfigs):

challengeTimeout (Mandatory: No)
  Indicates the duration for which the CA Auth ID PKI challenge remains valid. By default, the validity period is 300 seconds.
QnA Authentication Policy Elements
The following table lists the elements that are specific to the QnA credential authentication policy (qnaAuthConfigs):

numQuestionsToChallenge (Mandatory: No)
  Indicates the number of questions that CA Strong Authentication asks users during authentication. The default value is 3.
minAnswersRequired (Mandatory: No)
  Indicates the minimum number of questions that must be answered correctly during authentication. The default value is 3.
questionsChallengeMode (Mandatory: No)
  Indicates how the questions are selected for the challenge. The supported values are:
    • 1
      Random set: the questions are selected randomly from the configured set.
    • 2
      Alternate set: a new set of questions is selected from the configured set, skipping the questions that were asked in the previous authentication prompt.
questionSetChangeOption (Mandatory: No)
  Specifies when CA Strong Authentication Server must select a new set of questions for the challenge. The supported values are:
    • 1
      A fixed set of questions is selected from the configured set and presented to the users.
    • 2
      A random set of questions is selected from the configured set and presented to the users.
isCVMEnabled (Mandatory: No)
  Indicates whether caller side verification is enabled. The supported values are:
    • 0: The feature is disabled.
    • 1: The feature is enabled.
  See "Questions and Answers Authentication" for more information on caller side verification.
challengeTimeout (Mandatory: No)
  Indicates the duration for which the QnA challenge remains valid. By default, the validity period is 300 seconds.
Password Authentication Policy Elements
The following table lists the elements that are specific to the Password credential authentication policy (passwordAuthConfigs):

numPositionsToChallenge (Mandatory: No)
  Indicates the total number of password character positions that CA Strong Authentication Server challenges.
  Note: Applicable only for partial passwords.
challengeTimeout (Mandatory: No)
  Indicates the duration for which the password challenge remains valid. By default, the validity period is 300 seconds.
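As an added illustration that is not from the CA documentation, the following Python lints a policy, given as nested dicts keyed by the element names from the common, QnA and Password tables above, against the values and defaults those tables state. The dict layout, the "common" key, and the sanity rule that minAnswersRequired cannot exceed numQuestionsToChallenge are assumptions of this example.

```python
# Allowed values and defaults as listed on this page
POLICY_STATUS = {"ACTIVE", "DISABLED", "DELETED", "DEFAULT", "READONLY"}
QUESTIONS_CHALLENGE_MODE = {1: "random set", 2: "alternate set"}
QUESTION_SET_CHANGE_OPTION = {1: "fixed set", 2: "random set"}
CHALLENGE_TIMEOUT_DEFAULT = 300  # seconds, the default for every challengeTimeout
QNA_DEFAULT = 3                  # default for numQuestionsToChallenge and minAnswersRequired


def lint_policy(policy: dict) -> list:
    """Return findings for a policy given as nested dicts keyed by element name.
    The nesting (a 'common' key plus the *AuthConfigs sections) is assumed here."""
    findings = []
    common = policy.get("common", {})
    status = common.get("status")
    if status is not None and status not in POLICY_STATUS:
        findings.append(f"status {status!r} is not one of {sorted(POLICY_STATUS)}")
    for key in ("maxStrikes", "warningPeriod", "gracePeriod", "autoUnlockPeriod"):
        value = common.get(key)
        if value is not None and (not isinstance(value, int) or value < 0):
            findings.append(f"{key} must be a non-negative integer, got {value!r}")
    qna = policy.get("qnaAuthConfigs", {})
    asked = qna.get("numQuestionsToChallenge", QNA_DEFAULT)
    required = qna.get("minAnswersRequired", QNA_DEFAULT)
    if required > asked:  # sanity rule assumed here: nobody could pass such a challenge
        findings.append(f"minAnswersRequired ({required}) exceeds numQuestionsToChallenge ({asked})")
    mode = qna.get("questionsChallengeMode")
    if mode is not None and mode not in QUESTIONS_CHALLENGE_MODE:
        findings.append(f"questionsChallengeMode must be 1 or 2, got {mode!r}")
    option = qna.get("questionSetChangeOption")
    if option is not None and option not in QUESTION_SET_CHANGE_OPTION:
        findings.append(f"questionSetChangeOption must be 1 or 2, got {option!r}")
    if qna.get("isCVMEnabled") not in (None, 0, 1):
        findings.append(f"isCVMEnabled must be 0 or 1, got {qna['isCVMEnabled']!r}")
    for section in ("arcotIDAuthConfigs", "qnaAuthConfigs", "passwordAuthConfigs"):
        timeout = policy.get(section, {}).get("challengeTimeout", CHALLENGE_TIMEOUT_DEFAULT)
        if not isinstance(timeout, int) or timeout <= 0:
            findings.append(f"{section}.challengeTimeout must be a positive number of seconds, got {timeout!r}")
    return findings


# Constructed sample policy carrying several defects
SAMPLE_POLICY = {
    "common": {"name": "qna-policy", "status": "ENABLED", "maxStrikes": -1},
    "qnaAuthConfigs": {"numQuestionsToChallenge": 2, "minAnswersRequired": 3, "isCVMEnabled": 2},
    "passwordAuthConfigs": {"numPositionsToChallenge": 3, "challengeTimeout": 0},
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```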
OTP-Based Authentication Policy Elements
The following table lists the elements that are specific to the OATH OTP, CA Auth ID OTP, and EMV OTP credential authentication policies (oathAuthConfigs, arcotOTPAuthConfigs, and emvAuthConfigs).
The OTP generated by CA Strong Authentication Server (serverOTPAuthConfigs) does not have any specific configurations.

otpCounterTolerance (Mandatory: No)
  This element contains the OTP counter tolerance parameters:
    • authLookAhead
      Indicates the number of times the OTP counter on CA Strong Authentication Server is increased to verify the OTP entered by the user.
    • authLookBack
      Indicates the number of times the OTP counter on CA Strong Authentication Server is decreased to verify the OTP entered by the user.
    • reSyncLookAhead
      Indicates the number of times the OTP counter on CA Strong Authentication Server is increased to synchronize with the OTP counter on the client device.
    • reSyncLookBack
      Indicates the number of times the OTP counter on CA Strong Authentication Server is decreased to synchronize with the OTP counter on the client device.
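As an added example that is not part of the CA documentation, the following Python models the authLookAhead/authLookBack and reSyncLookAhead/reSyncLookBack windows over an RFC 4226 HOTP counter. HOTP as the OTP algorithm, the two-consecutive-OTP resync procedure, and the rule that the stored server counter never moves backwards are assumptions of this example, not documented CA Strong Authentication Server behaviour.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class OtpCounterTolerance:
    """The four window sizes named under otpCounterTolerance on this page."""
    authLookAhead: int
    authLookBack: int
    reSyncLookAhead: int
    reSyncLookBack: int


def verify_otp(secret: bytes, server_counter: int, user_otp: str, tol: OtpCounterTolerance):
    """Accept user_otp if it matches any counter in
    [server_counter - authLookBack, server_counter + authLookAhead].
    Returns the counter the server should store next, or None on failure."""
    low = max(0, server_counter - tol.authLookBack)
    high = server_counter + tol.authLookAhead
    for c in range(low, high + 1):
        if hmac.compare_digest(hotp(secret, c), user_otp):
            # Assumed rule: a look-back match never moves the stored counter backwards.
            return max(server_counter, c + 1)
    return None


def resync_otp(secret: bytes, server_counter: int, otp1: str, otp2: str, tol: OtpCounterTolerance):
    """Re-synchronise from two consecutive OTPs over the wider resync window
    (the two-OTP procedure of RFC 4226 section 7.4, assumed here)."""
    low = max(0, server_counter - tol.reSyncLookBack)
    high = server_counter + tol.reSyncLookAhead
    for c in range(low, high + 1):
        if hmac.compare_digest(hotp(secret, c), otp1) and hmac.compare_digest(hotp(secret, c + 1), otp2):
            return c + 2
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed input
    tol = OtpCounterTolerance(authLookAhead=3, authLookBack=0, reSyncLookAhead=10, reSyncLookBack=0)
    print(verify_otp(secret, 0, hotp(secret, 2), tol))  # two skipped counters are absorbed
    print(verify_otp(secret, 0, hotp(secret, 4), tol))  # None: beyond authLookAhead
    print(resync_otp(secret, 0, hotp(secret, 7), hotp(secret, 8), tol))
```

Every counter inside the window is an OTP the server accepts at that moment, so keep authLookAhead and authLookBack small and reserve the larger reSync windows for an explicit resync step.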