Authentication Policies
The createRequest message is used to create authentication policies in the CA Strong Authentication database.
This section lists the elements used to set authentication policy information for each credential type.
- Common Policy Elements
- CA Auth ID PKI Authentication Policy Elements
- QnA Authentication Policy Elements
- Password Authentication Policy Elements
- OTP-Based Authentication Policy Elements
Common Policy Elements
The following table lists the common policy-related elements that are applicable to all credentials:
| Element | Mandatory | Description |
| --- | --- | --- |
| name | No | Name of the new policy. |
| status | No | Status of the configuration. Possible values: ACTIVE, DISABLED, DELETED, DEFAULT, READONLY. |
| maxStrikes | No | Number of failed attempts after which the user's credential is locked. |
| warningPeriod | No | Number of days before credential expiry at which the server starts warning the calling application that the user's credential is about to expire. |
| gracePeriod | No | Number of days after expiry during which the user can still authenticate successfully with the expired credential (for example, an expired CA Auth ID PKI credential). |
| autoUnlockPeriod | No | Number of hours after which a locked credential is automatically unlocked and can be used to log in again. |
| userCheck | No | CA Strong Authentication evaluates the user check information before performing some operations. Sub-elements: `userActiveCheck`, whether the user must be active; `userAttributesToCheck`, whether the user's attributes must match given values, supplied as name-value pairs where `name` is the attribute name and `value` is the value it must hold. |
| matchAcrossUsageType | No | Whether to match across usage types. Multiple credentials of the same type can be issued to one user, so each carries a usage type that identifies its purpose. For example, a user can hold a temporary password for remote login to the network; the usage type of that password can be `temporary`. |
| usageTypeToMatch | No | The usage type that must be matched. |
CA Auth ID PKI Authentication Policy Elements
The following table lists the elements that are specific to the CA Auth ID PKI credential authentication policy (arcotIDAuthConfigs):
| Element | Mandatory | Description |
| --- | --- | --- |
| challengeTimeout | No | Duration, in seconds, for which the CA Auth ID PKI challenge remains valid. The default is 300 seconds. |
QnA Authentication Policy Elements
The following table lists the elements that are specific to the QnA credential authentication policy (qnaAuthConfigs):
| Element | Mandatory | Description |
| --- | --- | --- |
| numQuestionsToChallenge | No | Number of questions CA Strong Authentication asks the user during authentication. The default is 3. |
| minAnswersRequired | No | Minimum number of questions that must be answered correctly for authentication to succeed. The default is 3. |
| questionsChallengeMode | No | How the questions are chosen for the challenge. Supported values: `1`, random set (questions are picked at random from the configured set); `2`, alternate set (a new set is picked from the configured set, skipping the questions asked in the previous authentication prompt). |
| questionSetChangeOption | No | When CA Strong Authentication Server must select a new set of questions for the challenge. Supported values: `1`, a fixed set of questions from the configured set is presented to users; `2`, a random set of questions from the configured set is presented to users. |
| isCVMEnabled | No | Whether caller-side verification is enabled. Supported values: `0`, disabled; `1`, enabled. See "Questions and Answers Authentication" for more information on caller-side verification. |
| challengeTimeout | No | Duration, in seconds, for which the QnA challenge remains valid. The default is 300 seconds. |
Password Authentication Policy Elements
The following table lists the elements that are specific to the Password credential authentication policy (passwordAuthConfigs):
| Element | Mandatory | Description |
| --- | --- | --- |
| numPositionsToChallenge | No | Total number of password character positions that CA Strong Authentication Server challenges. Note: applies to partial passwords only. |
| challengeTimeout | No | Duration, in seconds, for which the password challenge remains valid. The default is 300 seconds. |
OTP-Based Authentication Policy Elements
The following table lists the elements that are specific to the OATH OTP, CA Auth ID OTP, and EMV OTP credential authentication policies (oathAuthConfigs, arcotOTPAuthConfigs, and emvAuthConfigs).
The OTP generated by CA Strong Authentication Server (serverOTPAuthConfigs) has no specific configuration elements.
| Element | Mandatory | Description |
| --- | --- | --- |
| otpCounterTolerance | No | Container for the OTP counter tolerance parameters: `authLookAhead`, the number of steps the OTP counter on CA Strong Authentication Server is advanced when verifying the OTP entered by the user; `authLookBack`, the number of steps the server counter is moved back when verifying that OTP; `reSyncLookAhead`, the number of steps the server counter is advanced to resynchronize with the counter on the client device; `reSyncLookBack`, the number of steps the server counter is moved back to resynchronize with the client device. |
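The common elements and the OTP tolerance elements interact: `authLookBack` and `authLookAhead` together set how many counter values the server accepts on a single attempt, while `maxStrikes` bounds how many attempts an attacker without the token gets before lockout. The following Python script is an added example, not CA Strong Authentication code: it models a policy as a dict keyed by the element names on this page and flags inconsistent or weak settings before the createRequest is sent. The 6-digit OTP length, the window and probability thresholds, and treating an unset `maxStrikes` as a finding are assumptions; the sample policies are constructed for illustration.

```python
"""Added example (not CA Strong Authentication code): consistency and strength
checks for the createRequest authentication-policy elements on this page.
Element defaults follow the page; OTP digit count and thresholds are assumptions."""

VALID_STATUS = {"ACTIVE", "DISABLED", "DELETED", "DEFAULT", "READONLY"}


def otp_guess_window(tol):
    """Counter values accepted on one attempt: the current counter, plus
    authLookBack values behind it and authLookAhead values ahead of it."""
    return int(tol.get("authLookBack", 0)) + 1 + int(tol.get("authLookAhead", 0))


def otp_guess_success(window, max_strikes, digits=6):
    """Approximate probability that max_strikes blind guesses hit any of the
    `window` accepted OTP values. Assumes a uniform `digits`-digit OTP (6 is an
    assumption, not stated on the page) and treats accepted values as distinct,
    so the result is an upper bound."""
    per_guess = min(1.0, window / 10 ** digits)
    return 1.0 - (1.0 - per_guess) ** max_strikes


def check_policy(policy, max_otp_window=5, max_guess_success=1e-4):
    """Return a list of findings; an empty list means the policy passed.
    max_otp_window and max_guess_success are illustrative thresholds."""
    findings = []
    status = policy.get("status")
    if status is not None and status not in VALID_STATUS:
        findings.append(f"status {status!r} is not one of {sorted(VALID_STATUS)}")
    strikes = policy.get("maxStrikes")
    if not strikes:
        findings.append("maxStrikes is not set: lockout threshold left to the server default")

    qna = policy.get("qnaAuthConfigs")
    if qna:
        asked = qna.get("numQuestionsToChallenge", 3)   # page default
        needed = qna.get("minAnswersRequired", 3)       # page default
        if needed > asked:
            findings.append(f"QnA: minAnswersRequired ({needed}) exceeds "
                            f"numQuestionsToChallenge ({asked}); nobody can pass")
        elif needed < asked:
            findings.append(f"QnA: {asked - needed} wrong answer(s) tolerated per challenge")
        for name, allowed in (("questionsChallengeMode", {1, 2}),
                              ("questionSetChangeOption", {1, 2}),
                              ("isCVMEnabled", {0, 1})):
            if name in qna and qna[name] not in allowed:
                findings.append(f"QnA: {name}={qna[name]!r} not in {sorted(allowed)}")

    for group in ("oathAuthConfigs", "arcotOTPAuthConfigs", "emvAuthConfigs"):
        tol = (policy.get(group) or {}).get("otpCounterTolerance")
        if not tol:
            continue
        window = otp_guess_window(tol)
        if window > max_otp_window:
            findings.append(f"{group}: {window} counter values accepted per attempt "
                            "(authLookBack + 1 + authLookAhead)")
        if strikes:
            p = otp_guess_success(window, strikes)
            if p > max_guess_success:
                findings.append(f"{group}: blind-guess success before lockout "
                                f"~{p:.2e} exceeds {max_guess_success:.0e}")
    return findings


# Constructed sample policies (not from the page): a weak one and a tightened one.
WEAK_POLICY = {
    "name": "otp-login", "status": "ENABLED",            # invalid status value
    # maxStrikes omitted: no explicit lockout threshold
    "qnaAuthConfigs": {"numQuestionsToChallenge": 3, "minAnswersRequired": 4,
                       "isCVMEnabled": 2},
    "oathAuthConfigs": {"otpCounterTolerance": {"authLookAhead": 50, "authLookBack": 0,
                                                "reSyncLookAhead": 100, "reSyncLookBack": 0}},
}
STRONG_POLICY = {
    "name": "otp-login", "status": "ACTIVE", "maxStrikes": 5, "autoUnlockPeriod": 1,
    "qnaAuthConfigs": {"numQuestionsToChallenge": 3, "minAnswersRequired": 3,
                       "questionsChallengeMode": 1, "isCVMEnabled": 1},
    "oathAuthConfigs": {"otpCounterTolerance": {"authLookAhead": 3, "authLookBack": 1,
                                                "reSyncLookAhead": 10, "reSyncLookBack": 0}},
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(label, check_policy(pol) or "OK")
```

Run the script to print the findings for both sample policies; `check_policy` can be pointed at any dict that uses the element names from the tables above, and the thresholds can be tightened to match local lockout policy.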