MSA Authentication
  • 13 Dec 2023
  • Dark
    Light
  • PDF

MSA Authentication

  • Dark
    Light
  • PDF

Article summary

Multi-step authentication is a multiple-step verification process that requires users to provide two or more verification steps to obtain the required permission.

How to set up MSA Authenication in Adapters

MSA Authentication is handled entirely within the IAP Service Instance Configuration for the adapter. You can find this within IAP Admin Essentials, the configuration properties are located in the authentication section. The authentication section includes other properties that are described in detail in the IAP Service Instance Configuration articles.

Every MSA step can have mulitple corresponding entity files under /entities/.system:

  • The request file: schemaTokenReq_MFA_Step_[number]

  • The response file: schemaTokenResp_MFA_Step_[number]

Final token replacement and format:

  • Configuration parameters: auth_field and auth_field_format are used to point location and format of final MSA token in subsequent outgoing application requests that require authorization.
Field Description
name Step name is used by other steps to reference response values
requestFields Request field name if prefixed with header .e.g: header.jx-session means the request will be sent with http header jx-session. Otherwise the field is placed in request body.
responseFields Contains fields exposed for referencing by other steps. Important: the value of the field has to be the same as set in schemaTokenResp_MFA_Step_[number].external_name
sucessfulResponseCode Intermediate steps executed before obtaining final token may have http response code out of range of successful http response codes(200-299, 300-308). Set expected response code here.

Caching

Follow adapter configuration parameters to control caching of the token:

Field Description
token_cache Storage location, either local or redis
token_timeout Timed in miliseconds. If set to value greater then zero then the token is refreshed every time this timeout setting elapses.
Must be set to value greater than 1 minute.
When token_timeout=0, then caching is based on expiry date obtained from schemaTokenResp_MFA_Step_[number] expires attribute.

Example MSA in IAP Service Instance Configuration for the Adapter

"authentication": {
        "auth_method": "multi_step_authentication",
        "token_URI_path": "/v3/auth/tokens",
        "multiStepAuthCalls": [
            {
                "name": "getSession",
                "requestFields": {
                    "username": "Alice",
                    "password": "Alice-secret",
                    "grant_type": "gt-1",
                    "client_secret": "cs-1",
                    "client_id": "cid-1"
                },
                "responseFields": {
                    "session": "session"
                },
                "successfullResponseCode": 401
            },
            {
                "name": "getToken",
                "requestFields": {
                    "header.jx-session": "{getSession.responseFields.session}",
                    "timedOneTimePassword": "123456"
                },
                "responseFields": {
                    "token": "token"
                },
                "successfullResponseCode": 201
            }
        ],                
        "auth_field": "header.headers.xsx-authorization",
        "auth_field_format": "Bearer {token}",
        "token_cache": "local",
        "token_timeout": 120000,
        "invalid_token_error": 401,
        "auth_logging": true
    }


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.