MSA Authentication
Updated on 13 Dec 2023
Multi-step authentication (MSA) is a verification process in which the user must complete two or more verification steps before the required permission is granted.
How to set up MSA Authentication in Adapters
MSA Authentication is handled entirely within the IAP Service Instance Configuration for the adapter. You can find this within IAP Admin Essentials; the configuration properties are located in the authentication section. The authentication section includes other properties that are described in detail in the IAP Service Instance Configuration articles.
Every MSA step can have multiple corresponding entity files under /entities/.system:
- The request file: schemaTokenReq_MFA_Step_[number]
- The response file: schemaTokenResp_MFA_Step_[number]
Final token replacement and format:
- The configuration parameters auth_field and auth_field_format specify the location and format of the final MSA token in subsequent outgoing application requests that require authorization.
Field | Description |
---|---|
name | Step name; other steps use it to reference this step's response values. |
requestFields | If a request field name is prefixed with header., e.g. header.jx-session, the field is sent as the HTTP header jx-session. Otherwise the field is placed in the request body. |
responseFields | Contains the fields exposed for referencing by other steps. Important: the value of each field must match the external_name set in schemaTokenResp_MFA_Step_[number]. |
successfullResponseCode | Intermediate steps executed before the final token is obtained may return an HTTP response code outside the successful range (200-299, 300-308). Set the expected response code for the step here. |
Caching
Follow adapter configuration parameters to control caching of the token:
Field | Description |
---|---|
token_cache | Storage location, either local or redis |
token_timeout | Time in milliseconds. If set to a value greater than zero, the token is refreshed each time this timeout elapses. Must be set to a value greater than 1 minute. When token_timeout=0, caching is based on the expiry date obtained from the expires attribute in schemaTokenResp_MFA_Step_[number]. |
Example MSA in IAP Service Instance Configuration for the Adapter
```json
"authentication": {
  "auth_method": "multi_step_authentication",
  "token_URI_path": "/v3/auth/tokens",
  "multiStepAuthCalls": [
    {
      "name": "getSession",
      "requestFields": {
        "username": "Alice",
        "password": "Alice-secret",
        "grant_type": "gt-1",
        "client_secret": "cs-1",
        "client_id": "cid-1"
      },
      "responseFields": {
        "session": "session"
      },
      "successfullResponseCode": 401
    },
    {
      "name": "getToken",
      "requestFields": {
        "header.jx-session": "{getSession.responseFields.session}",
        "timedOneTimePassword": "123456"
      },
      "responseFields": {
        "token": "token"
      },
      "successfullResponseCode": 201
    }
  ],
  "auth_field": "header.headers.xsx-authorization",
  "auth_field_format": "Bearer {token}",
  "token_cache": "local",
  "token_timeout": 120000,
  "invalid_token_error": 401,
  "auth_logging": true
}
```
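As an added illustration (not Itential's adapter code), the Python below walks a trimmed copy of the configuration above: it resolves `{step.responseFields.field}` references, routes `header.`-prefixed request fields to HTTP headers, treats each step's `successfullResponseCode` as the only acceptable status, and finally builds the authorization header from `auth_field` and `auth_field_format`. The remote API is a constructed stand-in, and the assumption that `{token}` refers to the last step's `token` response field is marked in the code.

```python
import re

REF = re.compile(r"\{(\w+)\.responseFields\.(\w+)\}")  # {step.responseFields.field}

def build_step_request(step, results):
    # Resolve references to earlier steps; route header.* keys to HTTP headers, the rest to the body.
    headers, body = {}, {}
    for key, raw in step["requestFields"].items():
        value = REF.sub(lambda m: str(results[m.group(1)][m.group(2)]), str(raw))
        if key.startswith("header."):
            headers[key[len("header."):]] = value
        else:
            body[key] = value
    return headers, body

def run_msa(auth_cfg, send):
    # send(step_name, headers, body) -> (http_status, json). A step succeeds only
    # on its own successfullResponseCode, so 401 is the expected code for getSession.
    results = {}
    for step in auth_cfg["multiStepAuthCalls"]:
        headers, body = build_step_request(step, results)
        status, payload = send(step["name"], headers, body)
        if status != step["successfullResponseCode"]:
            raise RuntimeError(f"{step['name']}: HTTP {status}, expected {step['successfullResponseCode']}")
        # alias -> value stored under the external_name declared in schemaTokenResp_MFA_Step_N
        results[step["name"]] = {a: payload[ext] for a, ext in step["responseFields"].items()}
    return results

def final_auth_header(auth_cfg, results):
    # Assumption: {token} in auth_field_format is the last step's "token" response field
    # and the header name is the last dotted segment of auth_field.
    last = auth_cfg["multiStepAuthCalls"][-1]["name"]
    name = auth_cfg["auth_field"].split(".")[-1]
    return name, auth_cfg["auth_field_format"].format(token=results[last]["token"])

CONFIG = {  # trimmed from the page's example configuration
    "multiStepAuthCalls": [
        {"name": "getSession", "successfullResponseCode": 401,
         "requestFields": {"username": "Alice", "password": "Alice-secret"},
         "responseFields": {"session": "session"}},
        {"name": "getToken", "successfullResponseCode": 201,
         "requestFields": {"header.jx-session": "{getSession.responseFields.session}",
                           "timedOneTimePassword": "123456"},
         "responseFields": {"token": "token"}}],
    "auth_field": "header.headers.xsx-authorization", "auth_field_format": "Bearer {token}"}

def fake_send(name, headers, body):  # constructed stand-in for the remote API
    if name == "getSession" and body.get("password") == "Alice-secret":
        return 401, {"session": "sess-42"}
    return (201, {"token": "tok-abc"}) if headers.get("jx-session") == "sess-42" else (403, {})
```

A step that returns anything other than its configured code aborts the chain, which is the behaviour the successfullResponseCode row describes for intermediate steps.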