Profile Validation API guide

Updated March 23, 2023

Use this guide to configure the SecureAuth Authentication API to validate end user information and to generate one-time passcodes (OTPs), push-to-accept, and link-to-accept requests for end user authentication.

Prerequisites

Complete the steps in the Authentication API guide.
Configure the realm to enable Multi-Factor Methods.
Link-to-accept
Capabilities for phone (sms_link) and email (email_link) now enable end users to get a link-to-accept request through email or their phone.
"Login Request" workflows for phone and email are available for companies that want end users to log in via a link-to-accept request. Ensure the following:
1. Customers running the Identity Platform 19.07 must install hotfix version 19.07.01-25+ to use the phone and email link capabilities.
2. Customers running the Identity Platform 20.06 must install hotfix version 20.06-2+ to use the phone and email link capabilities.
3. Multi-Factor Methods Profile Properties (e.g., Phone 1, Email 1, etc.) in the Identity Platform Advanced Settings (formerly Classic Experience) realm must be accurately mapped to directory attributes to enable multi-factor authentication workflows. The new workflows for link-to-accept include the following:
  - Login Request + One-Time Passcode via Phone Call Only
  - Login Request + One-Time Passcode via SMS Only
  - Login Request + One-Time Passcode via Phone Call and SMS
4. To check the status of link-to-accept responses, see the GET method /auth/link/{REF_ID} endpoint.
If you use a load balancer:
When you use the Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA method, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. The client applications (Login for Endpoints, RADIUS Server) support cookie-based persistence only. Additionally, only the SecureAuth Java SDK supports cookies.

Endpoints

Use the /auth endpoints to validate information associated with a user account, and to generate and deliver OTPs.

The POST method validates end user information (e.g., username, password, KBAs, tokens, etc.) and generates OTPs for authentication.

For ad hoc OTP delivery, the supported "type" values are call, sms, and email.
The send ad hoc OTP API allows an impromptu OTP to be dispatched to a valid phone number or email address that is not currently stored in the directory (i.e., unregistered).

Note

Refer to Authentication API: Send Ad hoc OTP without Existing User Profile for specific configuration steps when using ad hoc OTP delivery to users who are not registered in the directory.

The GET method checks the status of push-to-accept and link-to-accept responses.

When a push-to-accept request is made, the corresponding response contains a Reference ID, which is then appended to the /auth endpoint to continuously check whether the login request is accepted, denied, pending, or other.

When a link-to-accept request is made, the corresponding response contains a Reference ID, which is then appended to the /auth/link endpoint that waits 2 minutes for a response before expiring.

POST /auth

The POST /auth method validates the end user response.

HTTP Method	URI	Example
POST	`/api/v2/auth`	https://secureauth.company.com/secureauth2/api/v2/auth

user_id: <USERNAME> – Validate user ID, e.g. jsmith
type – Function of POST endpoint:
- user_id – Validate user ID
- password – Validate user password
- kba – Validate knowledge-based answer
- oath – Validate OATH token
- pin – Validate static PIN
- call – Deliver OTP via phone call
- sms – Deliver OTP via text message
- sms_link – Deliver Link-to-Accept text link via phone
- email – Deliver OTP via email
- email_link – Deliver Link-to-Accept email link via email
- push – Deliver OTP via Push Notification
- push_accept – Deliver Push-to-Accept notification OR
- push_symbol_accept - Deliver Symbol-to-Accept notification
- push_accept_biometric - Deliver Push-to-Accept biometric (fingerprint or face–iOS only) notification (to enter fingerprint or face)
- help_desk – Deliver OTP via help desk
biometricType - Optional: If using the push_accept_biometric type, requests a fingerprint or face (iOS only) notification to be sent
token: Response for POST endpoint type:
- <PASSWORD> – Response for password token, which is the user password, e.g. P@$SW0RD
- <ANSWER> – Response for kba token, which is the user answer to knowledge-based question
- <OTP> – Response for oath token, which is a one-time password generated by the OATH token or on an ad hoc basis
- <PIN NUMBER> – Response for pin token, which is the user's static PIN number (e.g. 1234)
- <UNREGISTERED PHONE> – Response for ad hoc call / ad hoc sms, which is a phone number that is not stored in the directory
- <UNREGISTERED EMAIL> – Response for ad hoc email, which is an email address that is not stored in the directory
factor_id: Property mapped to field:
- <KBQ PROPERTY> – Indexed location of the specific KBQ being used for the authentication, e.g. KBQ2
- <DEVICE IDENTIFIER> – Unique identifier provided to SecureAuth Identity Platform by the mobile device during the provisioning process (for OATH and Push)
- <PHONE PROPERTY> – SecureAuth Identity Platform Profile Property that is mapped to the directory field containing the required phone number, e.g. Phone1
- <EMAIL PROPERTY> – SecureAuth Identity Platform Profile Property that is mapped the directory field containing the required email address, e.g. Email1
- <HELPDESK PROPERTY> – Help desk option being used for this authentication, e.g., HelpDesk1. In the Multi-Factor Methods tab in the SecureAuth Identity Platform Web Admin, you must enable two Help Desk authentication options, HelpDesk1 and HelpDesk2.
evaluate_number – For ad hoc call, ad hoc sms, ad hoc email: Verify a recipient's phone number or email address (true) for validity before delivering an OTP via SMS or Voice call, as configured on the Multi-Factor Methods tab. See Phone Number Profiling Service Configuration Guide for more information.
push_accept_details:
- company_name: <COMPANY> – Company name, configured on the Multi-Factor Methods tab of the Web Admin for Push-to-Accept or can be overridden in code
- application_description: <APP> – Application or realm name, configured on the Multi-Factor Methods tab of the Web Admin for Push-to-Accept or can be overridden in code
- enduser_ip: <IP ADDRESS> – IP address of the user's device
status: State of the user ID (valid, invalid, found, not_found, server_error)
message: Explanation for status
reference_id: Response for Push-to-Accept request, which is appended to the /auth endpoint to continuously check whether the login request is accepted, denied, pending, or other
reference_id: Response for Link-to-Accept request, which is appended to the /auth/link endpoint to check whether the login request is accepted, denied, or has expired after the 2 minute default time period

Replace the <CONTENT> below with the actual JSON Parameter values before sending the POST requests.

Function	JSON Parameters	Success Response	Fail / Error Response
user_id	{ "user_id": "<USERNAME>", "type": "user_id" } Example: { "user_id": "jsmith", "type": "user_id" }	{ "status": "found", "message": "User Id found", }	{ "status": "not_found", "message": "User Id was not found." } HTTP Status 404
password	{ "user_id": "<USERNAME>", "type": "password", "token": "<PASSWORD>" } Example: { "user_id": "jsmith", "type": "password", "token": "P@$SW0RD" } Employ SecureAuth's Password Throttling functionality at this endpoint when validating passwords. This requires configuration in the realm; refer to Password Throttling Configuration Guide for more information.	{ "status": "valid", "message": "" }	{ "status": "invalid", "message": "User Id or password is invalid." } { "status": "invalid", "message": "A <X> value is required for this type." } { "status": "invalid", "message": "Unknown value. Supported values are: <X>." }
kba	{ "user_id": "<USERNAME>", "type": "kba", "token": "<ANSWER>", "factor_id": "<KBQ PROPERTY>" } Example: { "user_id": "jsmith", "type": "kba", "token": "biking", "factor_id": "KBQ2" }	{ "status": "valid", "message": "" }	{ "status": "invalid", "message": "Knowledge base answer is incorrect." } { "status": "invalid", "message": "KBQ Id is out of range." } { "status": "invalid", "message": "A <X> value is required for this type." } { "status": "invalid", "message": "Unknown value. Supported values are: <X>." }
oath	{ "user_id": "<USERNAME>", "type": "oath", "token": "<OTP>", "factor_id": "<DEVICE IDENTIFIER>" } Example: { "user_id": "jsmith", "type": "oath", "token": "123456", "factor_id": "a0b1cd23e4f5g67h8ij90k" }	{ "status": "valid", "message": "" }	{ "status": "invalid", "message": "OTP is invalid." } { "status": "invalid", "message": "A <X> value is required for this type." } { "status": "invalid", "message": "Unknown value. Supported values are: <X>." }
pin	{ "user_id": "<USERNAME>", "type" : "pin", "token": "<PIN NUMBER>" } Example: { "user_id": "jsmith", "type": "pin", "token": "1234" }	{ "status": "valid", "message": "" }	{ "status": "invalid", "message": "PIN is invalid." } { "status": "invalid", "message": "Request validation failed with: <X> was not present." }
call	{ "user_id": "<USERNAME>", "type": "call", "factor_id": "<PHONE PROPERTY>", "evaluate_number": "true" } Example: { "user_id": "jsmith", "type": "call", "factor_id": "Phone1" "evaluate_number": "true" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
sms	{ "user_id": "<USERNAME>", "type": "sms", "factor_id": "<PHONE PROPERTY>" "evaluate_number": "true" } Example: { "user_id": "jsmith", "type": "sms", "factor_id": "Phone1" "evaluate_number": "true" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
sms_link	{ "user_id": "<USERNAME>", "type": "sms_link", "factor_id": "<PHONE PROPERTY>" "evaluate_number": "true" } Example: { "user_id": "jsmith", "type": "sms_link", "factor_id": "Phone1" "evaluate_number": "true" }	{ "reference_id": "a7e855c1-45a3-XXXXXX", "status": "valid", "message": "", "user_id": "jsmith" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
email	{ "user_id": "<USERNAME>", "type": "email", "factor_id": "<EMAIL PROPERTY>" } Example: { "user_id": "jsmith", "type": "email", "factor_id": "Email1" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
email_link	{ "user_id": "<USERNAME>", "type": "email_link", "factor_id": "<EMAIL PROPERTY>" } Example: { "user_id": "jsmith", "type": "email_link", "factor_id": "Email1" }	{ "reference_id": "a7e855c1-45a3-XXXXXX", "status": "valid", "message": "", "user_id": "jsmith" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
push	{ "user_id": "<USERNAME>", "type": "push", "factor_id": "<DEVICE IDENTIFIER>" } Example: { "user_id": "jsmith", "type": "push", "factor_id": "z0y9x87wv6u5t43srq2p1on" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
push_accept	{ "user_id": "<USERNAME>", "factor_id": "<DEVICE IDENTIFIER>", "type": "<PUSH-TO-ACCEPT TYPE>", "biometricType":"<BIOMETRIC TYPE>", "push_accept_details": { "company_name": "<COMPANY>", "application_description": "<APP>", "enduser_ip": "<IP ADDRESS>" } } Example: { "user_id": "jsmith", "factor_id": "8117b62897734d71b4XXXXX", "type": "push_accept", "biometricType":"fingerprint", "push_accept_details": { "company_name": "ACME Corp", "application_description": "Salesforce", "enduser_ip": "111.222.33.44" } }	{ "reference_id": "a7e855c1-45a3-XXXXXX", "status": "valid", "message": "", "user_id": "jsmith" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
help_desk	{ "user_id": "<USERNAME>", "type": "help_desk", "factor_id": "<HELPDESK PROPERTY>" } Example: { "user_id": "jsmith", "type": "help_desk", "factor_id": "HelpDesk1" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: Unknown factor id '<X>'" } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500

Use the token request parameter for the specified ad hoc function to define unregistered recipient phone numbers and email addresses.

Function	JSON Parameters	Success Response	Fail / Error Responses
ad hoc call Deliver OTP via phone call to a phone number not stored in the directory	{ "user_id": "<USERNAME>", "type": "call", "token": "<UNREGISTERED PHONE>", "evaluate_number": "true" } Example: { "user_id": "jsmith", "type": "call", "token": "443965551234" "evaluate_number": "true" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: User Id was not present." } { "status": "not_found", "message": "User Id was not found.", "user_id": "jsmith" } { "status": "invalid", "message": "Request validation failed with: Unknown value. Supported values are: password, user_id, sms, call, email, kba, help_desk, push, push_accept, oath, pin." } { "status": "server_error", "message": "Error parsing phone field." } { "status": "server_error", "message": "The specified string is not in the form required for an e-mail address." } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
ad hoc sms Deliver OTP via text message to a phone number not stored in the directory	{ "user_id": "<USERNAME>", "type": "sms", "token": "<UNREGISTERED PHONE>" "evaluate_number": "true" } Example: { "user_id": "jsmith", "type": "sms", "token": "443965551234" "evaluate_number": "true" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: User Id was not present." } { "status": "not_found", "message": "User Id was not found.", "user_id": "jsmith" } { "status": "invalid", "message": "Request validation failed with: Unknown value. Supported values are: password, user_id, sms, call, email, kba, help_desk, push, push_accept, oath, pin." } { "status": "server_error", "message": "Error parsing phone field." } { "status": "server_error", "message": "The specified string is not in the form required for an e-mail address." } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500
ad hoc email Deliver OTP via email to an email address not stored in the directory	{ "user_id": "<USERNAME>", "type": "email", "token": "<UNREGISTERED EMAIL>" } Example: { "user_id": "jsmith", "type": "call", "token": "jsmith@company.com" }	{ "status": "valid", "message": "", "user_id": "jsmith", "otp": "8430" }	{ "status": "invalid", "message": "Request validation failed with: User Id was not present." } { "status": "not_found", "message": "User Id was not found.", "user_id": "jsmith" } { "status": "invalid", "message": "Request validation failed with: Unknown value. Supported values are: password, user_id, sms, call, email, kba, help_desk, push, push_accept, oath, pin." } { "status": "server_error", "message": "Error parsing phone field." } { "status": "server_error", "message": "The specified string is not in the form required for an e-mail address." } In case of a server error, it returns the following response: { "status": "server_error", "message": "<Exception message describing the issue.>", } HTTP Status 500

Function

JSON Parameters

Success Response

Fail / Error Responses

ad hoc call

Deliver OTP via phone call to a phone number not stored in the directory

{
  "user_id": "<USERNAME>",
  "type": "call",
  "token": "<UNREGISTERED PHONE>",
  "evaluate_number": "true"
}

Example:

{
  "user_id": "jsmith",
  "type": "call",
  "token": "443965551234"
  "evaluate_number": "true"
}

{
 "status": "valid",
  "message": "",
  "user_id": "jsmith",
  "otp": "8430"
}

{
  "status": "invalid",
  "message": "Request validation failed with: User Id was not present."
}

{
  "status": "not_found",
  "message": "User Id was not found.",
  "user_id": "jsmith"
}

{
  "status": "invalid",
  "message": "Request validation failed with: Unknown value. Supported values are: 
   password, user_id, sms, call, email, kba, help_desk, push, push_accept, oath, pin."
}

{
  "status": "server_error",
  "message": "Error parsing phone field."
}

{
  "status": "server_error",
  "message": "The specified string is not in the form required for an e-mail address."
}

In case of a server error, it returns the following response:

{
  "status": "server_error",
  "message": "<Exception message describing the issue.>",
}
HTTP Status 500

ad hoc sms

Deliver OTP via text message to a phone number not stored in the directory

{
  "user_id": "<USERNAME>",
  "type": "sms",
  "token": "<UNREGISTERED PHONE>"
  "evaluate_number": "true"
}

Example:

{
  "user_id": "jsmith",
  "type": "sms",
  "token": "443965551234"
  "evaluate_number": "true"
}

{
  "status": "valid",
  "message": "",
  "user_id": "jsmith",
  "otp": "8430"
}

{
  "status": "invalid",
  "message": "Request validation failed with: User Id was not present."
}

{
  "status": "not_found",
  "message": "User Id was not found.",
  "user_id": "jsmith"
}

{
  "status": "invalid",
  "message": "Request validation failed with: Unknown value. Supported values are: 
   password, user_id, sms, call, email, kba, help_desk, push, push_accept, oath, pin."
}

{
  "status": "server_error",
  "message": "Error parsing phone field."
}

{
  "status": "server_error",
  "message": "The specified string is not in the form required for an e-mail address."
}

In case of a server error, it returns the following response:

{
  "status": "server_error",
  "message": "<Exception message describing the issue.>",
}
HTTP Status 500

ad hoc email

Deliver OTP via email to an email address not stored in the directory

{
  "user_id": "<USERNAME>",
  "type": "email",
  "token": "<UNREGISTERED EMAIL>"
}

Example:

{
  "user_id": "jsmith",
  "type": "call",
  "token": "jsmith@company.com"
}

{
  "status": "valid",
  "message": "",
  "user_id": "jsmith",
  "otp": "8430"
}

{
  "status": "invalid",
  "message": "Request validation failed with: User Id was not present."
}

{
  "status": "not_found",
  "message": "User Id was not found.",
  "user_id": "jsmith"
}

{
  "status": "invalid",
  "message": "Request validation failed with: Unknown value. Supported values are: 
   password, user_id, sms, call, email, kba, help_desk, push, push_accept, oath, pin."
}

{
  "status": "server_error",
  "message": "Error parsing phone field."
}

{
  "status": "server_error",
  "message": "The specified string is not in the form required for an e-mail address."
}

In case of a server error, it returns the following response:

{
  "status": "server_error",
  "message": "<Exception message describing the issue.>",
}
HTTP Status 500

GET /auth/{REF_ID}

Use the GET /auth method to access the end user's profile and generate a response.

HTTP Method	URI	Example
GET	`/api/v1/auth/{REF_ID}`	https://secureauth.company.com/secureauth2/api/v1/auth/f50ab2d7-178f-4421-b3ae-9f5634fa54ef

Success Response	Fail / Error Response
{ "status": "found", "message": "ACCEPTED" } { "status": "found", "message": "DENIED" } { "status": "found", "message": "FAILED" } { "status": "found", "message": "EXPIRED" } { "status": "found", "message": "PENDING" }	{ "status": "not_found", "message": "NOTFOUND" } { "status": "invalid", "message": "Invalid reference ID." }

Success Response

Fail / Error Response

{
  "status": "found",
  "message": "ACCEPTED"
}

{
  "status": "found",
  "message": "DENIED"
}

{
  "status": "found",
  "message": "FAILED"
}

{
  "status": "found",
  "message": "EXPIRED"
}

{
  "status": "found",
  "message": "PENDING"
}

{
  "status": "not_found",
  "message": "NOTFOUND"
}

{
  "status": "invalid",
  "message": "Invalid reference ID."
}

GET /auth/link/{REF_ID}

Use the GET /auth/link method to check the user's response to the link-to-accept login request.

HTTP Method	URI	Example
GET	`/api/v1/auth/link/{REF_ID}`	https://secureauth.company.com/secureauth2/api/v1/auth/link/f50ab2d7-178f-4421-b3ae-9f5634fa54ef

Success Response	Fail / Error Response
{ "status": "found", "message": "ACCEPTED" } { "status": "found", "message": "DENIED" } { "status": "found", "message": "FAILED" } { "status": "found", "message": "EXPIRED" } Note Link-to-accept request expires after 2 minute default time period. { "status": "found", "message": "PENDING" } Note Link-to-accept status should not return PENDING because the status call remains open until a response is made. If PENDING is returned, treat it as EXPIRED.	{ "status": "not_found", "message": "NOTFOUND" } { "status": "invalid", "message": "Invalid reference ID." }

Success Response

Fail / Error Response

{
  "status": "found",
  "message": "ACCEPTED"
}

{
  "status": "found",
  "message": "DENIED"
}

{
  "status": "found",
  "message": "FAILED"
}

{
  "status": "found",
  "message": "EXPIRED"
}

Note

Link-to-accept request expires after 2 minute default time period.

{
  "status": "found",
  "message": "PENDING"
}

Note

Link-to-accept status should not return PENDING because the status call remains open until a response is made. If PENDING is returned, treat it as EXPIRED.

{
  "status": "not_found",
  "message": "NOTFOUND"
}

{
  "status": "invalid",
  "message": "Invalid reference ID."
}

In this section:

Profile Validation API guide

Prerequisites

Endpoints

Note

POST /auth

GET /auth/{REF_ID}

GET /auth/link/{REF_ID}

Note

Note

Search results