The Authenticator component specializes in user authentication.
Authenticator provides the capabilities needed to implement the authenticating party (the verifier, as opposed to the party being authenticated) of an authentication protocol.
Authenticator can be used in a variety of authentication scenarios, ranging from simple password checks to complex multi-factor flows. It also supports authentication via SecureBlackbox's own DC protocol, which makes it a good pair for the DCAuth control.
In its default configuration the component uses the attached database of users to handle authentication requests. The authentication flow can be altered if needed to match specific authentication requirements.
In Authenticator's terms, the authentication process is divided into a sequence of atomic steps. Each step is characterized by a user providing an authentication token - such as a password or PIN - and the authenticator validating that token. Each validation step may result in one of the following outcomes:
- Authentication succeeded: the authentication has been completed with a positive outcome;
- Authentication failed: the authentication process has failed; the user did not provide enough evidence to confirm they are who they claim to be;
- Further authentication is required: the authentication was partly successful, but the settings of the component or the user's details require further step(s) to be taken.
Use the following logic when integrating the Authenticator into your project:
- Whenever you receive an authentication request from a user, call the StartAuth method, passing the UserID as a parameter. This initiates the authentication procedure: the Authenticator control looks up the user in the Users database and picks the first authentication method. It then returns the Further authentication is required result and stores the details of the first authentication step in the AuthInfo property. Apart from the information about the authentication method to be performed during this step, AuthInfo also contains a State value, which accumulates the parameters and progress of the user's authentication flow. Save the state value at this stage and restore it later, when the user's response is received. The component itself is stateless: you can keep the current authentication state in a database and resume from it in a different context.
- Now that you have obtained the Further authentication is required result from StartAuth, check the AuthMethod in AuthInfo and request the corresponding token from the user. For example, if the method is 'password', you may present the user with a password dialog.
- Upon receiving a password (or other kind of authentication token) from the user, pass it to the ContinueAuth method, together with the state object that you saved on the preceding step. The component will process the token and come up with one of the three results given above, signifying the end of the first authentication step. If the Further authentication is required result is returned, another authentication step needs to be performed (either because multi-factor authentication is configured for this user, or because an alternative authentication method was chosen following failure of the previous attempt). If that is the case, follow the guidance for the StartAuth-initiated step above. Depending on the settings, many authentication steps may need to be performed, so your code may ultimately end up calling ContinueAuth many times.
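The integration loop described in the steps above, as an added example that is not part of the original documentation or of the SecureBlackbox library: a small Python model that re-implements the StartAuth/ContinueAuth contract (stateless component, opaque State value, the three step outcomes) together with the application-side code that keeps the state in a server-side "database" and feeds it back on the next step, so the whole flow can be run offline. MockAuthenticator, USERS, SESSIONS, the method names 'password' and 'pin' and the retry budget MAX_ATTEMPTS_PER_STEP are constructed for this example and are not SecureBlackbox API names.

```python
"""Added example: a runnable model of the StartAuth / ContinueAuth loop above.
This is NOT the SecureBlackbox Authenticator API. MockAuthenticator re-implements
the described contract (stateless component, opaque state value, three step
outcomes). USERS, SESSIONS, MAX_ATTEMPTS_PER_STEP and method names are constructed."""
import hashlib, hmac, json, secrets
from enum import Enum


class AuthResult(Enum):
    SUCCEEDED = "succeeded"
    FAILED = "failed"
    FURTHER_AUTH_REQUIRED = "further_auth_required"


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed stand-in for the Users collection: ordered methods plus hashed tokens.
USERS = {
    "alice": {"methods": ["password", "pin"],
              "secrets": {"password": _digest("correct horse"), "pin": _digest("4242")}},
    "bob": {"methods": ["password"], "secrets": {"password": _digest("hunter2")}},
}
MAX_ATTEMPTS_PER_STEP = 3  # wrong tokens tolerated before the flow fails


class MockAuthenticator:
    def __init__(self, users):
        self.users = users
        self.auth_info = {}  # mirrors AuthInfo: current AuthMethod and State

    def start_auth(self, user_id):
        user = self.users.get(user_id)
        if user is None or not user["methods"]:
            self.auth_info = {}
            return AuthResult.FAILED
        return self._announce_step({"user": user_id, "step": 0, "attempts": 0})

    def continue_auth(self, state_str, token):
        # Stateless: everything needed comes back in the state the caller stored.
        state = json.loads(state_str)
        user = self.users[state["user"]]
        method = user["methods"][state["step"]]
        if hmac.compare_digest(_digest(token), user["secrets"][method]):
            state.update(step=state["step"] + 1, attempts=0)
            if state["step"] == len(user["methods"]):
                self.auth_info = {"user_id": state["user"]}
                return AuthResult.SUCCEEDED
            return self._announce_step(state)  # next factor
        state["attempts"] += 1
        if state["attempts"] >= MAX_ATTEMPTS_PER_STEP:
            self.auth_info = {}
            return AuthResult.FAILED
        return self._announce_step(state)  # same method, another try

    def _announce_step(self, state):
        method = self.users[state["user"]]["methods"][state["step"]]
        self.auth_info = {"auth_method": method, "state": json.dumps(state)}
        return AuthResult.FURTHER_AUTH_REQUIRED


# Application side. The state value lives server-side under a random handle (the
# "database" the text mentions) and is consumed on every use: no stale-handle replay.
SESSIONS = {}


def begin_login(auth, user_id):
    result = auth.start_auth(user_id)
    if result is not AuthResult.FURTHER_AUTH_REQUIRED:
        return None, result, None
    handle = secrets.token_urlsafe(16)
    SESSIONS[handle] = auth.auth_info["state"]
    return handle, result, auth.auth_info["auth_method"]


def submit_token(auth, handle, token):
    state = SESSIONS.pop(handle, None)
    if state is None:
        return AuthResult.FAILED, None
    result = auth.continue_auth(state, token)
    if result is AuthResult.FURTHER_AUTH_REQUIRED:
        SESSIONS[handle] = auth.auth_info["state"]
        return result, auth.auth_info["auth_method"]
    return result, None


def run_login(auth, user_id, tokens):
    """Drive one login with scripted tokens; returns the observed (result, next method) pairs."""
    handle, result, method = begin_login(auth, user_id)
    trace = [(result, method)]
    for token in tokens:
        if result is not AuthResult.FURTHER_AUTH_REQUIRED:
            break
        result, method = submit_token(auth, handle, token)
        trace.append((result, method))
    return trace
```

Two points carry over to a real integration. First, the state value is written to the session store and read back exactly once per step, so a handle that has already been consumed, or a login that has completed or failed, cannot be resumed. Second, a wrong token does not necessarily end the flow: the component may answer with another Further authentication is required rather than Failed, so the application must not read that result as progress; it should simply check AuthInfo again and prompt for whatever method is announced.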
The class can be customized to use external user information sources instead of the predefined user database. The AuthStart, AuthVerify, and AuthAttemptResult events give your code an opportunity to intervene in the authentication process, define your own authentication procedures, and validate authentication tokens manually.
The following is the full list of the properties of the component with short descriptions.

| Property | Description |
|---|---|
| AuthInfo | Contains details of the current authentication step. |
| BlockedCertificates | The certificates that must be rejected as trust anchors. |
| Certificates | A collection of certificates included in the electronic signature. |
| ChainValidationDetails | The details of a certificate chain validation outcome. |
| ChainValidationResult | The general outcome of a certificate chain validation routine. Use ChainValidationDetails to get information about the reasons that contributed to the validation result. |
| DefaultAuthMethods | Contains the list of default authentication methods. |
| ExternalCrypto | Provides access to external signing and DC parameters. |
| IgnoreChainValidationErrors | Makes the component tolerant to chain validation errors. |
| KnownCertificates | Additional certificates for chain validation. |
| KnownCRLs | Additional CRLs for chain validation. |
| KnownOCSPs | Additional OCSP responses for chain validation. |
| OfflineMode | Switches the component to offline mode. |
| Proxy | The proxy server settings. |
| RevocationCheck | Specifies the kind(s) of revocation check to perform. |
| SigningCertificate | The certificate to be used for signing. |
| SocketSettings | Manages network connection settings. |
| TLSSettings | Manages TLS layer settings. |
| TrustedCertificates | A list of trusted certificates for chain validation. |
| Users | A collection of known users along with their authentication settings. |
| ValidationLog | Contains the complete log of the certificate validation routine. |
| ValidationMoment | The time point at which signature validity is to be established. |
The following is the full list of the methods of the component with short descriptions.

| Method | Description |
|---|---|
| Config | Sets or retrieves a configuration setting. |
| ContinueAuth | Call this method to process an authentication token and proceed to the next authentication step. |
| StartAuth | Initiates an authentication process. |
The following is the full list of the events fired by the component with short descriptions.

| Event | Description |
|---|---|
| AuthAttemptResult | Reports the outcome of an authentication attempt. |
| AuthAttemptStart | Signifies the start of an authentication attempt. |
| AuthStart | Signifies the start of an authentication process. |
| AuthVerify | Requests the application to validate an authentication token. |
| CustomAuthStart | Reports the beginning of a custom authentication method. |
| Error | Reports information about errors during authentication. |
| Notification | Notifies the application about an underlying control flow event. |
The following is a list of configuration settings for the component with short descriptions.

| Configuration setting | Description |
|---|---|
| ForceCompleteChainValidationForTrusted | Whether to continue with the full validation up to the root CA certificate for mid-level trust anchors. |
| IgnoreOCSPNoCheckExtension | Whether the OCSP NoCheck extension should be ignored. |
| IgnoreSystemTrust | Whether trusted Windows Certificate Stores should be treated as trusted. |
| ImplicitlyTrustSelfSignedCertificates | Whether to trust self-signed certificates. |
| PromoteLongOCSPResponses | Whether long OCSP responses are requested. |
| TolerateMinorChainIssues | Whether to tolerate minor chain issues. |
| UseMicrosoftCTL | Enables or disables automatic use of the Microsoft online certificate trust list. |
| UseSystemCertificates | Enables or disables the use of the system certificates. |
| CheckKeyIntegrityBeforeUse | Enables or disables the private key integrity check before use. |
| CookieCaching | Specifies whether a cookie cache should be used for HTTP(S) transports. |
| Cookies | Gets or sets local cookies for the component (supported for HTTPClient, RESTClient and SOAPClient only). |
| DefDeriveKeyIterations | Specifies the default key derivation algorithm iteration count. |
| EnableClientSideSSLFFDHE | Enables or disables finite field DHE key exchange support in TLS clients. |
| GlobalCookies | Gets or sets global cookies for all the HTTP transports. |
| HttpUserAgent | Specifies the user agent name to be used by all HTTP clients. |
| LogDestination | Specifies the debug log destination. |
| LogDetails | Specifies the debug log details to dump. |
| LogFile | Specifies the debug log filename. |
| LogFilters | Specifies the debug log filters. |
| LogFlushMode | Specifies the log flush mode. |
| LogLevel | Specifies the debug log level. |
| LogMaxEventCount | Specifies the maximum number of events to cache before further action is taken. |
| LogRotationMode | Specifies the log rotation mode. |
| MaxASN1BufferLength | Specifies the maximum allowed length for ASN.1 primitive tag data. |
| MaxASN1TreeDepth | Specifies the maximum depth for processed ASN.1 trees. |
| OCSPHashAlgorithm | Specifies the hash algorithm to be used to identify certificates in OCSP requests. |
| UseOwnDNSResolver | Specifies whether the client components should use their own DNS resolver. |
| UseSharedSystemStorages | Specifies whether the validation engine should use a global per-process copy of the system certificate stores. |
| UseSystemOAEPAndPSS | Enforces or disables the use of system-driven RSA OAEP and PSS computations. |
| UseSystemRandom | Enables or disables the use of the OS PRNG. |