Getting Started
IDaaS provides an Authentication API that lets you authenticate users programmatically with supported authenticators. Use this guide to create an Authentication API application, review the authentication flow, initialize a client, and make your first authentication request.
Start here
Start with the resource that matches your task:
- Use the Authentication API reference when you need endpoint details, request and response schemas, or interactive testing. Before sending test requests from the API Explorer, enter your IDaaS tenant URL and add this site's origin to your IDaaS CORS origins.
- Use Client setup when you want to install a generated client for your preferred programming language.
Download the OpenAPI file
Download the raw OpenAPI JSON file when you want to import the schema into Postman, generate a client, or validate requests locally.
Prerequisites
Before you run the examples in this guide, make sure you have:
- An Authentication API application in IDaaS.
- A resource rule assigned to the Authentication API application.
- The application ID and IDaaS hostname from the Authentication API application settings.
- A test user who is registered in IDaaS and assigned the authenticator you want to test.
Create an Authentication API application in IDaaS
- Go to your IDaaS Admin portal and navigate to Security > Applications.
- Click +, and then select Authentication API from the list of available applications.
- In the General tab, enter the name and description of your application.
- Click Next.
- In the Setup tab, set the Source of Client IP Address for Risk Conditions.
- In the Complete tab, click Copy to copy the applicationID to your clipboard. You need the applicationID to initialize the Authentication API. Example: 9aaf0071-3f79-4663-9782-932c7d53c3da.
- Add a resource rule to your Authentication API application.
A resource rule must be added to your Authentication API application.
Authentication flow
IDaaS uses three API calls to complete an authentication challenge:
- Get User's Authenticators.
- Select Authenticator.
- Complete Authentication Challenge.
Make these API calls sequentially. Each response contains information that is required to complete the next call.
Available authenticators
The Authentication API supports these authenticator values:
- MACHINE
- PASSWORD
- EXTERNAL
- KBA
- TEMP_ACCESS_CODE
- OTP
- GRID
- TOKEN
- TOKENPUSH
- FIDO
- SMARTCREDENTIALPUSH
- PASSWORD_AND_SECONDFACTOR
- PASSTHROUGH
Initialize the Authentication API client
To call the API, initialize the Authentication API client using the applicationID you copied when you created the application.
Java:

    import com.entrustdatacard.intellitrust.auth.ApiClient;
    import com.entrustdatacard.intellitrust.auth.api.AuthenticationApi;
    import com.entrustdatacard.intellitrust.auth.model.AuthenticatedResponse;
    import com.entrustdatacard.intellitrust.auth.model.UserAuthenticateParameters;
    import com.entrustdatacard.intellitrust.auth.model.UserChallengeParameters;

    public class Main {
        private static final String APPLICATION_ID = "YOUR_APPLICATION_ID";
        private static final String HOST_NAME = "YOUR_HOST_NAME";

        public static void main(String[] args) throws Exception {
            // Initialize the API client with the IDaaS hostname.
            ApiClient apiClient = new ApiClient();
            apiClient.setBasePath(HOST_NAME);
            // Create an instance of the authentication API.
            AuthenticationApi authApi = new AuthenticationApi(apiClient);
        }
    }
CSharp:

    using com.entrustdatacard.intellitrust.auth.api;
    using com.entrustdatacard.intellitrust.auth.Client;
    using com.entrustdatacard.intellitrust.auth.model;

    namespace Sample
    {
        internal class AuthApiSample
        {
            private static readonly string HOST_NAME = "YOUR_HOST_NAME";
            private static readonly string APPLICATION_ID = "YOUR_APPLICATION_ID";

            public static void Main()
            {
                Configuration configuration = new Configuration();
                configuration.BasePath = HOST_NAME;
                var authApi = new AuthenticationApi(configuration);
            }
        }
    }
Python:

    from IntelliTrust_Python_Authentication import ApiClient, Configuration
    import IntelliTrust_Python_Authentication.api as apis
    import IntelliTrust_Python_Authentication.models as models
    import IntelliTrust_Python_Authentication.exceptions as exceptions

    # Application ID copied from the Authentication API application settings.
    APPLICATION_ID = "YOUR_APPLICATION_ID"

    conf = Configuration(host="YOUR_HOST_NAME")
    with ApiClient(conf) as api_client:
        # Create an instance of the authentication API.
        auth_api = apis.AuthenticationApi(api_client)
Try API requests
After you initialize the client, you can make calls to the Authentication API. The following example authenticates a user who is registered in IDaaS and assigned the selected authenticator.
Java:

    // Continues inside main(), after authApi has been created.
    String authType = args[0];
    String userId = args[1];

    // Request a challenge for the selected authenticator.
    UserChallengeParameters challengeParms = new UserChallengeParameters();
    challengeParms.setApplicationId(APPLICATION_ID);
    challengeParms.setUserId(userId);
    AuthenticatedResponse challengeResponse = authApi.userChallengeUsingPOST(authType, challengeParms);

    // Submit the user's response together with the token from the challenge.
    String response = System.console().readLine("Enter response: ");
    UserAuthenticateParameters authParms = new UserAuthenticateParameters();
    authParms.setApplicationId(APPLICATION_ID);
    authParms.setResponse(response);
    authApi.userAuthenticateUsingPOST(authType, authParms, challengeResponse.getToken());
CSharp:

    // Continues inside Main(), after authApi has been created.
    string userId = null;
    do
    {
        Console.WriteLine("Enter the User ID of existing user.");
        userId = Console.ReadLine()?.Trim();
    } while (userId == null || userId.Length == 0);

    string authType = null;
    do
    {
        Console.WriteLine("Enter the authentication type (PASSWORD, OTP, KBA, etc.)");
        authType = Console.ReadLine()?.Trim();
    } while (authType == null || authType.Length == 0);

    Console.WriteLine("Authenticating user " + userId);
    // Request a challenge for the selected authenticator.
    var challengeParams = new UserChallengeParameters(applicationId: APPLICATION_ID, userId: userId);
    AuthenticatedResponse challengeResponse = authApi.UserChallengeUsingPOST(authType, challengeParams);

    // Submit the user's response together with the token from the challenge.
    Console.WriteLine("Enter the response");
    string response = Console.ReadLine()?.Trim();
    var authParams = new UserAuthenticateParameters(applicationId: APPLICATION_ID, response: response);
    authApi.UserAuthenticateUsingPOST(authType, authParams, challengeResponse.Token);
Python:

    # Continues inside the "with ApiClient(conf)" block, after auth_api has been created.
    auth_type = input("Enter the authentication type (PASSWORD, OTP, KBA, etc.): ")
    user_id = input("Enter the User ID of existing user: ")

    # Request a challenge for the selected authenticator.
    user_challenge_parameters = models.UserChallengeParameters(application_id=APPLICATION_ID, user_id=user_id)
    challenge_response = auth_api.user_challenge_using_post(auth_type, user_challenge_parameters)

    # Submit the user's response together with the token from the challenge.
    response = input("Enter response: ")
    user_authenticate_parameters = models.UserAuthenticateParameters(application_id=APPLICATION_ID, response=response)
    try:
        auth_response = auth_api.user_authenticate_using_post(auth_type, user_authenticate_parameters, challenge_response.token)
        if auth_response.authentication_completed:
            print("Authentication successful")
    except exceptions.ForbiddenException as e:
        print("Authentication failed: " + e.reason)
Full example snippet
Java:

    package com.entrust.idaas.userAuthenticate;

    import com.entrustdatacard.intellitrust.auth.ApiClient;
    import com.entrustdatacard.intellitrust.auth.api.AuthenticationApi;
    import com.entrustdatacard.intellitrust.auth.model.*;

    public class UserAuthenticate {
        private static final String APPLICATION_ID = "YOUR_APPLICATION_ID";
        private static final String HOST_NAME = "YOUR_HOST_NAME";

        public static void main(String[] args) throws Exception {
            ApiClient apiClient = new ApiClient();
            apiClient.setBasePath(HOST_NAME);
            AuthenticationApi authApi = new AuthenticationApi(apiClient);

            if (args.length != 2) {
                System.err.println("userAuthenticate <authType> <userId>");
                System.exit(-1);
            }
            String authType = args[0];
            String userId = args[1];

            // Request a challenge for the selected authenticator.
            UserChallengeParameters challengeParms = new UserChallengeParameters();
            challengeParms.setApplicationId(APPLICATION_ID);
            challengeParms.setUserId(userId);
            AuthenticatedResponse challengeResponse = authApi.userChallengeUsingPOST(authType, challengeParms);

            // Submit the user's response together with the token from the challenge.
            String response = System.console().readLine("Enter response: ");
            UserAuthenticateParameters authParms = new UserAuthenticateParameters();
            authParms.setApplicationId(APPLICATION_ID);
            authParms.setResponse(response);
            authApi.userAuthenticateUsingPOST(authType, authParms, challengeResponse.getToken());
        }
    }
CSharp:

    using System;
    using com.entrustdatacard.intellitrust.auth.api;
    using com.entrustdatacard.intellitrust.auth.Client;
    using com.entrustdatacard.intellitrust.auth.model;

    namespace Sample
    {
        internal class AuthApiSample
        {
            private static readonly string HOST_NAME = "YOUR_HOST_NAME";
            private static readonly string APPLICATION_ID = "YOUR_APPLICATION_ID";

            public static void Main()
            {
                Configuration configuration = new Configuration();
                configuration.BasePath = HOST_NAME;
                var authApi = new AuthenticationApi(configuration);

                Console.WriteLine("Authenticating user");
                string userId = null;
                do
                {
                    Console.WriteLine("Enter the User ID of existing user.");
                    userId = Console.ReadLine()?.Trim();
                } while (userId == null || userId.Length == 0);

                string authType = null;
                do
                {
                    Console.WriteLine("Enter the authentication type (PASSWORD, OTP, KBA, etc.)");
                    authType = Console.ReadLine()?.Trim();
                } while (authType == null || authType.Length == 0);

                Console.WriteLine("Authenticating user " + userId);
                // Request a challenge for the selected authenticator.
                var challengeParams = new UserChallengeParameters(applicationId: APPLICATION_ID, userId: userId);
                AuthenticatedResponse challengeResponse = authApi.UserChallengeUsingPOST(authType, challengeParams);

                string response = null;
                do
                {
                    Console.WriteLine("Enter the response");
                    response = Console.ReadLine()?.Trim();
                } while (response == null || response.Length == 0);

                // Submit the user's response together with the token from the challenge.
                var authParams = new UserAuthenticateParameters(applicationId: APPLICATION_ID, response: response);
                try
                {
                    authApi.UserAuthenticateUsingPOST(authType, authParams, challengeResponse.Token);
                    Console.WriteLine("Authentication successful");
                }
                catch (ApiException e)
                {
                    Console.WriteLine("Authentication failed: " + e.Message);
                }
            }
        }
    }
Python:

    from IntelliTrust_Python_Authentication import ApiClient, Configuration
    import IntelliTrust_Python_Authentication.api as apis
    import IntelliTrust_Python_Authentication.models as models
    import IntelliTrust_Python_Authentication.exceptions as exceptions

    # Application ID copied from the Authentication API application settings.
    APPLICATION_ID = "YOUR_APPLICATION_ID"

    conf = Configuration(host="YOUR_HOST_NAME")
    with ApiClient(configuration=conf) as api_client:
        auth_api = apis.AuthenticationApi(api_client)

        auth_type = input("Enter the authentication type (PASSWORD, OTP, KBA, etc.): ")
        user_id = input("Enter the User ID of existing user: ")

        # Request a challenge for the selected authenticator.
        user_challenge_parameters = models.UserChallengeParameters(application_id=APPLICATION_ID, user_id=user_id)
        challenge_response = auth_api.user_challenge_using_post(auth_type, user_challenge_parameters)

        # Submit the user's response together with the token from the challenge.
        response = input("Enter response: ")
        user_authenticate_parameters = models.UserAuthenticateParameters(application_id=APPLICATION_ID, response=response)
        try:
            auth_response = auth_api.user_authenticate_using_post(auth_type, user_authenticate_parameters, challenge_response.token)
            if auth_response.authentication_completed:
                print("Authentication successful")
        except exceptions.ForbiddenException as e:
            print("Authentication failed: " + e.reason)
The sample code above is for demonstration purposes only. It is not intended to be used in production. Validate input parameters, handle exceptions, and use a secure method to set the application ID and host name.
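The following added example (not part of the IDaaS sample code) shows one way to act on that advice before any API call is made: it reads the host name and application ID from the environment and allowlists the authenticator against the values listed on this page. The environment variable names, the 256-character user ID limit, and the treatment of the host name as a full https:// URL are assumptions for illustration.

```python
import os
import uuid
from urllib.parse import urlsplit

# Authenticator values listed on this page.
SUPPORTED_AUTHENTICATORS = frozenset({
    "MACHINE", "PASSWORD", "EXTERNAL", "KBA", "TEMP_ACCESS_CODE", "OTP", "GRID",
    "TOKEN", "TOKENPUSH", "FIDO", "SMARTCREDENTIALPUSH",
    "PASSWORD_AND_SECONDFACTOR", "PASSTHROUGH",
})
MAX_USER_ID_LEN = 256  # assumption: adjust to your tenant's user ID policy


def load_settings(env=os.environ):
    """Read host name and application ID from the environment (hypothetical
    variable names) instead of hardcoding them, and reject malformed values."""
    host = env.get("IDAAS_HOST_NAME", "").strip()
    app_id = env.get("IDAAS_APPLICATION_ID", "").strip()
    parts = urlsplit(host)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("IDAAS_HOST_NAME must be an https:// URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("IDAAS_HOST_NAME must not carry credentials, query or fragment")
    try:
        # The page's example applicationID is a UUID; normalise to canonical form.
        app_id = str(uuid.UUID(app_id))
    except ValueError:
        raise ValueError("IDAAS_APPLICATION_ID must be a UUID") from None
    return host.rstrip("/"), app_id


def validate_request(auth_type, user_id):
    """Allowlist the authenticator and sanity-check the user ID before any API call."""
    auth_type = auth_type.strip().upper()
    if auth_type not in SUPPORTED_AUTHENTICATORS:
        raise ValueError("unsupported authenticator")
    user_id = user_id.strip()
    if not user_id or len(user_id) > MAX_USER_ID_LEN:
        raise ValueError("user ID is empty or too long")
    if any(not ch.isprintable() for ch in user_id):
        raise ValueError("user ID contains control characters")
    return auth_type, user_id
```

Pass the values returned by load_settings to Configuration(host=...) and to the application_id arguments, and pass the validated auth_type and user_id to the challenge call.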
More guides
- For prerequisites, the three-call flow, and supported authenticators, see Authentication overview.
- For PSD2, offlineTVS, and pushMessageIdentifier, see Transaction details and mobile SDK push messages.
- For risk evaluation behavior, see Risk-based authentication and machine authentication.
- For authorization, token, device code, JWT IDaaS, and logout endpoints, see OIDC and OAuth flows and endpoints.
- For raw HTTP walkthroughs, see One-factor authentication, Two-factor authentication, EXTERNAL plus second-factor authentication, and User logout.
- For SDK-based examples, see Get Users Authenticators, One Time Password, Entrust Soft Token, and Self passkey registration.
- For security scheme and support details, see Authentication and support.