Credential Type REST API

The Credential/Type endpoint allows creating and managing credential types which define the credential parameters leveraged during user authentication.

Credentials are stored in devices and contain information used to authenticate users, and are linked to a credential type.

HID Authentication Service includes a set of default credential types.

Note: The API version supported by HID Authentication Service is 10.2.0.

To use the version-specific parameters/attributes, you must add api-version=N as a query parameter to the request URI.

Previous versions of the API are also supported with the corresponding functionality. For details of the version updates, see SCIM API Revision History.

Method Details

| HTTPS Method | Entity Action | Request URI | Description |
|---|---|---|---|
| GET | Read | /configuration/{tenant}/v2/Credential/Type | Get all credential types |
| GET | Read | /configuration/{tenant}/v2/Credential/Type/{id}:(String) | Get a known credential type |
| POST | Create | /configuration/{tenant}/v2/Credential/Type | Create a credential type |
| PUT | Replace | /configuration/{tenant}/v2/Credential/Type/{id}:(String) | Fully replace a known credential type |
| DELETE | Delete | /configuration/{tenant}/v2/Credential/Type/{id}:(String) | Delete a known credential type |

Required Permissions

| Function | Required Permissions |
|---|---|
| GET | Get credential type; Read reference data |
| GET ALL | Read reference data |
| CREATE | Read credential details; Create credential type; Read reference data |
| REPLACE | Read credential details; Update credential type; Read reference data |
| DELETE | Read credential details; Delete credential type |

Get All Credential Types

[GET] /Credential/Type

Sample Request URI

[GET] /configuration/{tenant}/v2/Credential/Type

Sample Response

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 70,
    "resources": [
        {
            "schemas": [
                "urn:hid:scim:api:idp:2.0:credential:Type"
            ],
            "id": "CT_PKICR1",
            "meta": {
                "resourceType": "Credential",
                "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_PKICR1",
                "version": "1"
            },
            "readOnly": false,
            "name": "PKI Challenge Response v1",
            "notes": "Validates a signed challenge, i.e. response, using the public key from a PKI x509 Certificates v1"
        },
        {
            "schemas": [
                "urn:hid:scim:api:idp:2.0:credential:Type"
            ],
            "id": "CT_CRTCHK1",
            "meta": {
                "resourceType": "Credential",
                "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_CRTCHK1",
                "version": "1"
            },
            "readOnly": false,
            "name": "PKI Certificate Check v1",
            "notes": "Validates that the certificate is assigned to the authenticating user"
        },
        {
            "schemas": [
                "urn:hid:scim:api:idp:2.0:credential:Type"
            ],
            "id": "CT_PKIDIRECT",
            "meta": {
                "resourceType": "Credential",
                "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_PKIDIRECT",
                "version": "1"
            },
            "readOnly": false,
            "name": "PKI Sync or Async",
            "notes": "Synchronous or asynchronous PKI for direct users"
        },
        {
            "schemas": [
                "urn:hid:scim:api:idp:2.0:credential:type:SDB",
                "urn:hid:scim:api:idp:2.0:credential:Type"
            ],
            "id": "CT_AIAT",
            "meta": {
                "resourceType": "Credential",
                "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_AIAT",
                "version": "1"
            },
            "readOnly": false,
            "name": "AI SKI Time and Event based credential",
            "notes": "ActivID SKI Time and Event based (AT) credential",
            "urn:hid:scim:api:idp:2.0:credential:type:SDB": {
                "serviceName": "PASSWORD",
                "algo": "ai",
                "timeWindow": {
                    "timeStep": 128,
                    "smallWindowTimeStart": -3,
                    "smallWindowTimeEnd": 2,
                    "largeWindowTimeStart": -5,
                    "largeWindowTimeEnd": 4
                },
                "eventWindow": {
                    "smallWindowEventEnd": 2,
                    "largeWindowEventEnd": 10,
                    "eventCounterManualUpdateAllowedDiff": 1
                }
            }
        },
        {
            "schemas": [
                "urn:hid:scim:api:idp:2.0:credential:Type"
            ],
            "id": "CT_AIIN1",
            "meta": {
                "resourceType": "Credential",
                "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_AIIN1",
                "version": "1"
            },
            "readOnly": false,
            "name": "ActivID OTP on smart cards v1",
            "notes": "ActivID SKI Time Passwords on initialized smartcards"
        },
        {
            "schemas": [
                "urn:hid:scim:api:idp:2.0:credential:type:OATH",
                "urn:hid:scim:api:idp:2.0:credential:Type"
            ],
            "id": "CT_SEOS_OTP",
            "meta": {
                "resourceType": "Credential",
                "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_SEOS_OTP",
                "version": "1"
            },
            "readOnly": false,
            "name": "HID SEOS OATH Event based credential",
            "notes": "HID SEOS OATH Event based credential",
            "urn:hid:scim:api:idp:2.0:credential:type:OATH": {
                "serviceName": "PASSWORD",
                "algo": "hotp|totp|ocra",
                "totp": {
                    "timeStep": 128,
                    "smallWindowTimeStart": -3,
                    "smallWindowTimeEnd": 3,
                    "largeWindowTimeStart": -5,
                    "largeWindowTimeEnd": 4
                },
                "hotp": {
                    "smallWindowEventEnd": 2,
                    "largeWindowEventEnd": 10,
                    "eventCounterManualUpdateAllowedDiff": 1
                },
                "ocra": {
                    "eventCounterResynchronizationWindowOverride": 30,
                    "timeResynchronizationWindowOverride": 20,
                    "ocraSuiteCounterCROverride": "OCRA-1:HOTP-SHA1-8:C-QA06",
                    "ocraSuiteTimestampCROverride": "OCRA-1:HOTP-SHA1-8:QA06-T30S",
                    "ocraSuiteCounterSignOverride": "OCRA-1:HOTP-SHA1-8:C-QA06",
                    "modes": [
                        "CHALLENGE_RESPONSE",
                        "SIGNATURE"
                    ]
                }
            }
        },
        {
            "schemas": [
                "urn:hid:scim:api:idp:2.0:credential:Type"
            ],
            "id": "CT_OOB",
            "meta": {
                "resourceType": "Credential",
                "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_OOB",
                "version": "1"
            },
            "readOnly": false,
            "name": "OOB Credential",
            "notes": "OOB Credential"
        },
    ************** TRUNCATED OUTPUT **************
}

Get a Credential Type

[GET] /Credential/Type/{id}

Sample Request URI

[GET] /configuration/{tenant}/v2/Credential/Type/CT_PKI1

Sample Response

{
    "schemas": [
        "urn:hid:scim:api:idp:2.0:credential:Type"
    ],
    "meta": {
        "resourceType": "Credential",
        "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_PKI1",
        "version": "1"
    },
    "id": "CT_PKI1",
    "name": "PKI Challenge Response v1",
    "notes": "Validates a signed challenge, i.e. response, using the public key from a PKI x509 Certificates v1",
    "readOnly": false
}

Create a Credential Type

Important: You cannot create a Credential Type from scratch. You must use the copyFrom parameter to specify another Credential Type ID from which to copy the configuration.

For details of the extension, see urn:hid:scim:api:idp:2.0:credential:Type

Sample Request URI

[POST] /configuration/{tenant}/v2/Credential/Type

Sample request where a new credential type with the id CT_TDSCRNEW is created based on CT_TDSOAECR.

{
    "copyFrom": "CT_TDSOAECR",
    "id": "CT_TDSCRNEW",
    "name": "New CR credential type",
    "notes": "Validates a signed challenge"
}

Sample Response

{
    "schemas": ["urn:hid:scim:api:idp:2.0:credential:Type"],
    "id": "CT_TDSCRNEW",
    "meta": {
        "resourceType": "Credential",
        "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_TDSCRNEW",
        "version": "1"
    },
    "name": "New CR credential type",
    "notes": "Validates a signed challenge",
    "readOnly": false,
    "urn:hid:scim:api:idp:2.0:credential:type:OATH": {
        "serviceName": "PASSWORD",
        "algo": "hotp|totp|ocra",
        "totp": {
            "timeStep": 128,
            "smallWindowTimeStart": -3,
            "smallWindowTimeEnd": 2,
            "largeWindowTimeStart": -5,
            "largeWindowTimeEnd": 4
        },
        "hotp": {
            "smallWindowEventEnd": 2,
            "largeWindowEventEnd": 10,
            "eventCounterManualUpdateAllowedDiff": 1
        },
        "ocra": {
            "eventCounterResynchronizationWindowOverride": 30,
            "timeResynchronizationWindowOverride": 20,
            "ocraSuiteCounterCROverride": "OCRA-1:HOTP-SHA1-8:C-QA06",
            "ocraSuiteTimestampCROverride": "OCRA-1:HOTP-SHA1-8:QA06-T30S",
            "ocraSuiteCounterSignOverride": "OCRA-1:HOTP-SHA1-8:C-QA06"
        }
    },
    ************** TRUNCATED OUTPUT **************
}

Replace a Credential Type

[PUT] /Credential/Type/{id}

Accept: application/scim+json

Note: As a best practice, use GET to retrieve the current data for the resource before using PUT.

Sample Request URI

[PUT] /configuration/{tenant}/v2/Credential/Type/CT_TDSCRNEW?api-version=9

Sample request to update the OCRA mode (requires api-version=9 or later)

{
    "id": "CT_TDSCRNEW",
    "schemas": [
        "urn:hid:scim:api:idp:2.0:credential:type:PushOATH",
        "urn:hid:scim:api:idp:2.0:credential:Type"
    ],
    "urn:hid:scim:api:idp:2.0:credential:type:PushOATH": {
        "algo": "ocra",
        "ocra": {
            "modes": ["SIGNATURE"]
        }
    }
}

Sample Response

{
    "schemas": [
        "urn:hid:scim:api:idp:2.0:credential:Type"],
    "meta": {
        "resourceType": "Credential",
        "location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_TDSCRNEW",
        "version": "1"
    },
    "id": "CT_TDSCRNEW",
    "name": "New CR credential type",
    "notes": "Validates a signed challenge",
    "urn:hid:scim:api:idp:2.0:credential:type:PushOATH": {
        "keyValidityPeriod": 1825,
        "keyLabel": "signkey12",
        "keyUsage": "otp",
        "algo": "hotp",
        "hotp": {
            "otpLen": 8,
            "validityWindow": 30,
            "smallWindowCounterEventEnd": 2,
            "largeWindowCounterEventEnd": 10,
            "eventCounterManualUpdateAllowedDiff": 1
        },
        "totp": {
            "otpLen": 8,
            "validityWindow": 20,
            "smallWindowTimeStart": -3,
            "smallWindowTimeEnd": 3,
            "largeWindowTimeTimeStart": -5,
            "largeWindowTimeTimeEnd": 4
        },
        "ocra": {
            "ocraSuite": "OCRA-1:HOTP-SHA1-8:QN08-T30S",
            "eventCounterResynchronizationWindowOverride": 30,
            "timeResynchronizationWindowOverride": 20,
            "eventCounterManualUpdateAllowedDiff": 1,
            "modes": ["SIGNATURE"]
        }
    }
}
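
Added example (not HID code, and not part of the original page) of the GET-then-PUT practice noted above: it builds the replace body from the resource a GET returned, so attributes you are not changing are carried over, and applies only the OCRA mode change. The function names, the tenant value t1234, dropping meta from the body, and treating readOnly as a stop condition are assumptions.

```python
import copy
from urllib.parse import quote

def deep_merge(target, changes):
    """Apply changes onto target in place: nested objects merge, other values replace."""
    for key, value in changes.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            deep_merge(target[key], value)
        else:
            target[key] = copy.deepcopy(value)
    return target

def build_replace(current, extension_urn, changes, tenant, api_version):
    """Build (uri, body) for the PUT from the resource a GET just returned."""
    if current.get("readOnly"):  # assumption: readOnly types must not be modified
        raise ValueError(f"{current['id']} is read-only")
    body = copy.deepcopy(current)   # keep the GET snapshot intact for rollback/diff
    body.pop("meta", None)          # assumption: server-managed, as in the sample PUT body
    if extension_urn not in body.setdefault("schemas", []):
        body["schemas"].insert(0, extension_urn)
    deep_merge(body.setdefault(extension_urn, {}), changes)
    # Percent-encode path segments so a tenant or id value cannot alter the path.
    uri = (f"/configuration/{quote(tenant, safe='')}/v2/Credential/Type/"
           f"{quote(body['id'], safe='')}?api-version={int(api_version)}")
    return uri, body

PUSH = "urn:hid:scim:api:idp:2.0:credential:type:PushOATH"
# Constructed GET result, trimmed from the sample response on this page.
CURRENT = {
    "schemas": ["urn:hid:scim:api:idp:2.0:credential:Type"],
    "meta": {"resourceType": "Credential", "version": "1"},
    "id": "CT_TDSCRNEW",
    "name": "New CR credential type",
    "readOnly": False,
    PUSH: {"keyUsage": "otp", "algo": "hotp",
           "hotp": {"otpLen": 8, "validityWindow": 30},
           "ocra": {"ocraSuite": "OCRA-1:HOTP-SHA1-8:QN08-T30S",
                    "modes": ["CHALLENGE_RESPONSE", "SIGNATURE"]}},
}

if __name__ == "__main__":
    import json
    uri, body = build_replace(CURRENT, PUSH,
                              {"algo": "ocra", "ocra": {"modes": ["SIGNATURE"]}},
                              "t1234", 9)   # t1234 is a placeholder tenant
    print("PUT", uri)
    print(json.dumps(body, indent=4))
```
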

Delete a Credential Type

Important: Do not delete the default credential types.

All the delete endpoints follow the same standard pattern and can be reached through the following URL pattern:

Delete entity

DELETE https://[base-server-url]/configuration/{tenant}/v2/ENTITY_TYPE/{id}

Accept: application/scim+json

Sample Response

HTTP/1.1 204 No content