Credential Type REST API
The Credential/Type endpoint allows creating and managing credential types, which define the credential parameters used during user authentication.
Credentials are stored in devices and contain information used to authenticate users, and are linked to a credential type.
HID Authentication Service includes a set of default credential types.
To use version-specific parameters or attributes, add api-version=N as a query parameter to the request.
Previous versions of the API are also supported with the corresponding functionality.
Method Details
HTTPS Method | Entity Action | Request URI | Description |
---|---|---|---|
 | Read | /configuration/{tenant}/v2/Credential/Type | Get all credential types |
 | Read | /configuration/{tenant}/v2/Credential/Type/{id}:(String) | Get a known credential type |
 | Create | /configuration/{tenant}/v2/Credential/Type | Create a credential type |
 | Replace | /configuration/{tenant}/v2/Credential/Type/{id}:(String) | Fully replace a known credential type |
 | Delete | /configuration/{tenant}/v2/Credential/Type/{id}:(String) | Delete a known credential type |
Required Permissions
Function | Required Permissions |
---|---|
GET | |
GET ALL | |
CREATE | |
REPLACE | |
DELETE | |
Get All Credential Types
[GET] /Credential/Type
Sample Response
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 70,
"resources": [
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"id": "CT_PKICR1",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_PKICR1",
"version": "1"
},
"readOnly": false,
"name": "PKI Challenge Response v1",
"notes": "Validates a signed challenge, i.e. response, using the public key from a PKI x509 Certificates v1"
},
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"id": "CT_CRTCHK1",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_CRTCHK1",
"version": "1"
},
"readOnly": false,
"name": "PKI Certificate Check v1",
"notes": "Validates that the certificate is assigned to the authenticating user"
},
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"id": "CT_PKIDIRECT",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_PKIDIRECT",
"version": "1"
},
"readOnly": false,
"name": "PKI Sync or Async",
"notes": "Synchronous or asynchronous PKI for direct users"
},
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:type:SDB",
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"id": "CT_AIAT",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_AIAT",
"version": "1"
},
"readOnly": false,
"name": "AI SKI Time and Event based credential",
"notes": "ActivID SKI Time and Event based (AT) credential",
"urn:hid:scim:api:idp:2.0:credential:type:SDB": {
"serviceName": "PASSWORD",
"algo": "ai",
"timeWindow": {
"timeStep": 128,
"smallWindowTimeStart": -3,
"smallWindowTimeEnd": 2,
"largeWindowTimeStart": -5,
"largeWindowTimeEnd": 4
},
"eventWindow": {
"smallWindowEventEnd": 2,
"largeWindowEventEnd": 10,
"eventCounterManualUpdateAllowedDiff": 1
}
}
},
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"id": "CT_AIIN1",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_AIIN1",
"version": "1"
},
"readOnly": false,
"name": "ActivID OTP on smart cards v1",
"notes": "ActivID SKI Time Passwords on initialized smartcards"
},
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:type:OATH",
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"id": "CT_SEOS_OTP",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_SEOS_OTP",
"version": "1"
},
"readOnly": false,
"name": "HID SEOS OATH Event based credential",
"notes": "HID SEOS OATH Event based credential",
"urn:hid:scim:api:idp:2.0:credential:type:OATH": {
"serviceName": "PASSWORD",
"algo": "hotp|totp|ocra",
"totp": {
"timeStep": 128,
"smallWindowTimeStart": -3,
"smallWindowTimeEnd": 3,
"largeWindowTimeStart": -5,
"largeWindowTimeEnd": 4
},
"hotp": {
"smallWindowEventEnd": 2,
"largeWindowEventEnd": 10,
"eventCounterManualUpdateAllowedDiff": 1
},
"ocra": {
"eventCounterResynchronizationWindowOverride": 30,
"timeResynchronizationWindowOverride": 20,
"ocraSuiteCounterCROverride": "OCRA-1:HOTP-SHA1-8:C-QA06",
"ocraSuiteTimestampCROverride": "OCRA-1:HOTP-SHA1-8:QA06-T30S",
"ocraSuiteCounterSignOverride": "OCRA-1:HOTP-SHA1-8:C-QA06",
"modes": [
"CHALLENGE_RESPONSE",
"SIGNATURE"
]
}
}
},
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"id": "CT_OOB",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_OOB",
"version": "1"
},
"readOnly": false,
"name": "OOB Credential",
"notes": "OOB Credential"
},
************** TRUNCATED OUTPUT **************
}
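The following Python example is added here and is not part of the HID documentation. It reads a Get All response and summarizes, for each credential type carrying an OTP extension, the time and event acceptance windows and the hash named in each OCRA suite string (split according to the RFC 6287 suite layout). It assumes the window start and end values are inclusive step offsets; the function names are illustrative.

```python
import json
import re

EXT_PREFIX = "urn:hid:scim:api:idp:2.0:credential:type:"
# RFC 6287 suite layout: OCRA-1:HOTP-<hash>-<digits>:<data inputs>
SUITE_RE = re.compile(r"^OCRA-1:HOTP-(SHA1|SHA256|SHA512)-(\d+):(.+)$")

def parse_ocra_suite(suite):
    """Split an OCRA suite string into hash, response digits and data inputs."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"not an OCRA-1 suite: {suite!r}")
    return {"hash": m.group(1), "digits": int(m.group(2)), "inputs": m.group(3).split("-")}

def steps(block, size):
    """Time steps accepted by a small/large window (assumes inclusive offsets)."""
    lo, hi = block.get(size + "WindowTimeStart"), block.get(size + "WindowTimeEnd")
    return None if lo is None or hi is None else hi - lo + 1

def summarize(list_response):
    """Return one row per OTP extension found in a Credential/Type ListResponse."""
    rows = []
    for res in list_response.get("resources", []):
        for key, ext in res.items():
            if not (key.startswith(EXT_PREFIX) and isinstance(ext, dict)):
                continue
            t = ext.get("totp") or ext.get("timeWindow") or {}
            e = ext.get("hotp") or ext.get("eventWindow") or {}
            suites = [parse_ocra_suite(v) for k, v in ext.get("ocra", {}).items()
                      if k.startswith("ocraSuite")]
            rows.append({"id": res["id"], "timeStep": t.get("timeStep"),
                         "smallSteps": steps(t, "small"), "largeSteps": steps(t, "large"),
                         "largeEventEnd": e.get("largeWindowEventEnd"),
                         "ocraHashes": sorted({s["hash"] for s in suites})})
    return rows

# Constructed input: two entries trimmed from the sample response above.
SAMPLE = json.loads("""{"resources": [
 {"id": "CT_AIAT", "urn:hid:scim:api:idp:2.0:credential:type:SDB": {
   "timeWindow": {"timeStep": 128, "smallWindowTimeStart": -3, "smallWindowTimeEnd": 2,
                  "largeWindowTimeStart": -5, "largeWindowTimeEnd": 4},
   "eventWindow": {"smallWindowEventEnd": 2, "largeWindowEventEnd": 10}}},
 {"id": "CT_SEOS_OTP", "urn:hid:scim:api:idp:2.0:credential:type:OATH": {
   "totp": {"timeStep": 128, "smallWindowTimeStart": -3, "smallWindowTimeEnd": 3,
            "largeWindowTimeStart": -5, "largeWindowTimeEnd": 4},
   "hotp": {"smallWindowEventEnd": 2, "largeWindowEventEnd": 10},
   "ocra": {"ocraSuiteCounterCROverride": "OCRA-1:HOTP-SHA1-8:C-QA06",
            "ocraSuiteTimestampCROverride": "OCRA-1:HOTP-SHA1-8:QA06-T30S",
            "modes": ["CHALLENGE_RESPONSE", "SIGNATURE"]}}}]}""")
```

Calling summarize() on the parsed body of a real Get All response gives a per-type view that can be compared against the organization's OTP window and hash policy.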
Get a Credential Type
[GET] /Credential/Type/{id}
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_PKI1",
"version": "1"
},
"id": "CT_PKI1",
"name": "PKI Challenge Response v1",
"notes": "Validates a signed challenge, i.e. response, using the public key from a PKI x509 Certificates v1",
"readOnly": false
}
Create a Credential Type
For details of the extension, see urn:hid:scim:api:idp:2.0:credential:Type
Sample request where a new credential type with the id CT_TDSCRNEW is created based on CT_TDSOAECR.
{
"copyFrom": "CT_TDSOAECR",
"id": "CT_TDSCRNEW",
"name": "New CR credential type",
"notes": "Validates a signed challenge"
}
Sample Response
{
"schemas": ["urn:hid:scim:api:idp:2.0:credential:Type"],
"id": "CT_TDSCRNEW",
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_TDSCRNEW",
"version": "1"
},
"name": "New CR credential type",
"notes": "Validates a signed challenge",
"readOnly": false,
"urn:hid:scim:api:idp:2.0:credential:type:OATH": {
"serviceName": "PASSWORD",
"algo": "hotp|totp|ocra",
"totp": {
"timeStep": 128,
"smallWindowTimeStart": -3,
"smallWindowTimeEnd": 2,
"largeWindowTimeStart": -5,
"largeWindowTimeEnd": 4
},
"hotp": {
"smallWindowEventEnd": 2,
"largeWindowEventEnd": 10,
"eventCounterManualUpdateAllowedDiff": 1
},
"ocra": {
"eventCounterResynchronizationWindowOverride": 30,
"timeResynchronizationWindowOverride": 20,
"ocraSuiteCounterCROverride": "OCRA-1:HOTP-SHA1-8:C-QA06",
"ocraSuiteTimestampCROverride": "OCRA-1:HOTP-SHA1-8:QA06-T30S",
"ocraSuiteCounterSignOverride": "OCRA-1:HOTP-SHA1-8:C-QA06"
}
},
************** TRUNCATED OUTPUT **************
}
Replace a Credential Type
[PUT] /Credential/Type/{id}
Accept: application/scim+json
Sample request to update the OCRA mode (requires api-version=9 or later)
{
"id": "CT_TDSCRNEW",
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:type:PushOATH",
"urn:hid:scim:api:idp:2.0:credential:Type"
],
"urn:hid:scim:api:idp:2.0:credential:type:PushOATH": {
"algo": "ocra",
"ocra": {
"modes": ["SIGNATURE"]
}
}
}
Sample Response
{
"schemas": [
"urn:hid:scim:api:idp:2.0:credential:Type"],
"meta": {
"resourceType": "Credential",
"location": "https://[base-server-url]/configuration/{tenant}/v2/Credential/Type/CT_TDSCRNEW",
"version": "1"
},
"id": "CT_TDSCRNEW",
"name": "New CR credential type",
"notes": "Validates a signed challenge",
"urn:hid:scim:api:idp:2.0:credential:type:PushOATH": {
"keyValidityPeriod": 1825,
"keyLabel": "signkey12",
"keyUsage": "otp",
"algo": "hotp",
"hotp": {
"otpLen": 8,
"validityWindow": 30,
"smallWindowCounterEventEnd": 2,
"largeWindowCounterEventEnd": 10,
"eventCounterManualUpdateAllowedDiff": 1
},
"totp": {
"otpLen": 8,
"validityWindow": 20,
"smallWindowTimeStart": -3,
"smallWindowTimeEnd": 3,
"largeWindowTimeTimeStart": -5,
"largeWindowTimeTimeEnd": 4
},
"ocra": {
"ocraSuite": "OCRA-1:HOTP-SHA1-8:QN08-T30S",
"eventCounterResynchronizationWindowOverride": 30,
"timeResynchronizationWindowOverride": 20,
"eventCounterManualUpdateAllowedDiff": 1,
"modes": ["SIGNATURE"]
}
}
}
Delete a Credential Type
All the delete endpoints follow the same standard pattern and can be reached through the following URL pattern:
Accept: application/scim+json