RSA Adaptive Authentication (On-Premise) 7.1
Web Services API Reference Guide
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or
other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go
to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Copyright 2013 EMC Corporation. All Rights Reserved. Published in the USA.
November 2013
RSA Adaptive Authentication (On-Premise) 7.1 Web Services API Reference Guide
Contents
Preface................................................................................................................................. 13
About This Guide.............................................................................................................. 13
RSA Adaptive Authentication (On-Premise) Documentation .......................................... 13
Support and Service .......................................................................................................... 14
Before You Call Customer Support........................................................................... 14
QueryRequest Message.............................................................................................. 81
queryResponse Message ............................................................................................ 82
updateUser Method ........................................................................................................... 83
UpdateUserRequest Message .................................................................................... 83
UpdateUserResponse Message .................................................................................. 84
Chapter 5: Web Services Request Data Structures and Types ..... 105
Data Structures and Methods .......................................................................................... 105
Structures Used in All Methods ...................................................................................... 107
ActionTypeList ........................................................................................................ 107
GenericActionTypeList ........................................................................................... 107
configurationHeader ................................................................................................ 109
deviceRequest .......................................................................................................... 109
identificationData......................................................................................................111
messageHeader .........................................................................................................114
securityHeader ..........................................................................................................116
autoCreateUserFlag..........................................................................................................116
clientReturnData Structure...............................................................................................116
collectionRequest .............................................................................................................117
collectionInitiator......................................................................................................117
collectionReason .......................................................................................................118
orgCredentialList ......................................................................................................118
credentialAuthStatusRequest ...........................................................................................118
credentialChallengeRequest.............................................................................................119
credentialDataList ........................................................................................................... 121
credentialManagementRequestList ................................................................................. 122
deviceManagementRequest ............................................................................................ 123
DeviceActionTypeList Values................................................................................. 123
eventDataList .................................................................................................................. 124
eventData Structure.................................................................................................. 124
AuthenticationLevel Structure ................................................................................. 126
EventType Values.................................................................................................... 126
runRiskType.................................................................................................................... 126
userData Structure........................................................................................................... 127
UserAddress Structure .................................................................................................... 128
UserName Structure........................................................................................................ 128
ClientGenCookie Structure ............................................................................................. 129
MobileDevice Structure .................................................................................................. 129
PhoneData ....................................................................................................................... 135
Chapter 6: Web Services Common Data Structures and Types ... 137
Account Structures.......................................................................................................... 137
AccountData Structure............................................................................................. 137
Amount Structure..................................................................................................... 139
AccountOwnershipType Values .............................................................................. 140
AccountRelationType Values .................................................................................. 140
AccountType............................................................................................................ 140
Credential Structures....................................................................................................... 141
CredentialList Structure ........................................................................................... 141
Credential Structure ................................................................................................. 141
CredentialStatus ....................................................................................................... 141
CredentialType Values ............................................................................................ 142
Device Structures ............................................................................................................ 142
DeviceData Structure ............................................................................................... 142
BindingType Values ................................................................................................ 143
Fact Structures................................................................................................................. 144
Fact List .................................................................................................................. 144
Fact Structure .......................................................................................................... 144
DataType Values............................................................................................................. 144
Stock Structures .............................................................................................................. 145
StockData Structure ................................................................................................. 145
StockTradeData Structures ...................................................................................... 146
Common Values for Stock Structure Data Elements............................................... 146
Transaction Structures..................................................................................................... 148
TransactionData Structures...................................................................................... 148
Values for Transaction Structure Data Elements..................................................... 149
Preface
The make and model of the machine on which the problem occurs.
The name and version of the operating system under which the problem occurs.
1 API Overview
Introduction to Web Services API
Types of Authentication
Types of Credentials
How Web Services Uses Credentials
Adaptive Authentication (On-Premise) Workflow
Identifying Invalid Users
Authentication Attempt Time-Out
Using Web Services
Using Web Services Security for Case Management API
This chapter provides an overview of the Web Services API and describes how you
can use Web Services.
Note: RSA recommends that your organization implement strict data field validation
on input fields before sending to the Web Services API in order to avoid data
manipulation.
Types of Authentication
The Adaptive Authentication (On-Premise) system supports different types of
authentication that fall under the larger umbrella term of Adaptive Authentication.
Logon Authentication. When a user tries to log on to your application, the
Adaptive Authentication (On-Premise) system authenticates the user. Any time a
user who tries to log on proves risky, as determined by your policies, a risk
analysis is performed on the logon to determine how much risk is associated with
that event.
Information is gathered from the user's device, such as device information (IP
address) and network information (browser information), to help authenticate
users into your application.
Risk-Based Authentication (RBA) can also make use of positive device
identification, where the Adaptive Authentication (On-Premise) system
specifically looks for a device token that identifies the user's device.
For this type of authentication, the device token is a required piece of information
that can affect the risk score and the recommended actions.
Transaction Authentication. After the user signs into your application, the
Adaptive Authentication (On-Premise) system continues to perform risk analysis.
Any time a user initiates a transaction that might prove risky, as determined by
your policies, a transaction authentication is performed to determine the risk of the
transaction. Information is again collected from the user to authenticate the user.
Types of Credentials
Credentials are the means by which a user is authenticated to the application. In any of
the authentication methods, the Adaptive Authentication (On-Premise) system
requests additional credentials if a user is deemed potentially risky. A user is
considered risky when the risk score and recommended policies dictate that additional
authentication is required from the user. The additional credentials provide added
means of verification of the user identity.
When asked for these extra credentials, the user must provide a second level of
authentication. Secondary level authentication is given in one of the following
credential formats:
A one-time password (OTP)
An extra password
Answers to a set of challenge questions
An identification number
The Adaptive Authentication (On-Premise) system uses this secondary level of
authentication in addition to the user name and password or device information to help
authenticate the user. If the secondary authentication matches, the user is allowed to
access the application.
In version 7.1, Adaptive Authentication (On-Premise) expands the use of credentials
to include additional types. The available credential types are listed in the following
table.
If the user is determined to be a high risk, the user is asked to enter extra
credentials, for example, answers to challenge questions or a one-time
password sent by an out-of-band (OOB) method. For more information about
credentials, see Types of Credentials on page 19.
If the credentials match, the user can access your online system. The user
has a preset number of attempts to correctly enter their credential
information.
If a match is not made and the user has exceeded the predetermined
number of failed attempts, the user is locked out of the account.
Note: Risk scores do not appear (not even a default starting score) and do not work
correctly until the Risk Engine task has been run regularly for 2-4 months. Until then,
the score-based modes may behave erratically. For more information, see the topics
on system health checks in the Installation and Upgrade Guide.
The following figure shows a high-level overview of the decisions made within the
Adaptive Authentication (On-Premise) system.
Backward Compatibility
The application programming interfaces (APIs) provided by RSA Adaptive
Authentication (On-Premise) 7.0 and 7.1 are different from the API provided by
previous versions of Adaptive Authentication (On-Premise).
If your use of the Adaptive Authentication (On-Premise) API does not rely on
features introduced in RSA Adaptive Authentication (On-Premise) 7.0 or 7.1, the
API provided with RSA Adaptive Authentication (On-Premise) 7.1 is backward
compatible with the API provided with RSA Adaptive Authentication (On-Premise)
6.0.2.1, including the 6.0.2.1 service packs.
For backward compatibility, the version data element in the message headers of all
SOAP call requests must be 6.0.
If your use of the API relies on features introduced in RSA Adaptive
Authentication (On-Premise) 7.0 or 7.1, the API provided with RSA Adaptive
Authentication (On-Premise) 7.1 is not backward compatible.
If the API is not backward compatible, the version data element in the message
headers of all SOAP call requests must be 7.0.
Note: The RSA Adaptive Authentication (On-Premise) 5.7 Backward Compatibility
API, available in previous versions of Adaptive Authentication (On-Premise), is not
supported in RSA Adaptive Authentication (On-Premise) 7.0 and 7.1.
SOAP Requests
A SOAP request is an XML-based message whose protocol defines the framework of
the data contained in the request and how that data is processed. By default, a Web
Services SOAP request expects a SOAP response, except in the case of an
asynchronous call.
        <!-- excerpt: the envelope opening and the request elements that precede tns:channel are not shown -->
        <tns:channel xsi:type="tns:ATM">
          <tns:timezone>2</tns:timezone>
          <tns:atmOwner>FI</tns:atmOwner>
          <tns:atmID>1234</tns:atmID>
          <tns:locationType>STREET</tns:locationType>
          <tns:cardIssueDate>423543</tns:cardIssueDate>
          <tns:atmLanguage>ENG</tns:atmLanguage>
          <tns:location>
            <tns:country>isr</tns:country>
            <tns:state>ISR</tns:state>
            <tns:city>PARIS</tns:city>
            <tns:address>V</tns:address>
            <tns:zip>123</tns:zip>
            <tns:geoCoordinates>
              <tns:longitude>19.7244</tns:longitude>
              <tns:latitude>156.0787</tns:latitude>
              <tns:altitude>0</tns:altitude>
            </tns:geoCoordinates>
          </tns:location>
          <tns:cardPINChangeDate>123</tns:cardPINChangeDate>
          <tns:atmOS>windows</tns:atmOS>
        </tns:channel>
        <tns:autoCreateUserFlag>true</tns:autoCreateUserFlag>
        <tns:eventDataList>
          <tns:eventData>
            <tns:eventType>WITHDRAW</tns:eventType>
            <tns:transactionData>
              <tns:amount>
                <tns:amount>12</tns:amount>
                <tns:amountInUSD>12</tns:amountInUSD>
                <tns:currency>NIS</tns:currency>
              </tns:amount>
              <tns:myAccountData>
                <tns:internationalAccountNumber>123</tns:internationalAccountNumber>
              </tns:myAccountData>
            </tns:transactionData>
          </tns:eventData>
        </tns:eventDataList>
        <tns:runRiskType>ALL</tns:runRiskType>
        <tns:channelIndicator>ATM</tns:channelIndicator>
      </tns:request>
    </tns:analyze>
  </soap:Body>
</soap:Envelope>
SOAP Responses
All responses are assumed to be in a SOAP envelope.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
      <ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ns1:deviceResult>
          <ns1:authenticationResult>
            <ns1:authStatusCode>FAIL</ns1:authStatusCode>
            <ns1:risk>0</ns1:risk>
          </ns1:authenticationResult>
          <ns1:callStatus>
            <ns1:statusCode>SUCCESS</ns1:statusCode>
            <ns1:statusDescription/>
          </ns1:callStatus>
          <ns1:deviceData>
            <ns1:bindingType>NONE</ns1:bindingType>
            <ns1:deviceTokenCookie>PMV6008tZxkzhRev5ecX3cjXqxDwzMNqbzpDwnyJlaVMabOGBJXy4LuV7wFMMgUGprPV0t</ns1:deviceTokenCookie>
            <ns1:deviceTokenFSO>PMV6008tZxkzhRev5ecX3cjXqxDwzMNqbzpDwnyJlaVMabOGBJXy4LuV7wFMMgUGprPV0t</ns1:deviceTokenFSO>
          </ns1:deviceData>
        </ns1:deviceResult>
        <ns1:identificationData>
          <ns1:delegated>false</ns1:delegated>
          <ns1:transactionId>9af7-:fd4bb419931:5cba5794-_TRX</ns1:transactionId>
          <ns1:userName>user</ns1:userName>
          <ns1:userStatus>VERIFIED</ns1:userStatus>
          <ns1:userType>PERSISTENT</ns1:userType>
        </ns1:identificationData>
        <ns1:messageHeader>
          <ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
          <ns1:requestType>ANALYZE</ns1:requestType>
          <ns1:timeStamp>2012-09-05T07:41:18.775Z</ns1:timeStamp>
          <ns1:version>7.0</ns1:version>
        </ns1:messageHeader>
        <ns1:statusHeader>
          <ns1:reasonCode>0</ns1:reasonCode>
          <ns1:reasonDescription>Operations were completed successfully</ns1:reasonDescription>
          <ns1:statusCode>200</ns1:statusCode>
        </ns1:statusHeader>
        <ns1:riskResult>
          <ns1:riskScore>14</ns1:riskScore>
          <ns1:riskScoreBand>SCORE_BAND_0</ns1:riskScoreBand>
          <ns1:triggeredRule>
            <ns1:actionCode>ALLOW</ns1:actionCode>
            <ns1:actionName>FALLBACK RULE</ns1:actionName>
            <ns1:actionType>STRICT</ns1:actionType>
            <ns1:clientFactList/>
            <ns1:ruleId>FALLBACK RULE</ns1:ruleId>
            <ns1:ruleName>FALLBACK RULE</ns1:ruleName>
          </ns1:triggeredRule>
        </ns1:riskResult>
      </ns1:analyzeReturn>
    </ns1:analyzeResponse>
  </soapenv:Body>
</soapenv:Envelope>
If an error occurs while processing a request, the error is logged and an error message
is returned in the SOAP response. The SOAP response also contains a status parameter
that tells you whether the SOAP request was successfully processed.
Note: For asynchronous Web Services calls, even if you do not receive a SOAP
response, you still receive an HTTP 202 response.
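The status parameter matters because the risk fields in a response are only meaningful when the request was actually processed. The following added example (not code from the RSA guide) parses the analyzeResponse shown above, reads the statusHeader, riskResult and triggeredRule elements, and fails closed on anything unexpected. The decision labels "allow", "not_allowed" and "fail_closed" are this example's own; the sample XML is constructed from the guide's response, trimmed to the elements the checks read.

```python
"""Added example, not part of the RSA guide: parse an analyzeResponse and decide
fail-closed. Reads statusHeader, riskResult and triggeredRule as shown in the
guide's sample response; the decision labels are this example's own."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "ns1": "http://ws.csd.rsa.com",
}

# Constructed from the guide's sample response, trimmed to the elements the
# checks below read (deviceData and messageHeader omitted).
SAMPLE_RESPONSE = """\
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
      <ns1:analyzeReturn>
        <ns1:deviceResult>
          <ns1:callStatus>
            <ns1:statusCode>SUCCESS</ns1:statusCode>
            <ns1:statusDescription/>
          </ns1:callStatus>
        </ns1:deviceResult>
        <ns1:identificationData>
          <ns1:userName>user</ns1:userName>
          <ns1:userStatus>VERIFIED</ns1:userStatus>
        </ns1:identificationData>
        <ns1:statusHeader>
          <ns1:reasonCode>0</ns1:reasonCode>
          <ns1:reasonDescription>Operations were completed successfully</ns1:reasonDescription>
          <ns1:statusCode>200</ns1:statusCode>
        </ns1:statusHeader>
        <ns1:riskResult>
          <ns1:riskScore>14</ns1:riskScore>
          <ns1:riskScoreBand>SCORE_BAND_0</ns1:riskScoreBand>
          <ns1:triggeredRule>
            <ns1:actionCode>ALLOW</ns1:actionCode>
            <ns1:ruleName>FALLBACK RULE</ns1:ruleName>
          </ns1:triggeredRule>
        </ns1:riskResult>
      </ns1:analyzeReturn>
    </ns1:analyzeResponse>
  </soapenv:Body>
</soapenv:Envelope>
"""


def decide(response_xml: str) -> dict:
    """Map an analyzeResponse to a local decision, failing closed on anything unexpected."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return {"decision": "fail_closed", "reason": f"unparseable response: {exc}"}

    # statusHeader reports whether the request itself was processed; 200 is the
    # success value shown in the guide. Anything else: do not trust the risk fields.
    status = root.findtext(".//ns1:statusHeader/ns1:statusCode", default="", namespaces=NS)
    if status != "200":
        reason = root.findtext(".//ns1:statusHeader/ns1:reasonDescription", default="", namespaces=NS)
        return {"decision": "fail_closed",
                "reason": f"statusCode {status or 'missing'}: {reason.strip()}"}

    score_text = root.findtext(".//ns1:riskResult/ns1:riskScore", default="", namespaces=NS)
    action = root.findtext(".//ns1:triggeredRule/ns1:actionCode", default="", namespaces=NS)
    if not score_text.isdigit() or not action:
        return {"decision": "fail_closed", "reason": "riskScore or actionCode missing"}

    # Only an explicit ALLOW lets the request through; every other action code is
    # routed to your policy's step-up or denial path (label chosen for this example).
    decision = "allow" if action == "ALLOW" else "not_allowed"
    return {"decision": decision, "risk_score": int(score_text), "action_code": action,
            "reason": root.findtext(".//ns1:triggeredRule/ns1:ruleName", default="", namespaces=NS)}


if __name__ == "__main__":
    print(decide(SAMPLE_RESPONSE))
```

Note that a parse failure, a non-200 statusCode and a missing riskScore or actionCode all produce the same "fail_closed" outcome: the caller never falls through to an allow because a field was absent.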
SOAP Endpoints
Adaptive Authentication (On-Premise) provides SOAP endpoints to be used with the
Web Services operations when sending requests. The URL of the endpoint is as
follows:
Adaptive Authentication (On-Premise) endpoint
http://{host}:{port}/AdaptiveAuthentication/services/AdaptiveAuthentication
Asynchronous Adaptive Authentication endpoint
http://{host}:{port}/AdaptiveAuthentication/services/AsyncAdaptiveAuthentication
Note: After generating the client code, you must modify all client-generated
proxies (that is, .NET 3.0) to make the AsyncAdaptiveAuthentication WSDL work
correctly.
Additional Endpoints
There are additional SOAP endpoints used for user administration and case
management. Not all organizations will choose to use these endpoints. The following
are the additional endpoints:
AdminService API endpoint
http://{host}:{port}/AdaptiveAuthenticationAdmin/services/AdaptiveAuthenticationAdmin
Case Management API endpoint
http://{host}:{port}/casemanagement/services/casemanagement
Note: When the parameter is true, you must log on to the Adaptive Authentication
(On-Premise) to enter your Web Services credentials.
4. Save the XSD files to the same directory to which you saved the Adaptive
Authentication WSDL. You must repeat the process for each of the following
XSD files:
ACSP.xsd
ACSPImport.xsd
ACSPInternalImport.xsd
ATM.xsd
RSA_main.xsd
KBA.xsd
OOBGen.xsd
OOBSMS.xsd
OTP.xsd
Note: When the parameter is true, you must log on to the Adaptive Authentication
Admin to enter your Web Services credentials.
Note: When generating the Web Services client, if you are using Axis version 2, RSA
recommends that you use the XML Beans binding method.
SOAP Authentication
Starting with release 6.0, Adaptive Authentication (On-Premise) provides a measure
of security for Web Services by providing a user name and password security scheme
(see securityHeader on page 116), whereby the Adaptive Authentication (On-
Premise) system authenticates the SOAP request as coming from a valid server within
your application.
Your organization is responsible for securing the channel end points and implementing
access protection to your servers.
Note: Both Adaptive Authentication (On-Premise) and Web Services use Axis version
2.
Example
YYYY-MM-DDThh:mm:ssTZD (for example, 1997-07-16T19:20:30+01:00)
or
YYYYMMDDThhmmssTZD (for example, 19970716T192030+01:00)
where
YYYY = four-digit year
MM = two digits for the month (e.g. 01=January)
DD = two digits for the day of the month (01 through 31)
hh = two digits for the hour (00 through 23)
Note: am and pm are NOT allowed.
mm = two digits for the minute (00 through 59)
ss = two digits for the second (00 through 59)
TZD = time zone designator (Z or +hh:mm or -hh:mm)
The profile defines two ways of handling time zone offsets:
Times are expressed in UTC (Coordinated Universal Time) with the UTC
designator, Z.
Times are expressed in local time, together with a time zone offset in
hours and minutes.
A time zone offset of +hh:mm indicates that the date and time use a local
time zone that is hh hours and mm minutes ahead of UTC. A time zone
offset of -hh:mm indicates that the date and time use a local time zone that
is hh hours and mm minutes behind UTC.
Example
1994-11-05T08:15:30-05:00 corresponds to November 5, 1994, 8:15:30 am, US Eastern
Standard Time.
1994-11-05T13:15:30Z corresponds to the same instant.
<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-13"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>Alice</wsse:Username>
      <wsse:Password
          Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pswAlice</wsse:Password>
      <wsse:Nonce
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">bbl2YNeDtZa+ntclg3P3TA==</wsse:Nonce>
      <wsu:Created>2012-01-31T10:42:01.391Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
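The Nonce and Created elements in this header only protect against replay if the receiving side actually enforces them, and Created is only checkable if the timestamp profile described earlier is parsed strictly. The following added example (not code from the RSA guide) serves both passages: it parses both timestamp forms from the profile and then applies the receiver-side checks a practitioner would want on a UsernameToken like the one above (fresh Created, unused nonce, constant-time password comparison). The five-minute freshness window, the in-memory nonce set and the one-entry credential store are this example's assumptions; the header values are the guide's sample.

```python
"""Added example, not part of the RSA guide: parse the guide's timestamp profile and
apply receiver-side checks to a WS-Security UsernameToken header like the one above.
The freshness window, nonce cache and credential store are this example's assumptions."""
import hmac
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

_TZD = r"(Z|[+-]\d{2}:?\d{2})"
# The two forms from the profile: YYYY-MM-DDThh:mm:ssTZD and YYYYMMDDThhmmssTZD.
# Fractional seconds are accepted because the sample <wsu:Created> carries them;
# am/pm is rejected because only 00-23 hours match.
_FORMS = [
    re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?" + _TZD + "$"),
    re.compile(r"^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})(?:\.(\d{1,6}))?" + _TZD + "$"),
]

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"


def parse_timestamp(text: str) -> datetime:
    """Return an aware datetime; raise ValueError for anything outside the profile."""
    for form in _FORMS:
        m = form.match(text)
        if m:
            break
    else:
        raise ValueError(f"not in YYYY-MM-DDThh:mm:ssTZD or YYYYMMDDThhmmssTZD form: {text!r}")
    y, mo, d, h, mi, s, frac, tzd = m.groups()
    if tzd == "Z":
        tz = timezone.utc
    else:
        hh, mm = int(tzd[1:3]), int(tzd[-2:])
        if hh > 23 or mm > 59:
            raise ValueError(f"bad time zone offset: {tzd}")
        offset = timedelta(hours=hh, minutes=mm)
        tz = timezone(offset if tzd[0] == "+" else -offset)
    micro = int((frac or "0").ljust(6, "0"))
    # datetime() itself rejects hour 24, month 13, day 32 and similar values.
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=tz)


def is_valid_timestamp(text: str) -> bool:
    try:
        parse_timestamp(text)
        return True
    except ValueError:
        return False


def validate_username_token(header_xml, credentials, seen_nonces, now,
                            max_skew=timedelta(minutes=5)):
    """Receiver-side checks: Created is fresh, the nonce is unused, the password matches."""
    tok = ET.fromstring(header_xml).find(f".//{WSSE}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    user = tok.findtext(f"{WSSE}Username") or ""
    password = tok.findtext(f"{WSSE}Password") or ""
    nonce = tok.findtext(f"{WSSE}Nonce") or ""
    try:
        created = parse_timestamp((tok.findtext(f"{WSU}Created") or "").strip())
    except ValueError as exc:
        return False, str(exc)
    if abs(now - created) > max_skew:
        return False, "Created outside freshness window"
    if not nonce or (user, nonce) in seen_nonces:
        return False, "nonce missing or replayed"
    expected = credentials.get(user, "")
    # Constant-time comparison, performed even for an unknown user.
    matches = hmac.compare_digest(password.encode(), expected.encode())
    if not expected or not matches:
        return False, "bad credentials"
    seen_nonces.add((user, nonce))
    return True, "ok"


# Constructed fixtures: the guide's sample header (with the soapenv prefix declared
# so it parses stand-alone), a one-entry credential store and a "current" time
# shortly after the sample's Created value.
SAMPLE_HEADER = """\
<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soapenv:mustUnderstand="1"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-13"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>Alice</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pswAlice</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">bbl2YNeDtZa+ntclg3P3TA==</wsse:Nonce>
      <wsu:Created>2012-01-31T10:42:01.391Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
"""
DEMO_CREDENTIALS = {"Alice": "pswAlice"}
DEMO_NOW = datetime(2012, 1, 31, 10, 43, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    seen = set()
    print(validate_username_token(SAMPLE_HEADER, DEMO_CREDENTIALS, seen, DEMO_NOW))
    print(validate_username_token(SAMPLE_HEADER, DEMO_CREDENTIALS, seen, DEMO_NOW))
```

The second call in the usage block is rejected as a replay because the (user, nonce) pair is already in the set; in a deployment the nonce cache has to be shared across all receiving nodes and kept for at least the freshness window, otherwise the check is only as good as the node that happened to see the first message. PasswordText sends the password in the clear inside the envelope, so the channel protection mentioned under SOAP Authentication is what keeps it from being read in transit.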
Note: The business processes in this chapter are provided as examples. Consult with
your RSA Implementation Manager to fine-tune the processes for your specific
implementation.
The following table provides a description and lists the Web Services methods used
for each workflow.
User Enrollment
  Description: This process enrolls a validated user into the Adaptive Authentication system.
  Methods: query or analyze, createUser, updateUser

Logon with Risk-Based Authentication
  Description: This process authenticates a user using network and device information and, optionally, positive device information. If extra credentials are required to authenticate a user, the Extra Credentials sub-process is invoked.
  Methods: analyze, notify, Extra Credentials process

Logon with Positive Device Identification Only
  Description: This process authenticates a user using network and device information, as well as positive device information. If extra credentials are required to authenticate a user, the Extra Credentials sub-process is invoked.
  Methods: analyze, notify, Extra Credentials process

Extra Credentials
  Description: This process is a subprocess for the Logon and risk analysis processes. For this subprocess, the user is asked for extra credentials to allow the user access to your online system. Extra credentials include:
    Answering challenge questions
    Voice out-of-band authentication
    Email out-of-band authentication
    SMS out-of-band authentication
    Generic Authentication Plug-In
    Knowledge-based authentication
  Methods: analyze, challenge, authenticate, notify, queryAuthStatus

User Maintenance
  Description: This process allows a user to change their existing information or add more information to their user profile.
  Methods: query, updateUser
User Enrollment
The User Enrollment process registers a new user in the Adaptive Authentication
system. You can allow the new user to choose several different enrollment options
(such as challenge questions, OOB information, or other credentials).
The application must identify the user as a valid user before invoking the createUser
method. The following are the steps and methods used in this business process:
Step 1: Check if the User is Enrolled
Step 2: Begin Enrollment
Step 3: User Chooses Challenge Questions (Optional)
Step 4: User Enters Out-of-Band Information (optional)
Step 5: User Registers Additional Credentials (optional)
Step 6: Add User Information to the Database
The following figure shows the seven steps for the user enrollment process. Each step
requires the issuing of a request and response for a SOAP method. The numbering of
the request and response messages are noted in the explanation of each step by the
number of the request and response in the figure.
For example, in step 1c, request 1 in the figure is denoted as request message (1).
Likewise, in step 1d, response 1 in the figure is denoted as response message (1).
Note: You may send the Adaptive Authentication system additional information about
the user, such as address, account information, or any other information that you feel
is necessary.
e. (Optional) After the user has chosen their challenge questions and answers,
you can immediately commit this information to the database by sending a
request (A) to the updateUser method. The updateUser method also activates
the user's credential.
Note: RSA recommends that you update the user information immediately.
If you determine the validity of the user's password, you need to send a request
message to the notify method. By notifying the Adaptive Authentication system,
this information can be stored and used for further authentication at a later date.
Whether you allow or deny the user access to your online system, you should inform
the Adaptive Authentication system of your final action by sending a request message
to the notify method.
For example, in step 2, request 1 in the figure is denoted as request message (1).
Likewise, in step 3, response 1a in the figure is denoted as response message (1a).
Using Challenge Questions
  The user is asked to correctly respond to their pre-chosen challenge questions.
  See Challenge-Response Credentials Process on page 53.

Using Out-of-band Phone Credentials
  The user receives a one-time password (OTP) via their phone. The user enters the OTP into a field in the web page.
  See Out-of-Band Credentials Process on page 56.

Using Out-of-band Email Credentials
  The user receives a one-time password via an email message. The user enters the OTP into a field in the web page.
  See Out-of-Band Credentials Process on page 56.

Using Out-of-band SMS Credentials
  The user receives a one-time password via an SMS. The user enters the OTP into a field in the web page.
  See Out-of-Band Credentials Process on page 56.
The following figure shows the four steps for the Extra Credentials process. The
figure shows all of the different credential processes.
Each step requires the issuing of a request and response for a SOAP method. The
numbering of the request and response messages is noted in the explanation of each
step by the number of the request and response in the figure.
For example, in step 1a, request 1 in the figure is denoted as request message (1).
Likewise, in step 1b, response 1 in the figure is denoted as response message (1).
Note: (For Logon) The user must successfully pass the challenge in order to re-bind
their device. Otherwise, they will be challenged again the next time they attempt to log
on to your application.
Note: A failed credential can result in a transaction being marked for review and sends
it to the Case Management application, regardless of whether a user is allowed to
continue or is denied the transaction. Your policies dictate which transactions are
marked for review.
b. Collect the answers that the user enters in regards to their challenge questions,
and perform a data validation on the entered answers.
c. Send a request message (3) to the authenticate method to see if the answer
matches.
Note: At any given point, the Adaptive Authentication system can mark a transaction
for review and send it to the Case Management application, regardless of whether a
user is allowed to continue or is denied the transaction.
Your policies dictate which transactions are marked for review.
Note: Your system should allow for the user to request another OOB message be sent
if the user does not receive the call.
Note: At any given point, the Adaptive Authentication system can mark a transaction
for review and send it to the Case Management application, regardless of whether a
user is allowed to continue or is denied the transaction.
Your policies dictate which transactions are marked for review.
User Maintenance
This process allows a user, who has been successfully authenticated, to update their
user information, including their challenge questions and any other credential
information as necessary. Once the user has completed all maintenance of their
information, they are passed to normal user processes, and the information is written
to the Adaptive Authentication database.
The following figure describes the User Maintenance process, which can also be used
as a partial re-enrollment process.
The steps in the figure require the issuing of request and response messages for a
SOAP method. The numbering of the request and response messages is noted in the
explanation of the process by the number of the request and response in the figure.
For example, the review and update processes describe request 1 in the figure as
request message (1). Likewise, response 1 in the figure is described as response
message (1).
challenge: This method returns the challenge material that will be presented to the user.
notify: This method allows the organization's application to notify the Adaptive Authentication system of any application events that can be added to the Adaptive Authentication system's profiles. This method does not return any actionable response values.
queryAuthStatus: For asynchronous credentials, this method returns the authentication status of that credential.
query: This method queries a user's profile and any system level browsable data.
Synchronous methods in the Adaptive Authentication Web Services are listed below:
analyze
authenticate
challenge
createUser
notify
queryAuthStatus
query
updateUser
Note: The asynchronous methods do not create new devices or rotate the user's device
token.
For asynchronous Web Services calls, even if you do not receive a SOAP response,
you still receive an HTTP 202 response.
GenericRequest Message
The following figure shows how each specific request message extends the
GenericRequest message.
GenericResponse Message
The following figure shows how each specific response message extends the
GenericResponse message.
identificationData: Information that identifies the user, transaction and session. Data Type: IdentificationData Structure
analyze Method
The analyze method performs a risk analysis for one event or a list of events. It can
also authenticate one or more credentials that are sent to it. The analyze method sends
its results to the Risk Engine and returns a recommended policy.
AnalyzeRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table describes the specific data elements in the analyze request
message. For a listing of the parameters for these data elements, see Chapter 5, Web
Services Request Data Structures and Types.
credentialDataList: A list of any credentials that a user has presented as part of this transaction. These credentials are authenticated by the Adaptive Authentication system. Required: N. Data Type: CredentialDataList
runRiskType: A flag that determines whether the risk engine should be run by updating the user's profile, without updating the user's profile, or by just relying on the policy rules. Required: Y. Data Type: RunRiskType
AnalyzeResponse Message
This response message extends the GenericResponse message, as defined in
GenericResponse Message on page 68.
The following table lists the specific data elements in the analyze Response. For a
listing of the parameters for these data elements, see Chapter 7, Web Services
Response Data Structures and Types.
requiredCredentialList: The required list of credentials that you need to collect from the user in order for authentication to occur. Data Type: RequiredCredentialList
riskResult: The risk score and resulting recommended policy action for the overall transaction. Data Type: RiskResult
authenticate Method
The authenticate method verifies a user using one or more credentials.
AuthenticateRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table lists the specific data elements in the authenticate Request. For a
listing of the parameters for these data elements, see Chapter 5, Web Services
Request Data Structures and Types.
credentialDataList: A list of any credentials that the user has presented as part of this transaction. Required: N. Data Type: CredentialDataList
AuthenticateResponse Message
This response message extends the GenericResponse Message, as defined in
GenericResponse Message on page 66.
The following table lists the specific data elements in the authenticate Response. For a
listing of the parameters for these data elements, see Chapter 7, Web Services
Response Data Structures and Types.
If a response is not received within the amount of time defined in the Transaction
Time To Live parameter, the response is considered rejected and the failure count is
incremented.
If you exceed the number of challenge or authenticate responses allowed, as defined in
the Maximum User Failure Count field in the Administration Console, the user is
locked.
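The failure accounting described above, written out as an added example rather than RSA's code: a response that arrives after the Transaction Time To Live counts as rejected, and a failure count that exceeds the Maximum User Failure Count locks the user. The TTL, the failure limit, the per-user state object and the timeline are constructed for the illustration; since the guide does not say whether a successful response resets the count, the model leaves it unchanged.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserAuthState:
    """Per-user counters kept for the documented failure accounting."""
    failure_count: int = 0
    locked: bool = False


class ChallengeTracker:
    """Model of the rules stated for challenge and authenticate responses.

    A response that does not arrive within the Transaction Time To Live is
    treated as rejected and counted as a failure; once the failure count
    exceeds the Maximum User Failure Count the user is locked. Both limits are
    Administration Console settings, so they are constructor parameters here.
    Assumption: a success leaves the failure count unchanged (the guide does
    not describe a reset).
    """

    def __init__(self, ttl_seconds: float, max_failure_count: int) -> None:
        self.ttl_seconds = ttl_seconds
        self.max_failure_count = max_failure_count
        self.states: Dict[str, UserAuthState] = {}

    def state(self, user: str) -> UserAuthState:
        return self.states.setdefault(user, UserAuthState())

    def record_response(self, user: str, issued_at: float,
                        answered_at: Optional[float], answer_matches: bool) -> str:
        """Return ACCEPTED, REJECTED, TIMEOUT or LOCKED for one challenge round."""
        st = self.state(user)
        if st.locked:
            return "LOCKED"
        # No answer at all, or an answer after the TTL, is a rejected response.
        timed_out = answered_at is None or (answered_at - issued_at) > self.ttl_seconds
        if not timed_out and answer_matches:
            return "ACCEPTED"
        st.failure_count += 1
        if st.failure_count > self.max_failure_count:
            st.locked = True
            return "LOCKED"
        return "TIMEOUT" if timed_out else "REJECTED"


if __name__ == "__main__":
    tracker = ChallengeTracker(ttl_seconds=120, max_failure_count=3)
    # Constructed timeline in seconds: a late correct answer, then wrong answers.
    rounds = [(0, 200, True), (300, 310, False), (400, None, False), (500, 505, False)]
    for issued, answered, ok in rounds:
        print(tracker.record_response("jdoe", issued, answered, ok), tracker.state("jdoe"))
```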
challenge Method
The challenge method can:
Initiate a challenge-response credential type, such as challenge questions. If you
request a challenge question credential, the challenge Response returns the user's
challenge questions. If you exceed the number of challenge or authenticate
responses allowed, as defined in the Maximum User Failure Count field in the
Administration Console, the user is locked.
Initiate an asynchronous challenge-response credential, such as OOB phone. The
Adaptive Authentication system makes the out-of-band call.
Initiate an asynchronous verification credential type, such as OOB phone.
For more information about the different workflows that use this method, see
Chapter 2, Web Services Basic Processes.
ChallengeRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table lists the specific data elements in the challengeRequest. For a
listing of the parameters for these data elements, see Chapter 5, Web Services
Request Data Structures and Types.
ChallengeResponse Message
This response message extends the GenericResponse message, as defined in
GenericResponse Message on page 68.
The following table lists the specific data elements in the challenge Response. For a
listing of the parameters for these data elements, see Chapter 7, Web Services
Response Data Structures and Types.
createUser Method
The createUser method is an explicit call to create a new user, which can also query
the Adaptive Authentication system for the necessary data to enroll the user. If
requested, the createUser method can also run a risk analysis on the user's enrollment.
CreateUserRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table lists the specific data elements in the createUserRequest. For a
listing of the parameters for these data elements, see Chapter 5, Web Services
Request Data Structures and Types.
1 Not required, but highly recommended.
CreateUserResponse Message
This response message extends the GenericResponse message, as defined in
GenericResponse Message on page 68.
The following table lists the specific data elements in the createUserResponse. For a
listing of the parameters for these data elements, see Chapter 7, Web Services
Response Data Structures and Types.
notify Method
The notify method allows your application to notify the Adaptive Authentication
system of any interesting application events that the Adaptive Authentication system
can add to its profiles. This method does not return any interesting or actionable
response values.
Important: You cannot trigger rules for notify requests. You can send them as
asynchronous analyze methods and get the same behavior at the API level (not the
response level), with the ability to define review rules.
NotifyRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table lists the specific data elements in this request. For a listing of the
parameters for these data elements, see Chapter 5, Web Services Request Data
Structures and Types.
NotifyResponse Message
This response message does not contain any significant information. It merely extends
the GenericResponse message, as defined in GenericResponse Message on page 68.
The response message does not require your application to take any actions. For a
listing of the parameters for these data elements, see Chapter 7, Web Services
Response Data Structures and Types.
queryAuthStatus Method
The queryAuthStatus method returns the authentication status of an asynchronous
credential.
queryAuthStatusRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table lists the specific data elements in this request. For a listing of the
parameters for these data elements, see Chapter 5, Web Services Request Data
Structures and Types.
queryAuthStatusResponse Message
This response message extends the GenericResponse message, as defined in
GenericResponse Message on page 68.
The following table lists the specific data elements in the response message. For a
listing of the parameters for these data elements, see Chapter 7, Web Services
Response Data Structures and Types.
query Method
The query method looks at the user profile, and returns any browsable data, including
any credential information. For more information about the different workflows that
use this method, see Chapter 2, Web Services Basic Processes.
QueryRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table lists the specific data elements in this request. For a listing of the
parameters for these data elements, see Chapter 5, Web Services Request Data
Structures and Types.
queryResponse Message
This response message extends the GenericResponse message, as defined in
GenericResponse Message on page 68.
The following table lists the specific data elements in this response. For a listing of the
parameters for these data elements, see Chapter 7, Web Services Response Data
Structures and Types.
updateUser Method
The updateUser method updates the user's profile, including credential information.
UpdateUserRequest Message
This request message extends the GenericRequest message, as defined in
GenericRequest Message on page 66.
The following table lists the specific data elements in this request. For a listing of the
parameters for these data elements, see Chapter 5, Web Services Request Data
Structures and Types.
UpdateUserResponse Message
This response message extends the GenericResponse message, as defined in
GenericResponse Message on page 68.
The following table lists the specific data elements in the response message. For a
listing of the parameters for these data elements, see Chapter 7, Web Services
Response Data Structures and Types.
riskResult: The risk score and resulting recommended policy action for the overall transaction. Data Type: RiskResult
Priority Levels
The following settings indicate the levels of priority for sending a particular data
element:
required
highly recommended
recommended
optional
Note: By sending more than the required data elements, the impact and effectiveness
of the Adaptive Authentication Risk Engine in detecting fraud increases, and the
additional data elements help to keep the user challenge and false positive rates low. It
is advisable to also send the highly recommended and the recommended data
elements, in addition to the required data elements, to take advantage of the Risk
Engine and its abilities.
ACTIVATE_CARD: The user attempts to activate a card (for example, debit, credit).
ADD_PAYEE: The user attempts to add a new payee to their list of payees.
CARD_PIN_CHANGE: The user attempts to change the PIN of a credit or debit card.
CHANGE_ALERT_SETTINGS: The user attempts to change their settings for receiving alerts (for example, an alert when a change is made to their account).
CHANGE_AUTH_DATA: The user attempts to change their authentication data (for example, phone number, challenge questions).
CHANGE_LIFE_QUESTIONS: The user attempts to change the questions/answers they want to see if they are challenged by this form of additional authentication.
CHANGE_PASSWORD: The user attempts to change the password they use to access the organization's online system.
CHANGE_STATEMENT_SETTINGS: The user attempts to change their settings for statement display or receipt.
CLIENT_DEFINED: The organization attempts to define their own event type to use instead of or in addition to the Adaptive Authentication default event types. The Adaptive Authentication risk model is run on the event type combination.
ENROLL: The user attempts to enroll into the organization's online system.
NULL: NA
REQUEST_NEW_CARD: The user requests a new card (for example, debit, credit).
WITHDRAW: The user attempts to initiate a withdrawal from the user's account.
messageHeader elements
securityHeader / callerCredential (Required)
  Source: Created by Web Services Authentication application or GUI
  Description: This maps to the password of the caller initiating the request message. This does not map to the user's password.
IdentificationData
identificationData / userLoginName (Recommended)
  Source: The User ID that was entered in the login form (can be a hashed / table translated form of it).
  Description: The user's login name.
deviceRequest elements
deviceRequest / httpAccept (Highly Recommended)
  Source: HTTP request header - accept
  Description: The HTTP accept header value is retrieved from the HTTP request header. This is used for device profiling, and is a potential fraud predictor.
deviceRequest / httpAcceptLanguage (Highly Recommended)
  Source: HTTP request header - Accept-Language
  Description: The HTTP accept language is retrieved from the HTTP request header. This is used for device profiling, and is a potential fraud predictor.
deviceRequest / httpReferrer (Highly Recommended)
  Source: HTTP request header - Referrer
  Description: The HTTP referrer header value is retrieved from the HTTP request header.
deviceRequest / userAgent (Highly Recommended)
  Source: HTTP request header - user-agent
  Description: The user agent string is retrieved from the HTTP request header and is used in device profiling.
deviceRequest / deviceTokenCookie (Highly Recommended)
  Source: System generated and locally stored.
  Description: The cookie retrieved from the user's device. The system generates the first cookie, which is stored locally for future user requests. This spares the need for identification and authentication checks for each subsequent logon.
deviceRequest / deviceTokenFSO (Highly Recommended)
  Source: System generated and locally stored.
  Description: The flash shared object retrieved from the user's device. The system generates the first FSO, which is stored locally for future user requests.
eventData elements
eventDataList / eventData (Required: at least one eventData element)
  Source: This may have multiple elements if the user initiated multiple transfers or bill payments in a single form.
  Description: The event data object element describes the event type field in the event data object.
eventType (Required)
  Source: This is defined per event. See Event-Specific Data Elements on page 93.
  Description: The type of event that took place in your system for the user's transaction.
eventDataList / eventData / eventType (Required)
  Values: ADD_PAYEE, EDIT_PAYEE
  Description: The type of event that took place in your system for the user's transaction. The user sets up a new payee or edits a current payee to which they will direct funds.
eventDataList / eventData / transactionData / otherAccountData / accountCountry (Recommended)
  Values: Free text entry
  Description: The country location of the payee's account.
eventDataList / eventData / transactionData / referenceCode (Recommended)
  Values: Free text entry
  Description: The information used by the user to identify the reason for the transaction.
Payment, Deposit
eventDataList / eventData / eventType (Required)
  Values: PAYMENT, DEPOSIT
  Description: The type of event that took place in your system for the user's transaction. The user sets up a payment or deposit.
eventDataList / eventData / transactionData / otherAccountType (Highly Recommended)
  Values: BILLER, PERSONAL_ACCOUNT
  Description: The type of account that the payee has to which the user directs funds.
eventDataList / eventData / transactionData / referenceCode (Recommended)
  Values: Free text entry
  Description: The information used by the user to identify the reason for the transaction.
Credit Request
eventDataList / eventData / eventType (Required)
  Values: REQUEST_CREDIT
  Description: The type of event that took place in your system for the user's transaction. The user initiates a request for credit.
Change Address
eventDataList / eventData / eventType (Required)
  Values: CHANGE_ADDRESS
  Description: The type of event that took place in your system for the user's transaction. The user initiates a change of address.
Change Email
eventDataList / eventData / eventType (Required)
  Values: CHANGE_EMAIL
  Description: The type of event that took place in your system for the user's transaction. The user initiates a change to their email.
Change Login ID
eventDataList / eventData / eventType (Required)
  Values: CHANGE_LOGIN_ID
  Description: The type of event that took place in your system for the user's transaction. The user initiates a change to their login ID.
Change Questions
eventDataList / eventData / eventType (Required)
  Values: CHANGE_LIFE_QUESTIONS
  Description: The type of event that took place in your system for the user's transaction. The user initiates a change to their challenge questions.
Change Password
eventDataList / eventData / eventType (Required)
  Values: CHANGE_PASSWORD
  Description: The type of event that took place in your system for the user's transaction. The user initiates a change to their password.
Change Phone
eventDataList / eventData / eventType (Required)
  Values: CHANGE_PHONE
  Description: The type of event that took place in your system for the user's transaction. The user initiates a change to their contact phone number.
Client Defined
eventDataList / eventData / eventType (Required)
  Values: Any Adaptive Authentication defined event type
  Description: The type of event that took place in your system for the user's transaction.
Failed Login
eventDataList / eventData / eventType (Required)
  Values: FAILED_LOGIN_ATTEMPT
  Description: The type of event that took place in your system for the user's transaction. The user fails at their attempt to log in.
Note: Do not enter the value default in the orgName for the Default organization.
eventDataList / eventData / eventType (Required)
  Values: FAILED_CHANGE_PASSWORD_ATTEMPT
  Description: The type of event that took place in your system for the user's transaction. The user fails at their attempt to change their password.
Order Checks
eventDataList / eventData / eventType (Required)
  Values: REQUEST_CHECKS
  Description: The type of event that took place in your system for the user's transaction. The user initiates a request to order checks.
View Checks
eventDataList / eventData / eventType (Required)
  Values: VIEW_CHECKS
  Description: The type of event that took place in your system for the user's transaction. The user initiates a request to view a check image.
Stock Trade
eventDataList / eventData / eventType (Required)
  Values: STOCK_TRADE
  Description: The type of event that took place in your system for the user's transaction. The user initiates a request to buy or sell stock.
Note: The Required column indicates which fields are mandatory. RSA also
recommends providing as much information in optional fields as possible to increase
the accuracy of the risk analysis.
ActionTypeList
GenericActionTypeList
genericActionTypes[ ]: The action to be taken. To pass more than one item, adjust the GenericActionType array size.
GenericActionType Values
The ActionType values define all the actions your application can initiate through the
various methods. If an ActionType is not supported in a particular method, a warning
or error message may occur.
GET_USER_GROUP: Get the group(s) to which the user belongs. Methods: All Methods
BROWSE_USER_GROUP: Gets the list of groups to which the user can belong. Methods: query
COMMIT: Commits any changes made and that are stored in the cache. Methods: All Methods
CANCEL: Cancels any information that was saved to the cache. Information is not written to the database. Methods: All Methods
configurationHeader
The Configuration Header structure contains configuration and routing information
that is used by the RSA Adaptive Authentication (On Premise) system.
Note: This structure is primarily used by the ASP version of the Adaptive Authentication
(On-Premise) system. This structure is not supported as of release 6.0.2.1 of the RSA
Adaptive Authentication (On Premise) system.
application: Information about the application for which the API is used. Max Length: 50. Required: N. Data Type: String
ruleSet: The policy rule set to be used when evaluating the risk of the event. If multiple sets are to be used, each should be separated by a semicolon (;). Max Length: 200. Required: N. Data Type: String
1 Required only for the ASP version of the Adaptive Authentication (On-Premise) system.
deviceRequest
The deviceRequest structure contains any information that your application finds
about a user's device. The following table describes the data structure for the
DeviceRequest Structure.
httpAccept: The HTTP accept header value. This parameter is retrieved from the HTTP request header. Max Length: 3000. Required: N. Data Type: String
httpAcceptChars: The HTTP accept header character set. This parameter is retrieved from the HTTP request header. Max Length: 256. Required: N. Data Type: String
httpReferrer: The HTTP referrer header value. This parameter is retrieved from the HTTP request header. Max Length: 256. Required: N. Data Type: String
userAgent: The user agent String. This parameter is retrieved from the HTTP request header. Max Length: 1024. Required: N. Data Type: String
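How an application might fill the deviceRequest structure from the HTTP headers named in the deviceRequest elements table, enforce the maximum lengths given in this section, and report which Highly Recommended elements are still missing. This is an added example, not the guide's own code: the sample headers are constructed, truncation on overflow is an assumption (the guide states only the maxima), Accept-Charset is taken as the standard header behind httpAcceptChars, and the deviceToken cookie value is passed in by the caller because the cookie name is not given here.

```python
import xml.etree.ElementTree as ET
from typing import List, Mapping, Optional, Tuple

# deviceRequest parameters: the HTTP header each is taken from (deviceRequest
# elements table) and the maximum length (deviceRequest structure table).
# Assumptions: Accept-Charset is the standard header for "accept header
# character set"; httpAcceptLanguage has no maximum on this page, so None.
DEVICE_REQUEST_FIELDS = {
    "httpAccept": ("Accept", 3000),
    "httpAcceptChars": ("Accept-Charset", 256),
    "httpAcceptLanguage": ("Accept-Language", None),
    "httpReferrer": ("Referer", 256),
    "userAgent": ("User-Agent", 1024),
}

# Elements the guide marks Highly Recommended for device profiling.
HIGHLY_RECOMMENDED = ("httpAccept", "httpAcceptLanguage", "httpReferrer",
                      "userAgent", "deviceTokenCookie", "deviceTokenFSO")


def build_device_request(headers: Mapping[str, str],
                         device_token_cookie: Optional[str] = None
                         ) -> Tuple[ET.Element, List[str]]:
    """Return (deviceRequest element, names of parameters that were truncated).

    Every parameter is optional (Required = N), so absent headers are omitted.
    Over-long values are cut to the documented maximum and reported; the guide
    gives the maxima but not the overflow behaviour, so truncation is an
    assumption made here.
    """
    lookup = {name.lower(): value for name, value in headers.items()}
    root = ET.Element("deviceRequest")
    truncated: List[str] = []
    for param, (header, max_len) in DEVICE_REQUEST_FIELDS.items():
        value = lookup.get(header.lower())
        if value is None:
            continue
        if max_len is not None and len(value) > max_len:
            value = value[:max_len]
            truncated.append(param)
        ET.SubElement(root, param).text = value
    if device_token_cookie:
        # Cookie name is application specific and not given in the guide, so the
        # caller supplies the value it retrieved from the user's device.
        ET.SubElement(root, "deviceTokenCookie").text = device_token_cookie
    return root, truncated


def missing_highly_recommended(device_request: ET.Element) -> List[str]:
    """Highly Recommended elements absent from a built deviceRequest."""
    return [p for p in HIGHLY_RECOMMENDED if device_request.find(p) is None]


# Constructed sample headers from a browser logon request.
SAMPLE_HEADERS = {
    "Accept": "text/html,application/xhtml+xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Referer": "https://bank.example/login",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
}


if __name__ == "__main__":
    request, truncated = build_device_request(SAMPLE_HEADERS,
                                              device_token_cookie="constructed-token")
    print(ET.tostring(request, encoding="unicode"))
    print("truncated:", truncated)
    print("missing highly recommended:", missing_highly_recommended(request))
```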
identificationData
The identificationData structure contains specific information that uniquely identifies
a given request or response message.
userLoginName: The name entered by the user when they log into your application. This parameter can change. This differs from the userName parameter. Max Length: 50. Required: N. Data Type: String
UserStatusType Values
Use these values to set the user's status (SET_USERSTATUS).
UNVERIFIED: The user is enrolled, but not yet verified by your application.
The following figure shows how a user can move from each of the states to another.
UserType Values
The UserType defines the type of user that is being sent. Values are:
BAIT: The user has been flagged as a user that was purposefully given wrong information about an account.
messageHeader
The messageHeader structure contains general message information, such as the
message type, the version of the Adaptive Authentication (On-Premise) system, and
the timestamp of the message.
apiType: Defines the type of available APIs that are used to communicate with the Adaptive Authentication (On-Premise) system. See APIType Values on page 115. Max Length: NA. Required: Y. Data Type: ApiType
version: The version of the Web Services API provided by this version of Adaptive Authentication (On-Premise). Max Length: 7.0. Required: Y. Data Type: messageVersion
RequestType Values
The RequestType values correspond to the different methods. The requestType value
should match the request message you are sending to Web Services.
See Chapter 3, Web Services API Methods for more information:
CHALLENGE: This method returns the challenge material that is to be presented to the user.
CREATEUSER: This method is an explicit call that creates a user. This method returns the information you should gather from the user during enrollment. (Optional) This method can also determine how risky a user is to enroll.
NOTIFY: This method allows the organization's application to notify the Adaptive Authentication System of any application events that can be added to the System's profiles.
QUERY: This method queries a user's profile and any system level browsable data.
QUERYAUTHSTATUS: For asynchronous credentials, this method returns the authentication status of that credential.
APIType Values
DIRECT_SOAP_API: The UI is handled by the client, and the Adaptive Authentication (On-Premise) system supplies the service for risk and authentication.
securityHeader
The securityHeader structure defines the specific ID and password for the application
making the request. The User ID or password is not sent, but rather the master User ID
and password assigned to your organizations system.
AuthorizationMethod Values
autoCreateUserFlag
This Boolean value determines whether or not to automatically create a user if the user
is not already enrolled.
If this value is set to TRUE, you must also pass the SET_USERSTATUS action.
clientReturnData Structure
(This structure is not supported as of release 6.0.2.1.)
The clientReturnData structure is sent during an analyze request message to inform
the Adaptive Authentication (On-Premise) system of where to redirect the user after
they have been authenticated. The Redirect structures define any information that
redirects the user to certain key URLs for a stronger authentication flow.
returnUrl: The URL where the user is returned after authentication. Max Length: 200. Required: N. Data Type: String
collectionRequest
This structure is not supported as of release 6.0.2.1.
The collectionRequest structure details why a collection is being initiated and the
reasons for the collection. The following table describes the data structure for the
CollectionRequest Structure.
collectionInitiator
The collectionInitiator value determines what party is initiating a collection request
for a credential type. This parameter is used within CollectionRequest.
collectionReason
The collectionReason value determines why credentials are being collected. This
parameter is used within CollectionRequest.
USER_SETTINGS: The user has specifically requested that additional credentials be collected.
FIRST_COLLECTION: This is the first time a user has been seen by the System, and credential information needs to be collected.
REFRESH_COLLECTION: A set amount of time has passed, and a refresh of the credentials is needed.
orgCredentialList
The orgCredentialList uses the CredentialList structure. See Credential Structure
on page 141 for more information.
credentialAuthStatusRequest
The credentialAuthStatusRequest structure is used to view the state of a given
credential, and the result of authenticating the user's response. See each of these
credential types for specific information regarding each data structure:
Appendix C, Out-of-Band Phone and Email Credential
Appendix D, One-Time Password Credential
Appendix E, Knowledge-based Authentication Credential
Appendix F, Out-of-Band SMS Authentication Credential,
Appendix G, Challenge Question Credential
Appendix H, Authentication Plug-In Credential
Note: These data structures are defined as to the number of occurrences allowed per
credentialAuthStatusRequest structure.
The range of the number of occurrences is 0-1. This means the data structures listed
above are optional (0) and a maximum of one occurrence per structure is allowed (1).
credentialChallengeRequest
The credentialChallengeRequest structure is used to request the results of the
challenge for a specific credential. See each of the following credential types for
specific information regarding each data structure:
Appendix C, Out-of-Band Phone and Email Credential
Appendix G, Challenge Question Credential
Appendix H, Authentication Plug-In Credential
Note: These data structures are defined as to the number of occurrences allowed per
credentialChallengeRequest structure.
The range of the number of occurrences is 0-1. This means the data structures listed
above are optional (0) and a maximum of one occurrence per structure is allowed (1).
credentialDataList
The credentialDataList structure is used to pass the user's information as it pertains to
a specific credential. See each of the following credential types for specific
information regarding each data structure:
Appendix C, Out-of-Band Phone and Email Credential
Appendix G, Challenge Question Credential
Appendix H, Authentication Plug-In Credential
Note: These data structures are defined as to the number of occurrences allowed per
credentialDataList structure.
The range of the number of occurrences is 0-1. This means the data structures listed
above are optional (0) and a maximum of one occurrence per structure is allowed (1).
credentialManagementRequestList
The credentialManagementList structure is used to pass a request for managing the
user's credential information as it pertains to a specific credential. See each of the
credential types for specific information regarding each data structure:
Appendix C, Out-of-Band Phone and Email Credential
Appendix G, Challenge Question Credential
Appendix H, Authentication Plug-In Credential
Note: These data structures are defined as to the number of occurrences allowed per
credentialManagementRequestList structure.
The range of the number of occurrences is 0-1. This means the data structures listed
above are optional (0) and a maximum of one occurrence per structure is allowed (1).
deviceManagementRequest
The deviceManagementRequest structure contains a request to:
bind a device
unbind a device
name a device
create a device binding
modify a device binding
The following table describes the data structure for the
DeviceManagementRequestPayload.
DeviceActionTypeList Values
The following are the values for DeviceActionType.
Values Description
UPDATE_DEVICES: Update the user's device binding(s) or add a new device binding.
eventDataList
The following structures are used to document events that occurred within your
Adaptive Authentication (On-Premise) application. The information gathered can be
useful for providing stronger authentication for your users.
eventData Structure
The eventData structure captures information about a specific event that occurred
during the transaction of the user.
Parameter | Description | Required | Max Length | Data Type
timeOfOccurrence | The date and time of the event. The date should follow the ISO 8601 format. The date format is yyyy-MM-dd HH:mm:ss.SSS. For example, if the date and time the event occurred is September 21, 2012 at 3:45 PM, the date is represented as: 2012-09-21 15:45:00. | N | Limited to the ISO date format supported by Java SimpleDateFormat | String
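As an added example (not from the guide), the following Python helpers format and parse the date strings this chapter uses for timeOfOccurrence and the other date parameters; they assume the GMT basis the chapter states and accept both the millisecond form and the guide's own example without milliseconds.

```python
# Added example, not RSA code: helpers for the yyyy-MM-dd HH:mm:ss.SSS date
# strings used by timeOfOccurrence and the other date parameters. The chapter
# states the times are GMT, so the helpers work in UTC and refuse naive datetimes.
import re
from datetime import datetime, timedelta, timezone

# Java pattern yyyy-MM-dd HH:mm:ss.SSS; the fractional part is optional because the
# guide's own example (2012-09-21 15:45:00) omits it.
_AA_DATE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.(?P<ms>\d{3}))?$"
)


def format_aa_date(moment: datetime) -> str:
    """Render a timezone-aware datetime as yyyy-MM-dd HH:mm:ss.SSS in GMT/UTC."""
    if moment.tzinfo is None:
        # A naive datetime has no defined offset; refusing it avoids silently
        # sending local time where the service expects GMT.
        raise ValueError("datetime must be timezone-aware")
    utc = moment.astimezone(timezone.utc)
    millis = utc.microsecond // 1000
    return f"{utc:%Y-%m-%d %H:%M:%S}.{millis:03d}"


def parse_aa_date(text: str) -> datetime:
    """Parse the guide's date format into an aware UTC datetime.

    Accepts the millisecond form and the guide's example without milliseconds;
    anything else (the ISO 8601 'T' separator, a zone suffix, an impossible
    calendar date) raises ValueError so bad input is caught before it is sent.
    """
    match = _AA_DATE_RE.match(text)
    if match is None:
        raise ValueError(f"not in yyyy-MM-dd HH:mm:ss.SSS format: {text!r}")
    base = datetime.strptime(f"{match['date']} {match['time']}", "%Y-%m-%d %H:%M:%S")
    millis = int(match["ms"] or 0)
    return base.replace(tzinfo=timezone.utc) + timedelta(milliseconds=millis)


def is_valid_aa_date(text: str) -> bool:
    """True when text is syntactically valid and denotes a real calendar date."""
    try:
        parse_aa_date(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The guide's worked example: 21 September 2012, 3:45 PM, taken here as GMT.
    print(format_aa_date(datetime(2012, 9, 21, 15, 45, tzinfo=timezone.utc)))
    # A local-time event (UTC-4) is converted to GMT before it is formatted.
    eastern = timezone(timedelta(hours=-4))
    print(format_aa_date(datetime(2012, 9, 21, 11, 45, tzinfo=eastern)))
```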
AuthenticationLevel Structure
For organizations using their own authentication or extra authentication, this structure
allows you to pass the information to the Adaptive Authentication (On-Premise)
system. See Appendix I, Authentication Levels for more information.
Parameter | Description | Required | Max Length | Data Type
EventType Values
For a complete list of EventType values, see Supported Event Types on page 85.
runRiskType
The runRiskType element controls execution of the Risk Engine on Adaptive
Authentication transactions. The values of runRiskType are listed in the following
table.
Note: You must set the value in the runRiskType element to either ALL or
RISK_ONLY in order to apply risk analysis on transactions. If you want to disable
risk assessment completely, you must use NONE as the value when you send SOAP
calls. You can check the values in the riskResult element of the AnalyzeResponse
message to verify that the Risk Engine was applied. For more information, see
riskResult on page 167.
Value | Description
RISK_ONLY | Run a risk analysis without updating the user's profile. This value also creates an event in the audit log for reporting purposes.
DEVICE_ONLY | Run a device-only risk analysis without calling the Risk Engine. The analysis runs against the Policy Engine. This value also creates an event in the audit log for reporting purposes. Note: If you have rules that use a risk score with a less-than condition, you must add an additional condition that says greater than minus one.
ALL | Run a risk analysis and update the user's profile. This value also creates an event in the audit log for reporting purposes.
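The following added Python example (not from the guide) shows the two client-side checks this section implies: confirming from riskResult that the Risk Engine ran, and the rule guard the DEVICE_ONLY note asks for. It assumes riskResult arrives as a dict keyed by the element names listed under riskResult, and that a device-only analysis reports a placeholder riskScore of -1, which is how the "greater than minus one" guard is read here.

```python
# Added example, not RSA code. Assumptions: riskResult is a dict keyed like the
# riskResult element (riskScore, riskScoreBand, triggeredRule), and a DEVICE_ONLY
# analysis reports a placeholder riskScore of -1 (the reading of the note's
# "greater than minus one" guard); neither is stated as an API fact by the guide.
from dataclasses import dataclass
from typing import Callable, List, Optional

RISK_ENGINE_MODES = {"ALL", "RISK_ONLY"}  # modes in which the Risk Engine runs
VALID_RUN_RISK_TYPES = RISK_ENGINE_MODES | {"DEVICE_ONLY", "NONE"}
NO_SCORE = -1  # assumed placeholder score when the Risk Engine was not called


def risk_engine_applied(run_risk_type: str, risk_result: Optional[dict]) -> bool:
    """Verify from the AnalyzeResponse that risk analysis actually ran.

    The guide says to check riskResult to confirm the Risk Engine was applied, so a
    request sent with ALL or RISK_ONLY that comes back without a usable riskScore
    is reported as "not applied" instead of being silently accepted.
    """
    if run_risk_type not in VALID_RUN_RISK_TYPES:
        raise ValueError(f"unknown runRiskType {run_risk_type!r}")
    if run_risk_type not in RISK_ENGINE_MODES or not risk_result:
        return False
    score = risk_result.get("riskScore")
    return isinstance(score, int) and score > NO_SCORE


@dataclass(frozen=True)
class ScoreRule:
    """A policy rule keyed on riskScore, such as 'riskScore < 300'."""
    name: str
    condition: Callable[[int], bool]


def unguarded_low_score_rule(threshold: int) -> ScoreRule:
    # The shape the note warns about: a bare less-than condition.
    return ScoreRule(f"riskScore < {threshold}", lambda s: s < threshold)


def guarded_low_score_rule(threshold: int) -> ScoreRule:
    # The shape the note asks for: the same condition plus "greater than minus
    # one", so a device-only run with no real score cannot satisfy it.
    return ScoreRule(
        f"riskScore < {threshold} and riskScore > -1",
        lambda s: s < threshold and s > NO_SCORE,
    )


def fired_rules(rules: List[ScoreRule], risk_result: dict) -> List[str]:
    """Names of the rules whose condition holds for the returned riskScore."""
    score = risk_result.get("riskScore", NO_SCORE)
    return [r.name for r in rules if r.condition(score)]


if __name__ == "__main__":
    # Constructed responses, not captured from a real AnalyzeResponse.
    all_mode = {"riskScore": 120}
    device_only = {"riskScore": NO_SCORE}
    rules = [unguarded_low_score_rule(300), guarded_low_score_rule(300)]
    print(risk_engine_applied("ALL", all_mode))    # True
    print(fired_rules(rules, all_mode))            # both rules fire on a real low score
    print(fired_rules(rules, device_only))         # only the unguarded rule misfires
```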
userData Structure
This structure is not supported as of release 6.0.2.1.
The userData Structure contains information specific to a user.
Parameter | Description | Required | Max Length | Data Type
lastAccountOpenDate | The date that the account was opened. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
lastOnlineServicePasswordChangeDate | The date that the user's password was changed. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
onlineServiceEnrollDate | The date that the user enrolled in the service. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
UserAddress Structure
The UserAddress structure contains specific information regarding the user's address.
Parameter | Description | Required | Max Length | Data Type
addressLastUpdate | The date the user's address was last updated. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
addressSetDate | The date the user's address was originally set. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
country | The user's country. The format should follow the ISO 3166 format (two-letter country code in upper case). | N | 2 | String
UserName Structure
The UserNameData structure contains specific information regarding the user's name.
Parameter | Description | Required | Max Length | Data Type
nameLine | NA - Text field that is stored but not used by the system. | N | 100 | String
suffix | The user's suffix, like junior, jr, III, M.D. etc. | N | 10 | String
ClientGenCookie Structure
This is an extension to DeviceIdentifier and it allows the sending of a persistent
cookie, generated by your application. One generated cookie can be sent per
transaction.
MobileDevice Structure
This structure is an extension to DeviceIdentifier and contains elements which support
organizations that use a mobile channel.
Important: Although on their own, the parameters simId, otherId, and hardwareId
are optional, the mobileDevice structure requires that at least one of these parameters
must be populated.
Parameter | Description | Required | Max Length | Data Type
GeoLocation
GeoLocation, a parameter in the MobileDevice data structure, is a composite data type
that consists of parameters that collect geographical location information from mobile
devices. The parameters for GeoLocation are listed in the following table.
Parameter | Description | Required | Max Length | Data Type
statusCode
statusCode refers to the status code of a specific request. The following table lists the
acceptable values for statusCode:
Status | Code | Description
PERMISSION DENIED | 1 | The location collection process failed because the application origin does not have permission to use the geo-location API.
API ERROR | 2 | The position of the device could not be determined. For example, one or more of the location providers used in the location collection process reported an internal error that caused the process to fail entirely.
API TIMEOUT | 3 | The geo-location API returned a timeout error and there is no available position to return.
PhoneData
This structure is an extension to DeviceIdentifier and contains elements that support
organizations using a mobile channel.
Element | Description | Required | Max Length | Data Type
Important: If one of the elements in the PhoneData structure is populated, all the
elements in the data structure must be specified except for the parameter extension.
Note: The Required column indicates which fields are mandatory. RSA also
recommends providing as much information in optional fields as possible to increase
the accuracy of the risk analysis.
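An added Python check (not part of the guide) for the two constraints stated above: mobileDevice needs at least one of simId, otherId and hardwareId, and PhoneData is all-or-nothing except for extension. The PhoneData element names are not listed on this page, so the check takes them from the caller; the names used in the sample input are hypothetical.

```python
# Added example, not RSA code: request-side validation of the two DeviceIdentifier
# extensions whose rules this section states in prose. simId, otherId and
# hardwareId are the guide's names; the PhoneData element names are not on this
# page, so they are supplied by the caller and "extension" is the one optional one.
from typing import Any, Dict, List

MOBILE_IDENTIFIERS = ("simId", "otherId", "hardwareId")
PHONE_OPTIONAL_ELEMENTS = {"extension"}


def _populated(value: Any) -> bool:
    """An element counts as populated only when it carries non-blank content."""
    return value is not None and str(value).strip() != ""


def validate_mobile_device(mobile_device: Dict[str, Any]) -> List[str]:
    """Return the problems with a mobileDevice structure (empty list = valid).

    Each identifier is optional on its own, but the structure as a whole needs
    at least one of them populated.
    """
    if not any(_populated(mobile_device.get(k)) for k in MOBILE_IDENTIFIERS):
        return ["mobileDevice needs at least one of " + ", ".join(MOBILE_IDENTIFIERS)]
    return []


def validate_phone_data(phone_data: Dict[str, Any], elements: List[str]) -> List[str]:
    """Return the problems with a PhoneData structure (empty list = valid).

    `elements` lists the structure's element names as defined in your WSDL (an
    assumed input; this page does not list them). If any element is populated,
    every element except extension must be populated too.
    """
    if not any(_populated(phone_data.get(name)) for name in elements):
        return []  # the whole structure is omitted, which is allowed
    mandatory = [name for name in elements if name not in PHONE_OPTIONAL_ELEMENTS]
    missing = [name for name in mandatory if not _populated(phone_data.get(name))]
    return [f"PhoneData is partially populated; missing {name}" for name in missing]


def validate_device_identifier(device: Dict[str, Any], phone_elements: List[str]) -> List[str]:
    """Validate the optional extensions on a DeviceIdentifier before it is sent."""
    problems: List[str] = []
    if "mobileDevice" in device:
        problems += validate_mobile_device(device["mobileDevice"])
    if "phoneData" in device:
        problems += validate_phone_data(device["phoneData"], phone_elements)
    return problems


if __name__ == "__main__":
    # Constructed inputs; PHONE_ELEMENTS uses hypothetical names, not the real schema.
    PHONE_ELEMENTS = ["areaCode", "number", "extension"]
    good = {"mobileDevice": {"simId": "", "hardwareId": "HW-EXAMPLE-1"},
            "phoneData": {"areaCode": "555", "number": "0100"}}
    bad = {"mobileDevice": {"simId": " ", "otherId": None},
           "phoneData": {"number": "0100"}}
    print(validate_device_identifier(good, PHONE_ELEMENTS))  # []
    print(validate_device_identifier(bad, PHONE_ELEMENTS))   # two problems
```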
Account Structures
AccountData Structure
The structure describes a user's bank account.
For international banking purposes, it is necessary to also list the user's bank account
number in IBAN format. IBAN is an international standard for identifying bank
accounts across national borders. This international account number format facilitates
the tracking and detection of hijacked fund transfers to mule or unintended payee
accounts.
The following table describes the structure.
Parameter | Description | Required | Max Length | Type
accountLastCreditGrantDate | The date the user was last granted credit. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
accountOpenedDate | The date the user's account was opened. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
nextLiquidDate | The next date that the user's account is liquid. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | N | Limited to ISO date format | String
Amount Structure
The following table describes the data elements for the Amount structure. Enter both
the amount and the currency if an amount value exists.
Parameter | Description | Required | Max Length | Type
Note: RSA recommends converting the amount in the original currency to USD and entering
the converted amount in the parameter amountInUSD. This is because the monetary
conversion rates in the static conversion table are not kept current.
AccountOwnershipType Values
The following table lists the Account ownership type values.
Values | Description
AccountRelationType Values
The following table lists the Account relation type values.
Values | Description
AccountType
The following table lists the Account type values.
Values | Description
Credential Structures
CredentialList Structure
The following is a structure of the credential list.
Credential Structure
This structure defines the information for a credential. The following table describes
the data structure parameters.
Parameter | Description | Required | Max Length | Type
CredentialStatus
Each credential can have a specific status associated with it.
Value | Description
DISABLED | The specific credential is not currently active for use by your application.
CredentialType Values
If you are using the RSA Adaptive Authentication (On Premise) credential types, use
one of the following values.
Device Structures
DeviceData Structure
The following table defines the parameters that comprise the DeviceData structure.
Parameter | Description | Required | Max Length | Type
BindingType Values
The following are the values for the BindingType.
Values | Description
Fact Structures
A Fact structure gives information (or facts) about a user and their activity.
Fact List
Fact Structure
DataType Values
The purpose of the dataType parameter is to describe the type of data entered for the
value parameter of the Fact Structure. The values for the Data Type parameter are
listed in the following table.
Value | Description
INTEGER | A whole number (not a fraction) that can be positive, negative, or zero.
BOOLEAN | A logical data type having two values denoted True and False.
FLOATING POINT | A real number that can be positive, negative, or zero and includes a floating decimal point.
DATE | A string that stores year, month, and day values in a given format such as MM/DD/YYYY. (Not supported as of Release 7.0)
Stock Structures
The following is a listing of all the AuthRequest Elements and for which methods they
are required. Parameters are listed in alphabetical order.
StockData Structure
This structure contains information about a single piece of stock. The following table
describes the data structure for the stockData Structure.
Parameter | Description | Required | Max Length | Type
last30DaysAveragePrice | The average price of the stock within the last 30 days. See Amount Structure on page 139. | N | NA | Amount
last30DaysHighPrice | The high price of the stock within the last 30 days. See Amount Structure on page 139. | N | NA | Amount
last30DaysLowPrice | The lowest price of the stock within the last 30 days. See Amount Structure on page 139. | N | NA | Amount
percentSharesHeldByInstitution | The percentage of the shares that are held by the organization. | N | NA | Integer
todayHighPrice | The high price of the stock as of the current day. For more information on this structure, see Amount Structure on page 139. | N | NA | Amount
StockTradeData Structures
This structure contains information about a single stock trade.
Parameter | Description | Required | Max Length | Type
PriceType Values
PriceType values are listed in the following table.
Value | Description
TermType Values
TermType values are listed in the following table.
Value | Description
GOOD_FOR_DAY | A day buy or sell order remains in effect for that trading day; otherwise, it is cancelled.
GOOD_UNTIL_CANCELLED | An order to buy or sell that remains valid until executed or cancelled.
IMMEDIATE_OR_CANCEL | An order requiring that all or part of the order be executed immediately after it has been brought to the market. Portions not immediately executed are automatically cancelled.
TradeType Values
TradeType values are listed in the following table.
Value | Description
SELL_SHORT | Selling a security that is not actually owned in the hope of buying it back at a lower price.
Transaction Structures
The following is a listing of all the AuthRequest Elements and for which methods they
are required. Parameters are listed in alphabetical order.
TransactionData Structures
The TransactionData structure comprises the details of the specific transaction. It
includes:
the receiver's account information, in the case where monies are transferred from
the user's account (bill pay or transfer)
the source of the funds, in the case where money is deposited into the user's
account. Data elements are otherAccount*
Parameter | Description | Required | Max Length | Type
ExecutionSpeed Values
ExecutionSpeed values are as follows:
Values | Description
OtherAccountBankType Values
OtherAccountBankType values are as follows.
Values | Description
OtherAccountOwnershipType Values
OtherAccountOwnershipType values are as follows.
Values | Description
OtherAccountType
OtherAccountType values are as follows.
Values | Description
Schedule Values
Schedule values are as follows.
Values | Description
TransactionMediumType Values
TransactionMediumType values are as follows.
Values | Description
Note: Some of the data structures defined in this chapter are also used in request
messages. For request messages, data elements can be required or optional. For
response messages, all data elements are optional.
deviceResult
The deviceResult structure contains information about the authentication of that
device. The following table describes the data structure for the DeviceAuthResult
Structure.
Parameter | Description | Type
callStatus | The status of the Web Services call. See CallStatus Structure on page 166. | CallStatus
deviceData | The list of devices and the resulting authentication for each of the devices sent in DeviceResponse. | DeviceData Structure
AuthenticationResult
The following table describes the authentication result returned from all credentials.
Parameter | Description | Type
risk | The credential risk score. This parameter is different from the value returned in riskResult. | Integer
authStatusCode | The result of the credential verification (i.e. did the user pass the credential?). See AuthStatusCode Values. | String
AuthStatusCode Values
identificationData
Note: This parameter is not returned in the response when the user does not belong to a group.
Parameter | Description | Type
newUserName | If the user has changed their user name, use this field to pass the new user name (using the updateUser method).
transactionId | The ID of a specific event for a given transaction. Each session might contain different transactions. Only one transaction can occur at any given time. This parameter is returned only when runRiskType = ALL. However, you only need to return this parameter under two circumstances: (1) when a sessionID is also returned in the same response, which usually occurs when actionCode = CHALLENGE; (2) when you pass eventType = EXTRA_AUTH in a notify request message, in which case this parameter should be entered in the eventReferenceID parameter. If this parameter is passed in any request message other than those described above, an error message occurs. | String
userLoginName | The name entered by the user when they log into your application. This parameter can change. This differs from the userName parameter. | String
userName | The internal representation of the userLoginName. This parameter should not change for the user. Note the difference between userLoginName and userName. | String
userStatus | The status of the user. See AuthStatusCode Values on page 155. | UserStatusType
userType | The type of user. See UserType Values on page 157. | UserType
UserStatusType Values
Values | Description
DELETE | The user has been marked as deleted in the Adaptive Authentication system. The user is not actually removed, but is merely marked as deleted.
UNVERIFIED | The user has enrolled, but is not yet verified by your application.
UserType Values
The userType defines the type of user that is being sent.
Values | Description
BAIT | The user has been flagged as a user that was purposefully given wrong information about an account.
messageHeader
The messageHeader structure contains general message information, such as message
type, version of the RSA Adaptive Authentication (On Premise) system, and the
timestamp of the message.
Parameter | Description | Type
requestId | This value is unique per request and should be generated by the requester. | String
requestType | This is the type of method that you want to invoke. See RequestType Values on page 158. | RequestType
timestamp | The timestamp of the header. The date should follow the ISO 8601 format or: YYYY-MM-DD HH:mm:SS.mmm (GMT time) | String
version | The version of the Web Services being used. The value is 7.0. | String
RequestType Values
The RequestType values correspond to the different methods. Choose the method for
which you want to invoke the request message. For more information, see Chapter 3, Web
Services API Methods.
Values | Description
CHALLENGE | This method returns the challenge material to be presented to the user.
CREATEUSER | This method is an explicit call that creates a user. This method returns the information that you should gather from the user during enrollment. (Optional) This method can also determine how risky a user is to enroll.
NOTIFY | This method allows the organization's application to notify the Adaptive Authentication system of any application events that can be added to the system's profiles. Note: This notification does not trigger a policy nor does it create a case in the Case Management application.
QUERY | For asynchronous credentials, this method returns the authentication status of that credential.
QUERYAUTHSTATUS | This method queries a user's profile and any system-level browse-able data.
statusHeader
The statusHeader structure is returned by the Generic Response, and contains
information about the message status. It only exists in the response message for any
method call.
Parameter | Description | Type
reasonCode | A more detailed explanation of the statusCode being returned. For a detailed list of the reasonDescriptions, see Appendix J, API Error Messages. | Integer
reasonDescription | An explanation of the Web Services call status. For a detailed list of the reasonDescriptions, see Appendix J, API Error Messages. | String
statusCode Values
The statusCode indicates the overall status of the Web Services operation.
200 | The Web Services operation was completed successfully. | This value refers to the completion of an actual Web Services call and means that all Web Services features are functioning correctly.
300 | A warning acknowledging the failure of one or more actions taken by an API call. A single API call executes one or more actions. If one action fails, the others may succeed. This warning notifies the user to check for the one or more failed actions. | For example, a createUser request is issued. This method request not only creates a new user but also defines the authentication method for the user. For some reason, such as a field validation violation, the registration to the authentication method fails. A 300 error code is returned in the createUser response and the credentials payload is returned with an error. As a result, the user exists without an authentication method. In this situation, an updateUser request must be issued to define the authentication method for the user, and the error that occurred in the createUser request must be corrected to avoid another failure.
500 | A system error occurred. The operation failed. | This is possibly an error in the Adaptive Authentication application. Contact RSA Advanced Technical Support.
510 | A process error occurred. The operation failed. | Either the data in the element is incorrect, or the wrong element is being sent. Alternatively, the data that is required to properly complete the request is not available (e.g. the database is not responding).
browsableGroupNames
This value contains the list of groups to which a user can belong. It is of a String
array type.
Parameter | Description | Type
browsableGroupNames | The list of group names to which the user can belong. These group names are defined by your organization in your Configuration Tree. This structure is only used by the query method. | String
collectableCredentialList
This structure is Not Supported as of Release 6.0.2.1.
The following table lists the credentials that are required.
CollectableCredential Structure
The following table lists the collectable Credential structure parameters.
Parameter | Description | Type
collectionReason | The reason why a credential is being collected. See collectionReason Values on page 161. | CollectionReason
collectionType | The type of collection. See CollectionType Values on page 162 for more information. | CollectionType
credentialType | The type of credentials to be collected. If you are using the Adaptive Authentication credentials, see CredentialType Values on page 162 for a list of values. | CredentialType[ ]
collectionReason Values
The collectionReason value determines why credentials are being collected. This
parameter is used within CollectionRequest.
Value | Description
FIRST_COLLECTION | This is the first time a user has been seen by the system and credential information needs to be collected.
REFRESH_COLLECTION | A set amount of time has passed, and a refresh of the credentials is needed.
CollectionType Values
Value Description
CredentialType Values
Use the following values if you are using the Adaptive Authentication credentials.
Value Description
credentialAuthResult
This structure is used as the response message for the methods, analyze and
authenticate, and each credential structure is specific to each type of credential. For
more information about the individual data structures listed here, refer to the specific
credential payloads.
credentialAuthStatusResponse
This structure is similar to the request message for the method, queryAuthStatus, and
each credential structure is specific to each type of credential. For more information
about the individual data structures listed here, refer to the specific credential payloads.
credentialChallengeList
This structure is used as the request message for the method, challenge. For more
information about the individual data structures listed here, refer to the specific
credential payloads.
credentialChallenge
This structure is used as the response message for the method, challenge. For more
information about the individual data structures listed here, refer to the specific
credential payloads.
credentialManagementResponseList
Parameter | Description | Type
credentialManagementResponse
This structure is used as the response message for the method, createUser, query, and
updateUser. Each structure is specific to the credential type being used. For more
information about the individual data structures listed here, refer to the specific
credential payloads.
deviceManagementResponse
This response structure is used to bind, unbind, or name a device, or to create or modify a
device binding. The following table describes the data structure for the
DeviceManagementResponse Structure.
CallStatus Structure
Parameter | Description | Type
statusDescription | Explanatory text about the status code. See StatusCode Values below. | StatusDescription
StatusCode Values
StatusDescription Structure
requiredCredentialList
A list of the credentials that are required.
RequiredCredential Structure
The RequiredCredential structure is contained within the analyze response message,
and is used to indicate which credentials are required to be collected from the user by
your application. The following table describes the data structure for the
RequiredCredential Structure.
Parameter | Description | Type
credentialType | The type of credentials to be collected. If you are using the Adaptive Authentication credentials, see CredentialType Values on page 142 for a list of values. | CredentialType
CredentialType Values
Use the following values if you are using the Adaptive Authentication credentials.
Value | Description
USER_DEFINED | The Authentication Plug-In credential type defined by the organization. This credential type is used for authentication methods such as OOB SMS, knowledge-based authentication (KBA), and one-time password (OTP).
riskResult
The riskResult element contains information about the risk analysis performed on
transactions.
Note: The parameters in the riskResult element reflect the values set in the
runRiskType element of the AnalyzeRequest. For more information, see
runRiskType on page 126.
Parameter | Description | Type
riskScore | The risk score assigned to the event during the logon or a risk analysis. | Integer
riskScoreBand | The risk score band assigned to the event during the logon or a risk analysis. | String
triggeredRule | The rule triggered during the risk analysis. See TriggeredRule Structure on page 168. | TriggeredRule
triggeredTestRule | If any rules are being tested, this value lists the test rules that are triggered during a risk analysis. See TriggeredRule Structure on page 168. | TriggeredRule
TriggeredRule Structure
This structure contains information about the specific rule that is triggered during the
risk analysis.
Parameter | Description | Type
actionCode | Indicates the action recommended by the triggered rule. See ActionCode Values on page 168. | ActionCode
actionName | The name of the action taken when the rule was triggered. | String
actionType | Indicates the type of action to be taken, based on the actionCode. See ActionApplyType Values on page 169. | ActionApplyType
ActionCode Values
The ActionCode indicates the action recommended by a triggered rule. The following are the
actions that can be executed if triggered by an Adaptive Authentication predefined rule set.
Value | Description
NONE | No recommendation.
ActionApplyType Values
The ActionApplyType defines the actionType to be taken in regard to the
recommended policy; in other words, what your organization will decide to do with
the policy recommended by the Adaptive Authentication system. This structure is sent
to the Adaptive Authentication system in the request message of the methods:
createUser, query, and updateUser.
The values for ActionApplyType are:
Value | Description
STRICT | Take action only if the actual action code is stricter than the recommended policy.
LIGHT | Take action only if the actual action code is lighter than the recommended policy.
OVERRIDE | Always use the actual action code, regardless of the recommended policy.
LOG | Do not take action, but log the event as an Adaptive Authentication event.
serverRedirectData
This structure is Not Supported as of Release 6.0.2.1.
The ServerRedirectData structure is returned by the analyze response message. It
informs your application of where to redirect the user if they need to be authenticated.
This structure is in response to the clientReturnData structure sent in the request
message.
systemCredentials
This structure is of type CredentialList.
CredentialList Structure
A list of the credentials.
Parameter | Description | Type
credential | The list of credentials. See Credential Structure on page 141 for more information. | Credential[ ]
userCredentials
Parameter | Description | Max Length | Type
Retrieving User Information | Get a user's information about their account. The customer service representative can retrieve the user's current status or the user's change history. | getUserStatus, getUserChangeHistory
Unenrolling a User from the System | Remove a user from the system. | getUserStatus, deleteUser
Unenrolling a User
This process allows the customer service representative to mark a user name as
removed from the system. The user's Adaptive Authentication (On-Premise)
information is not deleted, but is marked as unused.
Note: Once a user is unenrolled from the system, the account status is marked as
UNVERIFIED. The user information is not deleted from the Adaptive Authentication
(On-Premise) database.
The various methods for AdminService are listed in the following table.
Method | Description
getUserStatus | Returns the status of a user (for example: not enrolled, locked, etc.)
The following figure shows how each specific request and response message extends
the GenericRequest and GenericResponse messages respectively.
Parameter | Description | Required | Data Type
userName | The user name being requested. This data element is required. | Y* | String
securityHeader | The credential used to authenticate the caller of the Adaptive Authentication Admin service method. | N* | SecurityHeader
securityHeader
The securityHeader structure defines the specific ID and password for the Adaptive
Authentication Admin service method making the request.
Parameter | Description | Required | Max Length | Data Type
Note: If the Administration Console flag Admin Caller Credentials Passed in Payload
is True, the securityHeader parameters are required.
deleteUser Method
The deleteUser method removes a user's enrollment in the system. The actual user
information is not deleted from the Adaptive Authentication database, but it is
inaccessible to the user and the customer service representative. A user who has been
unenrolled must re-enroll before they can access the system.
Request Structure
Response Structure
Parameter | Description | Type
userChangeHistoryList | The history for the user's account for a specific time period. | UserChangeHistoryList
Sample SOAP
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:adm="http://admin.ws.csd.rsa.com">
  <soapenv:Header/>
  <soapenv:Body>
    <adm:deleteUser>
      <adm:in0>
        <adm:adminID>admin</adm:adminID>
        <adm:userName>user</adm:userName>
        <adm:securityHeader>
          <adm:callerCredential>password</adm:callerCredential>
          <adm:callerId>callerId</adm:callerId>
        </adm:securityHeader>
        <adm:userStatus>VERIFIED</adm:userStatus>
      </adm:in0>
    </adm:deleteUser>
  </soapenv:Body>
</soapenv:Envelope>
getUserChangeHistory Method
This method returns a user's account history. This method is synchronous. The
customer service representative is blocked from other methods until a response is
received from the Adaptive Authentication database.
Request Structure
Response Structure
Parameter | Description | Type
userChangeHistory | The history for the user's account for a specific time period. | UserChangeHistoryList
Sample SOAP
This is a sample request for the getUserChangeHistory method.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:getUserChangeHistoryResponse xmlns:ns1="http://admin.ws.csd.rsa.com">
      <ns1:getUserChangeHistoryReturn xsi:type="ns1:AdminResponse"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ns1:status>OK</ns1:status>
        <ns1:userChangeHistory>
          <ns1:userChangeHistory>
            <ns1:date>2012-09-10 07:29:52.165</ns1:date>
            <ns1:description>CV</ns1:description>
          </ns1:userChangeHistory>
          <ns1:userChangeHistory>
            <ns1:date>2012-09-11 07:31:51.290</ns1:date>
            <ns1:description>L</ns1:description>
            <ns1:type>admin -</ns1:type>
          </ns1:userChangeHistory>
          <ns1:userChangeHistory>
            <ns1:date>2012-09-11 07:43:05.572</ns1:date>
            <ns1:description>R</ns1:description>
            <ns1:type>admin -</ns1:type>
          </ns1:userChangeHistory>
          <ns1:userChangeHistory>
            <ns1:date>2012-09-11 07:45:19.993</ns1:date>
            <ns1:description>V</ns1:description>
            <ns1:type>admin -</ns1:type>
          </ns1:userChangeHistory>
        </ns1:userChangeHistory>
        <ns1:userStatus>VERIFIED</ns1:userStatus>
      </ns1:getUserChangeHistoryReturn>
    </ns1:getUserChangeHistoryResponse>
  </soapenv:Body>
</soapenv:Envelope>
resetOpenSessions Method
The resetOpenSessions method is provided in the Web Services Adaptive
Authentication Administration API to allow you to terminate the abandoned open
authentication sessions in your application for a specific user.
Request Structure
Parameter | Description | Required | Data Type
userName | The user name being requested. This data element is required. | Y | String
securityHeader | The credential used to authenticate the caller of the Adaptive Authentication Administration service method. | N | SecurityHeader
Response Structure
Sample SOAP
This is a sample request for the resetOpenSessions method.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:resetOpenSessionsResponse xmlns:ns1="http://admin.ws.csd.rsa.com">
      <ns1:resetOpenSessionsReturn xsi:type="ns1:AdminResponse"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ns1:status>OK</ns1:status>
      </ns1:resetOpenSessionsReturn>
    </ns1:resetOpenSessionsResponse>
  </soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:getUserChangeHistoryResponse xmlns:ns1="http://admin.ws.csd.rsa.com">
      <ns1:getUserChangeHistoryReturn xsi:type="ns1:AdminResponse"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ns1:status>OK</ns1:status>
        <ns1:userChangeHistory>
          <ns1:userChangeHistory>
            <ns1:date>2013-02-17 16:26:11.908</ns1:date>
            <ns1:description>CV</ns1:description>
          </ns1:userChangeHistory>
          <ns1:userChangeHistory>
            <ns1:date>2013-02-17 16:26:12.661</ns1:date>
            <ns1:description>S</ns1:description>
            <!-- "S" is the code for a terminated session -->
            <ns1:type>ADMIN -</ns1:type>
          </ns1:userChangeHistory>
        </ns1:userChangeHistory>
        <ns1:userStatus>VERIFIED</ns1:userStatus>
      </ns1:getUserChangeHistoryReturn>
    </ns1:getUserChangeHistoryResponse>
  </soapenv:Body>
</soapenv:Envelope>
getUserStatus Method
The getUserStatus method returns the status of a given user. This method is triggered
when the customer service representative submits a request. A getUserStatus
AdminRequest is sent to the Adaptive Authentication Server and returns with a
AdminResponse.
Request Structure
Response Structure
userChangeHistory: The history for the user's account for a specific time period. (Data type: UserChangeHistoryList)
Sample SOAP
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:adm="http://admin.ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<adm:getUserStatus>
<adm:in0>
<adm:adminID>admin</adm:adminID>
<adm:userName>user1</adm:userName>
<adm:securityHeader>
<adm:callerCredential>password</adm:callerCredential>
<adm:callerId>callerId</adm:callerId>
</adm:securityHeader>
</adm:in0>
</adm:getUserStatus>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:getUserStatusResponse xmlns:ns1="http://admin.ws.csd.rsa.com">
<ns1:getUserStatusReturn xsi:type="ns1:AdminResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:status>OK</ns1:status>
<ns1:userStatus>VERIFIED</ns1:userStatus>
</ns1:getUserStatusReturn>
</ns1:getUserStatusResponse>
</soapenv:Body>
</soapenv:Envelope>
setUserStatus Method
The setUserStatus method sets a user's status to one of the following values:
UNVERIFIED
VERIFIED
LOCKOUT
UNLOCKED
DELETED
Request Structure
Response Structure
userChangeHistory: The history for the user's account for a specific time period. (Data type: UserChangeHistoryList)
Sample SOAP
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:adm="http://admin.ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<adm:setUserStatus>
<adm:in0>
<adm:adminID>admin</adm:adminID>
<adm:userName>user1</adm:userName>
<adm:securityHeader>
<adm:callerCredential>password</adm:callerCredential>
<adm:callerId>callerId</adm:callerId>
</adm:securityHeader>
<adm:userStatus>LOCKOUT</adm:userStatus>
</adm:in0>
</adm:setUserStatus>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:setUserStatusResponse xmlns:ns1="http://admin.ws.csd.rsa.com">
<ns1:setUserStatusReturn xsi:type="ns1:AdminResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:status>OK</ns1:status>
<ns1:userStatus>LOCKOUT</ns1:userStatus>
</ns1:setUserStatusReturn>
</ns1:setUserStatusResponse>
</soapenv:Body>
</soapenv:Envelope>
unlockUser Method
The unlockUser method unlocks a user that has been locked out of the system due to
failure on the challenge method.
Request Structure
Response Structure
userChangeHistory: The history for the user's account for a specific time period. (Data type: UserChangeHistoryList)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:adm="http://admin.ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<adm:unlockUser>
<adm:in0>
<adm:adminID>admin</adm:adminID>
<adm:userName>user1</adm:userName>
<adm:securityHeader>
<adm:callerCredential>password</adm:callerCredential>
<adm:callerId>callerId</adm:callerId>
</adm:securityHeader>
<adm:userStatus>LOCKOUT</adm:userStatus>
</adm:in0>
</adm:unlockUser>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:unlockUserResponse xmlns:ns1="http://admin.ws.csd.rsa.com">
<ns1:unlockUserReturn xsi:type="ns1:AdminResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:status>OK</ns1:status>
<ns1:userStatus>UNLOCKED</ns1:userStatus>
</ns1:unlockUserReturn>
</ns1:unlockUserResponse>
</soapenv:Body>
</soapenv:Envelope>
lockUser Method
The lockUser method locks a user account in the system. You can lock a user's
account for the following reasons:
Request Structure
Response Structure
userChangeHistory: The history for the user's account for a specific time period. (Data type: UserChangeHistoryList)
Sample SOAP
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:adm="http://admin.ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<adm:lockUser>
<adm:in0>
<adm:adminID>admin</adm:adminID>
<adm:userName>user1</adm:userName>
<adm:securityHeader>
<adm:callerCredential>password</adm:callerCredential>
<adm:callerId>callerId</adm:callerId>
</adm:securityHeader>
<adm:userStatus>VERIFIED</adm:userStatus>
</adm:in0>
</adm:lockUser>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:lockUserResponse xmlns:ns1="http://admin.ws.csd.rsa.com">
<ns1:lockUserReturn xsi:type="ns1:AdminResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:status>OK</ns1:status>
<ns1:userStatus>LOCKOUT</ns1:userStatus>
</ns1:lockUserReturn>
</ns1:lockUserResponse>
</soapenv:Body>
</soapenv:Envelope>
AdminService Methods
The AdminService methods are described in the following table.
Method Description
the user account was deleted, and the user name is being re-used for another
or the same user.
From this state, users can only go to one of the following states: UNVERIFIED
or VERIFIED.
VERIFIED: Users who are enrolled in the system.
From this state, users can only go to one of the following states: LOCKED or
DELETED.
LOCKED: Users who have:
failed to enter their password correctly a set number of times
failed in challenge attempts
disabled accounts
From this state, users can only go to:
UNLOCKED: The customer service representative must unlock the user or the user performs a self-unlock. In this scenario, the user can immediately log in and start using his account.
UNVERIFIED: The customer service representative must reset a user's status to UNVERIFIED. In this scenario, the user must re-enroll in the system in order to access their account.
DELETED: The customer service representative must set the user's status to DELETED.
UNLOCKED: Users who have had their accounts unlocked by the customer service representative.
From this state, users can only go to the following state, VERIFIED, by having
the customer service representative change their userStatus.
DELETED: Accounts that have been marked as deleted in the RSA Adaptive Authentication (On Premise) database. Once a user has been marked deleted, it can only go to an UNVERIFIED state, and the user (either a new user or same user) needs to (re)enroll in the system.
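The transitions above, as an added example (not RSA code): a client-side check of a proposed setUserStatus change against the table, plus a breadth-first search for the fewest status changes between two states. The table's LOCKED row is taken to be the LOCKOUT value that setUserStatus uses; the row whose name was lost in the extracted text, and the outgoing transitions of UNVERIFIED, are not in this section and so are not modelled; the function names are hypothetical.

```python
from collections import deque

# current status -> statuses a customer service representative may set next,
# transcribed from the state table above. The table's LOCKED row is the
# LOCKOUT value used by setUserStatus. UNVERIFIED has no outgoing entry here
# because its transitions are not listed in this section.
ALLOWED_TRANSITIONS = {
    "VERIFIED": ("LOCKOUT", "DELETED"),
    "LOCKOUT": ("UNLOCKED", "UNVERIFIED", "DELETED"),
    "UNLOCKED": ("VERIFIED",),
    "DELETED": ("UNVERIFIED",),
}

# values accepted in the userStatus element of a setUserStatus request
SET_USER_STATUS_VALUES = ("DELETED", "LOCKOUT", "UNLOCKED", "UNVERIFIED", "VERIFIED")


def check_status_change(current, requested):
    """Client-side guard (hypothetical helper) run before a setUserStatus
    request is built. Returns (allowed, reason); an impossible transition is
    rejected and can be logged without a round trip to the server."""
    if requested not in SET_USER_STATUS_VALUES:
        return False, "not a setUserStatus value: %s" % requested
    allowed = ALLOWED_TRANSITIONS.get(current)
    if allowed is None:
        return False, "no transition rule for current status %s" % current
    if requested not in allowed:
        return False, "%s -> %s is not an allowed transition" % (current, requested)
    return True, "ok"


def shortest_path(current, target):
    """Breadth-first search over the transition table: the fewest
    setUserStatus calls that take a user from current to target, as the list
    of statuses visited, or None when the table offers no route."""
    if current == target:
        return [current]
    queue = deque([[current]])
    seen = {current}
    while queue:
        path = queue.popleft()
        for nxt in ALLOWED_TRANSITIONS.get(path[-1], ()):
            if nxt == target:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```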
AdminRequest Elements
userStatus: The user's current status. You can change the user's status to one of several values. Values are: DELETED, LOCKOUT, UNLOCKED, UNVERIFIED, VERIFIED. (Data type: String; Required: Y; Methods Used: All)
AdminResponse Elements
userStatus: The current status of the user. (Data type: String with values: NOTENROLLED, UNVERIFIED, VERIFIED, LOCKOUT, UNLOCKED, DELETED; Methods Used: ALL)
AdminService Parameters
The following section lists all of the parameters for AdminRequest and
AdminResponse messages.
AdminRequest Elements
userName: The identifier or string for the end user for which the request applies. This is the key value that is used to locate the user's data in the system, as passed in the Web Services calls. (Data type: String; Required: Y; Methods Used: All)
AdminResponse Elements
userChangeHistoryList: The history for the user's account for the specified range of dates. (Data type: UserChangeHistory; Methods Used: getUserChangeHistory)
userStatus: The current status of the user. (Data type: String with values: NOTENROLLED, UNVERIFIED, VERIFIED, LOCKOUT, UNLOCKED, DELETED; Methods Used: ALL)
UserChangeHistory
date: The date that the particular change history occurred. (Data type: String)
description: A description of the type of change that occurred within date. (Data type: String)
type: The type of user history that occurred. (Data type: String) The values are:
R: RESET or UNLOCKED. The user has been reset or unlocked.
U: MODIFIED USER NAME. The user has changed their user name.
G: MODIFIED GROUP. The user's group membership is changed.
T: MODIFIED CONTACTS. The user's contact information is changed.
F: MODIFIED PREFERENCE. The user's preferences are changed.
Retrieving Information for Multiple Activities: Use this method to get information about existing activities for a particular organization. You can define the activities to retrieve by using the filter provided. (Method: getActivities)
Retrieving Information for Multiple Cases: Use this method to get information about existing cases for a particular organization. You can define the cases to retrieve by using the filter provided. (Method: getCases)
Retrieving Information for a Specific Case: Use this method to get information about a specific case by providing the caseID. The caseId is retrieved using the getCases method. This process allows you to lock data retrieved earmarked for update. (Method: getCase)
Updating a Specific Activity: Use this method to update resolution information for a specific activity. The activity (event) is identified by its eventId. This process automatically locks the data earmarked for update. After update is completed, the data is unlocked automatically. (Method: updateActivity)
Updating a Specific Case: Use this method to update information for a specific case. The case is identified by its caseId. The case must be retrieved and locked by the getCase method prior to update. After update is completed, the data is unlocked, if specified. (Method: updateCase)
Note: A case is assigned to the operator name of the user who locks the case. A case
cannot be reassigned to a different operator name.
Lock a Case
You are responsible for locking and unlocking cases when using the Case
Management API. This involves setting the lock and unlock parameters of the getCase
and updateCase methods, respectively and in that order.
The locking process itself is similar to locking a case for the updateActivity method.
The procedure is as follows:
1. For the getCase method, set the caseId parameter to the caseId for the case to be
updated. The caseId for the case to be updated is retrieved using the getCases
method.
2. Set the getCase method parameter lock to true.
3. Issue the getCase method SOAP API call.
4. If the lock parameter is true, the application processes the locking request as
follows:
a. The application checks if the case is locked.
b. If the case is not found, an error message is issued:
No case with such an ID exists
In this situation, there is nothing to retrieve or lock.
c. If the case is locked by the same user requesting the lock, the lock is valid
for the update.
d. If the case is locked by a different user, an error message is issued:
Case is already locked by a different operator
In this situation, the lock is not valid for the update.
e. If the case is not locked, the application locks the case, preventing other
users from updating the case and its events.
5. For the updateCase method, set the caseId parameter to the caseId for the case to
be updated.
6. Optionally, set the parameter releaseLock to true, along with the other parameters
needed for the update. This allows the case and its events to be unlocked
following update.
7. Issue the updateCase method SOAP API call.
8. The application verifies the case is locked as follows:
a. The application checks if the case is locked.
b. If the case is not found, an error message is issued:
Unable to update case: no such case exists
In this situation, there is nothing to update.
c. If the case exists and is locked by the same user requesting the lock, the
lock is valid for the update.
d. If the case exists and is locked by a different user, an error message is
issued:
Case is already locked by a different operator
In this situation, the lock is not valid for the update.
e. If the case exists and is not locked, an error message is issued:
Update case failed: case is not locked for update.
In this situation, there is no lock.
9. If the case exists and is locked and valid for the update, the update of the case data
proceeds according to the request parameters. Otherwise, processing stops.
10. If the releaseLock parameter is set to True, as part of the response processing, the
case and its events are unlocked.
Note: A case is assigned to the operator name of the user who locks the case. A case
cannot be reassigned to a different operator name.
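The locking rules of steps 4 and 8 as an added simulation, not RSA's implementation: an in-memory case store whose getCase and updateCase follow the procedure above and return the error strings quoted there, and which assigns the case to the operator who takes the lock. The class and method names and the reassignment error text are constructed for this example.

```python
# Error strings quoted in steps 4 and 8 of the locking procedure.
NO_CASE_ON_GET = "No case with such an ID exists"
NO_CASE_ON_UPDATE = "Unable to update case: no such case exists"
LOCKED_BY_OTHER = "Case is already locked by a different operator"
NOT_LOCKED = "Update case failed: case is not locked for update."
# Constructed for this example; the guide does not quote a message for this case.
CANNOT_REASSIGN = "Case cannot be reassigned to a different operator name"


class CaseStore:
    """Hypothetical in-memory stand-in for the case table behind getCase and
    updateCase. Each record carries lockedBy (operator holding the lock, or
    None) and assignedToUserName (set when the lock is first taken)."""

    def __init__(self, cases):
        self.cases = {}
        for c in cases:
            rec = dict(c)
            rec.setdefault("lockedBy", None)
            rec.setdefault("assignedToUserName", None)
            self.cases[rec["caseId"]] = rec

    def get_case(self, case_id, operator, lock=False):
        """getCase: returns (case copy, error). With lock=True the request is
        processed as in step 4: 4b no such case, 4c/4d lock held by the same or
        a different operator, 4e lock taken."""
        case = self.cases.get(case_id)
        if case is None:                                   # 4b
            return None, NO_CASE_ON_GET
        if lock:
            if case["lockedBy"] is None:                   # 4e: take the lock
                case["lockedBy"] = operator
                if case["assignedToUserName"] is None:     # case assigned to the locker
                    case["assignedToUserName"] = operator
            elif case["lockedBy"] != operator:             # 4d
                return None, LOCKED_BY_OTHER
            # 4c: already held by this operator; the lock is valid for the update
        return dict(case), None

    def update_case(self, case_id, operator, fields, release_lock=False):
        """updateCase: returns (ok, error) following steps 8 to 10. The update
        is applied only when this operator holds the lock; releaseLock=True
        unlocks the case as part of the response processing."""
        case = self.cases.get(case_id)
        if case is None:                                   # 8b
            return False, NO_CASE_ON_UPDATE
        if case["lockedBy"] is None:                       # 8e
            return False, NOT_LOCKED
        if case["lockedBy"] != operator:                   # 8d
            return False, LOCKED_BY_OTHER
        # A case cannot be reassigned to a different operator name.
        new_owner = fields.get("assignedToUserName", case["assignedToUserName"])
        if new_owner != case["assignedToUserName"]:
            return False, CANNOT_REASSIGN
        case.update(fields)                                # 9: apply the request
        if release_lock:                                   # 10
            case["lockedBy"] = None
        return True, None
```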
Unlock a Case
Use the updateCase transaction to unlock a locked case and its events that were
locked inadvertently.
The procedure is as follows:
1. Set the caseId parameter to the caseId for the case to be unlocked.
2. Set the caseStatus parameter to the current status of the case to be unlocked.
3. Set the assignedToUserName parameter to the operator name of the user who
locked the case.
4. Set the releaseLock parameter to False.
5. Issue the updateCase method SOAP API call.
Important: Encode the information retrieved by the Case Management API methods
before the information is exposed to your end users. Encoding data is used to prevent
potential cross site scripting (XSS) in the web application.
The various methods for Case Management are listed in the following table.
Method Description
getActivities Use to retrieve data for one or more activities (events) using a filter.
getCases Use to retrieve metadata for one or more cases using a filter.
getCase Use to retrieve data for one specific case using the caseId.
updateActivity Use to update resolution information for one event using the eventId.
updateCase Use to update information for a specific case using the caseId.
Paging
The Case Management API includes the paging functionality available for all
methods. Paging provides you with the option to select the maximum number of data
items you want to retrieve. See the paging structure definition in paging on
page 219.
getActivities Method
The getActivities method retrieves all the data for the activities (events) selected for
retrieval. This method uses a filter to define the selection criteria for the data retrieval.
Events are selected according to this selection criteria.
eventTimeFilter: The beginning and end of the retrieval period (range of the event's date and time). For more information, see eventTimeFilter on page 217. (Required: N; Data type: eventTimeFilter)
userInternationalAcctNumber: The number of the user's account in IBAN format. (Required: N; Data type: String (100))
Note: If the channel indicator for this event is set to ATM, this is an ATM-related data element. For more information on ATM transactions, see ATM Protection Module on page 247.
triggeringRuleType
The triggeringRuleType refers to the characteristic of an event which explains the
status of the events association with a case. This status refers to whether an event is
flagged.
A flagged event is an event that appears to be fraudulent and is associated with a case.
This status also refers to the contributing factors that opened the case associated with
an event.
The table below lists the acceptable pre-defined values for this data type.
Values Description
PRODUCTION The event is associated with a case opened due to production rules, whether
or not test rules were also a contributing factor.
BOTH The event is associated with a case opened due to both test and production
rules.
TEST The event is associated with a case opened due to test rules, whether or not
production rules were also a contributing factor.
TEST_ONLY The event is associated with a case opened only due to test rules.
NOT_FLAGGED The event is not flagged. It is not associated with any case.
eventTimeFilter
The eventTimeFilter consists of a date range, indicating the beginning and end of the
retrieval period. An event is retrieved if the eventDate is within the range of the
eventTime filter.
From: This is the beginning of the event retrieval period. An event's eventTime must be equal to or greater than this date. (Data type: String supported by Java Simple Date format)
To: This is the end of the event retrieval period. An event's eventTime must be equal to or less than this date. (Data type: String supported by Java Simple Date format)
Note: The To date value must be equal to or less than the From date value.
Important: For both the From and To date fields, the date format is yyyy-MM-dd
HH:mm:ss.SSS.
For example, if the From date is September 21, 2012 at 3:45 PM, the date is
represented as: 2012-09-21 15:45:00.
riskScoreFilter
The riskScoreFilter defines the range of acceptable risk scores for events to be
retrieved. An event is retrieved if its risk score is within the range defined by the
riskScoreFilter.
ipFilter
The ipFilter defines the geographic location from where the events are issued.
ipCountry: This is the country where the IP address is located from which the events were issued. (Data type: String)
caseRefType
The caseAvalabilityAndStatus parameter specifies the type of case that is associated
with a given activity. The table below lists the acceptable pre-defined values for the
data type.
Values Description
OPEN_CASE The status of the case to retrieve is either New or Could not contact user.
resolutions Values
The resolutions values correspond to the different resolution outcomes assigned by
the Risk Engine to the individual events or cases. The table below lists the acceptable
values for this data type.
For more information, see the Case Resolution section in the chapter Managing
Cases in RSA Adaptive Authentication (On Premise) in the Back Office User's
Guide.
Values Description
UNKNOWN The resolution for this event or case is undetermined. It requires additional
investigation and analysis.
paging
The paging structure is common to all method requests. If you choose to set the
paging for a specific method, you must define both the pageSize and the offset by
inputting both values. For example, if you require 500 results from the halfway point
out of 10000 results, the pageSize is 500 and the offset is 5001.
A few points about paging are:
The default page size is the first 2000 results.
A page contains a maximum of 2000 results.
If you specify a pagesize greater than the maximum number of results, the
default pagesize is retrieved.
The following table describes the paging data elements:
Note: If you do not define the page size, the default pagesize will be retrieved. If you
do not define the offset, the default is zero.
Important: Encode the information retrieved by this method before the information is
exposed to your end users. Encoding data is used to prevent potential cross site
scripting (XSS) in the web application.
callStatus
The callStatus sub-structure includes all the information about the status of a specific
SOAP call. The table below describes each parameter in the structure and lists their
acceptable values where applicable:
eventDetails
The eventDetails sub-structure consists of most of an events general information.
The following table is the list of the data elements included in this structure.
eventResolution: The resolution determination for the event. For a list of resolution values, see resolutions Values on page 218. (Data type: Resolutions)
eventTime: The specific date and time that an event took place. The date format is yyyy-MM-dd HH:mm:ss.SSS. For example, if the eventTime date is September 21, 2012 at 3:45 PM, the date is represented as: 2012-09-21 15:45:00. (Data type: String supported by Java Simple Date format)
extInternationalAcctNumber: The payee or other account number in IBAN format. (Data type: String (100))
extAcctOwnerName: The name of the owner of the payee or other account. (Data type: String)
acctOpenDate: The date that the account was last opened. (Data type: Date)
addrChangeDate: The date that the user's address record was last changed or created. (Data type: Date)
passwordChangeDate: The date the user's password record was last changed or created. (Data type: Date)
phoneChangeDate: The date the user's phone number was last changed. (Data type: Date)
riskScore: The risk score that this event received from the Risk Engine. (Data type: Integer)
testRuleNames: The list of names of the test rules that were triggered by the event. The names in the list are separated by a comma. (Data type: String)
trxSchedule: This value defines all the available transaction schedules. See Schedule Values on page 150. (Data type: String)
trxSpeed: This value determines how fast a transaction will take place. See OtherAccountBankType Values on page 150. (Data type: String)
userId: The identification of the user who issued the event. (Data type: String)
channelIndicatorType values
A list of available channel types:
WEB (default)
IVR
CALL_CENTER
BRANCH
ATM
MOBILE
OTHER
ATM-related Information
If the channel indicator is set to ATM, the getActivities response includes specific
information relating to an ATM transaction. For more information on ATM
transactions, see ATM Protection Module on page 247.
The following table lists the data elements issued for an ATM-related event in Case
Management API methods payloads:
atmOwner: This specifies if the owner of the ATM device is an RSA customer who is implementing the RSA Adaptive Authentication (On Premise) ATM Protection Module. (Data type: String(20)) The two values accepted for this field are:
FI: the financial institution that owns the ATM device and is implementing the Adaptive Authentication ATM Protection Module.
Other: the financial institution that owns the ATM device and is not implementing the Adaptive Authentication ATM Protection Module.
locationType: The type of location where the ATM device resides. In the chapter ATM Protection Module, see the list of pre-defined types of locations in Location Type Values on page 253. (Data type: LocationType)
atmAmount: The amount of cash withdrawn for an ATM transaction of the WITHDRAW event type. In the chapter ATM Protection Module, see Amount on page 257. (Data type: Amount)
cardPinChangeDate: The date the user's credit or debit card PIN number was last changed, in GMT format. The date format is yyyy-MM-dd HH:mm:ss.SSS. For example, if the card PIN change date is September 21, 2012 at 3:45 PM, the date is represented as: 2012-09-21 15:45:00. (Data type: String supported by Java Simple Date format)
atmCardAge: The number of days from the date the user's credit or debit card was issued. For information about the card issue date, see Channel on page 250, in the chapter ATM Protection Module. (Data type: Integer)
customFactsList
A list of custom facts, such that each fact consists of a string with a name and a value.
For more information, see the Custom Facts Management section in the Managing
Policies chapter of the Back Office User's Guide.
ipDetails
The details of the internet protocol (IP) from which the event was issued. The
following table lists the data elements that define the IP that issued the event:
ipAddress: The IP address from which this event was sent. (Data type: String)
ipCity: The city from which this event was sent. (Data type: String)
ipCountry: The country connected to the IP address from which this event was sent. (Data type: String)
ipIsp: The Internet Service Provider taken from the GEO IP. (Data type: String)
ipRegion: The IP region from which this event was sent. (Data type: String)
riskContributorsList
This is a list of factors that contribute to the risk score. This list consists of up to ten risk
contributors. The following table lists the data elements for each risk contributor:
contribution: The value of the risk score assigned to the event due to the risk score contributor. (Data type: Integer)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:getActivitiesResponse xmlns:ns1="http://ws.rsa.com/cm/types">
<ns1:response>
<ns1:caseEvents>
<ns1:eventDetails>
<ns1:eventId>7ef7-:fd4bb419931:5cba5794-_TRX</ns1:eventId>
<ns1:eventTime>2012-09-05T10:30:17.367+03:00</ns1:eventTime>
<ns1:eventType>WITHDRAW</ns1:eventType>
<ns1:extAcctRoutingCode>NA</ns1:extAcctRoutingCode>
<ns1:amountCurrency>USD</ns1:amountCurrency>
<ns1:amountInUSD>45.0</ns1:amountInUSD>
<ns1:originalAmount>12.0</ns1:originalAmount>
<ns1:policyAction>DENY</ns1:policyAction>
<ns1:policyRuleName>Rule15- Withdraw and Channel Indicator=ATM</ns1:policyRuleName>
<ns1:challengeSuccess>N/A</ns1:challengeSuccess>
<ns1:channelIndicator>ATM</ns1:channelIndicator>
<ns1:triggeringRuleType>Y</ns1:triggeringRuleType>
<ns1:orgId>dummy</ns1:orgId>
<ns1:riskScore>4</ns1:riskScore>
<ns1:clientDefinedEventType>NA</ns1:clientDefinedEventType>
<ns1:userId>user</ns1:userId>
<ns1:atmId>1234</ns1:atmId>
<ns1:atmOwner>FI</ns1:atmOwner>
<ns1:location>
<ns1:country>isr</ns1:country>
<ns1:state>ISR</ns1:state>
<ns1:city>PARIS</ns1:city>
<ns1:zip>123</ns1:zip>
</ns1:location>
<ns1:locationType>STREET</ns1:locationType>
<ns1:userInternationalAcctNumber>123456</ns1:userInternationalAcctNumber>
<ns1:atmCardAge>-1</ns1:atmCardAge>
<ns1:atmAmount>
<ns1:amount>12</ns1:amount>
<ns1:amountInUSD>45</ns1:amountInUSD>
<ns1:currency>USD</ns1:currency>
</ns1:atmAmount>
</ns1:eventDetails>
<ns1:customFactsList/>
<ns1:ipDetails/>
<ns1:riskContributorsList/>
</ns1:caseEvents>
<ns1:eventCount>1</ns1:eventCount>
</ns1:response>
<ns1:callStatus>
<ns1:status>SUCCESS</ns1:status>
<ns1:statusCode>0</ns1:statusCode>
</ns1:callStatus>
</ns1:getActivitiesResponse>
</soapenv:Body>
</soapenv:Envelope>
getCases Method
The getCases method retrieves only the metadata for the cases selected for retrieval.
This method uses a filter to set the selection criteria for the data retrieval. Cases are
selected according to this selection criteria.
caseStatus: The status of a case. If not selected, only open cases are retrieved. (Required: N; Data type: String) The case statuses are:
Open Case
New
Couldn't contact user
In progress
Closed
For more information about a case status, see the Case Status section in Chapter Managing Cases in RSA Adaptive Authentication (On Premise) in the Back Office User's Guide.
caseTimeFilter: The beginning and end of the retrieval period (range of the case's dateUpdated). For more information, see caseTimeFilter on page 232. (Required: N; Data type: caseTimeFilter)
operatorUserName: The user name of the operator assigned to the case. The default value is fraudanalyst. (Required: N; Data type: String)
userInternationalAcctNumber: The number of the user's account in IBAN format. (Required: N; Data type: String (100))
Note: Use this parameter to retrieve ATM activities for a specific user's account. ATM monitoring only recognizes the user's account in IBAN format.
caseTimeFilter
The caseTimeFilter consists of a date range, indicating the beginning and end of the
retrieval period. A case is retrieved if the dateUpdated is within the range of the
caseTime filter.
From: This is the beginning of the case retrieval period. A case's dateUpdated must be equal to or greater than this date. (Data type: String supported by Java Simple Date format)
To: This is the end of the case retrieval period. A case's dateUpdated must be equal to or less than this date. (Data type: String supported by Java Simple Date format)
Note: The To date value must be equal to or less than the From date value.
Important: For both the From and To date fields, the date format is yyyy-MM-dd
HH:mm:ss.SSS.
For example, if the From date is September 21, 2012 at 3:45 PM, the date is
represented as: 2012-09-21 15:45:00.
The following table is the list of the data elements which comprise the metadata of a
single case within the response structure for this method:
userId: The identification code of the user who issued the case. (Data type: Integer)
maxScoreActivity: The maximum risk score of the event associated with the case that has the highest risk score. (Data type: String)
maxRiskScore: The risk score of the event associated with the case that has the highest risk score. (Data type: Integer)
maxScoreIpAddress: The IP address of the event associated with the case that has the highest risk score. (Data type: String)
maxScoreIpCountry: The IP country of the event associated with the case that has the highest risk score. (Data type: String)
assignedToUserName: The user name of the user to which the case is assigned. (Data type: String)
lockedAt: The date and time the case was last locked. (Data type: Datetime)
lockedBy: The identification of the last user who locked the case. (Data type: String)
snoozedAt: The date and time the case was last snoozed. For more information about cases in snooze mode, see the Snooze Mode section in the chapter Managing Cases in RSA Adaptive Authentication (On Premise) in the Back Office User's Guide. (Data type: Datetime)
userInternationalAcctNumber: The number of the user's account in IBAN format. (Data type: String (100))
Note: This data element is used only for ATM activities.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<typ:getCases xmlns:typ="http://ws.rsa.com/cm/types">
<typ:caseFilter>
<typ:caseStatus xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<typ:caseResolution xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<typ:userId>user</typ:userId>
<typ:caseTimeFilter xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<typ:ipFilter xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<typ:orgId>default</typ:orgId>
</typ:caseFilter>
<typ:paging>
<typ:pageSize>5</typ:pageSize>
<typ:offset>0</typ:offset>
</typ:paging>
</typ:getCases>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:getCasesResponse xmlns:ns1="http://ws.rsa.com/cm/types">
<ns1:response>
<ns1:case>
<ns1:caseId>162</ns1:caseId>
<ns1:userId>user</ns1:userId>
<ns1:orgId>dummy</ns1:orgId>
<ns1:caseStatus>NEW</ns1:caseStatus>
<ns1:maxRiskScore>4</ns1:maxRiskScore>
<ns1:maxScorePolicyAction>DENY</ns1:maxScorePolicyAction>
<ns1:assignedToUserName>fraudanalyst</ns1:assignedToUserName>
<ns1:lockedBy>0</ns1:lockedBy>
<ns1:userInternationalAcctNumber>123</ns1:userInternationalAcctNumber>
</ns1:case>
<ns1:caseCount>1</ns1:caseCount>
</ns1:response>
<ns1:callStatus>
<ns1:status>SUCCESS</ns1:status>
<ns1:statusCode>0</ns1:statusCode>
</ns1:callStatus>
</ns1:getCasesResponse>
</soapenv:Body>
</soapenv:Envelope>
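An added client-side example, not RSA code, tying together the paging defaults, the caseTimeFilter date format and the Important note on encoding retrieved data: it builds a getCases request shaped like the sample above, parses a getCasesResponse and HTML-encodes the case fields before display. The From and To element names inside caseTimeFilter are assumed from the table labels, and the helper names and sample values are constructed.

```python
import html
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

CM_NS = "http://ws.rsa.com/cm/types"   # Case Management namespace from the samples
MAX_PAGE_SIZE = 2000                   # a page contains at most 2000 results


def format_filter_date(dt):
    """Render a datetime as yyyy-MM-dd HH:mm:ss.SSS, the format the From and
    To fields of caseTimeFilter require (the guide's example omits the millis)."""
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + "%03d" % (dt.microsecond // 1000)


def paging_params(page_size=None, offset=None):
    """Apply the documented paging defaults: pageSize defaults to 2000, and a
    request above that maximum is clamped to it; offset defaults to zero."""
    if page_size is None or page_size > MAX_PAGE_SIZE:
        page_size = MAX_PAGE_SIZE
    offset = 0 if offset is None else offset
    if page_size < 1 or offset < 0:
        raise ValueError("pageSize must be positive and offset non-negative")
    return page_size, offset


# Request skeleton modelled on the getCases sample; the From/To element names
# inside caseTimeFilter are an assumption taken from the table labels.
REQUEST_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<typ:getCases xmlns:typ="http://ws.rsa.com/cm/types">
<typ:caseFilter>
<typ:userId>{user_id}</typ:userId>
<typ:caseTimeFilter><typ:From>{t_from}</typ:From><typ:To>{t_to}</typ:To></typ:caseTimeFilter>
<typ:orgId>{org_id}</typ:orgId>
</typ:caseFilter>
<typ:paging><typ:pageSize>{page_size}</typ:pageSize><typ:offset>{offset}</typ:offset></typ:paging>
</typ:getCases>
</soapenv:Body>
</soapenv:Envelope>"""


def build_get_cases_request(user_id, org_id, t_from, t_to, page_size=None, offset=None):
    """Return the getCases request XML. The range check follows the From and To
    row definitions (From is the lower bound of dateUpdated); caller-supplied
    strings are XML-escaped so they cannot alter the message structure."""
    if t_from > t_to:
        raise ValueError("caseTimeFilter: From must not be later than To")
    size, off = paging_params(page_size, offset)
    return REQUEST_TEMPLATE.format(
        user_id=escape(user_id), org_id=escape(org_id),
        t_from=format_filter_date(t_from), t_to=format_filter_date(t_to),
        page_size=size, offset=off)


def sample_request():
    """Worked case (constructed values): the first five cases of user 'user'
    in org 'default' updated between 21 and 22 September 2012."""
    return build_get_cases_request("user", "default",
                                   datetime(2012, 9, 21, 15, 45),
                                   datetime(2012, 9, 22, 15, 45), page_size=5)


def parse_get_cases_response(xml_text):
    """Return (callStatus/status, list of case dicts keyed by element name)."""
    root = ET.fromstring(xml_text)
    ns = {"ns1": CM_NS}
    status = root.find(".//ns1:callStatus/ns1:status", ns).text
    cases = [{child.tag.split("}")[1]: (child.text or "") for child in case}
             for case in root.findall(".//ns1:response/ns1:case", ns)]
    return status, cases


def html_safe(case):
    """Encode every field before it reaches a web page, as the Important note
    on this API requires; markup in a field is rendered as text, not as HTML."""
    return {k: html.escape(v, quote=True) for k, v in case.items()}


# Constructed response modelled on the getCases sample above, with markup in
# assignedToUserName to show what the encoding step does.
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:getCasesResponse xmlns:ns1="http://ws.rsa.com/cm/types">
<ns1:response>
<ns1:case>
<ns1:caseId>162</ns1:caseId>
<ns1:userId>user</ns1:userId>
<ns1:caseStatus>NEW</ns1:caseStatus>
<ns1:maxRiskScore>4</ns1:maxRiskScore>
<ns1:assignedToUserName>&lt;i&gt;fraudanalyst&lt;/i&gt;</ns1:assignedToUserName>
<ns1:lockedBy>0</ns1:lockedBy>
</ns1:case>
<ns1:caseCount>1</ns1:caseCount>
</ns1:response>
<ns1:callStatus><ns1:status>SUCCESS</ns1:status><ns1:statusCode>0</ns1:statusCode></ns1:callStatus>
</ns1:getCasesResponse>
</soapenv:Body>
</soapenv:Envelope>"""
```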
getCase Method
The purpose of the getCase method is to retrieve the data for one specific case. The
selection criteria for this method is only the case identification (caseId) of the specific
case required.
If the case selected is to be updated, this method enables you to lock the case, prior to
the update. For more information on locking a case, see Locking Process
Implementation on page 210.
operatorUserName: The user name of the operator requesting the case retrieval. The default value is fraudanalyst. (Required: N; Data type: String)
Important: Encode the information retrieved by this method before the information is
exposed to your end users. Encoding data is used to prevent potential cross site
scripting (XSS) in the web application.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:getCaseResponse xmlns:ns1="http://ws.rsa.com/cm/types">
<ns1:event>
<ns1:eventDetails>
<ns1:eventId>fcf7-:fd4bb419931:5cba5794-_TRX</ns1:eventId>
<ns1:eventTime>2012-09-05T10:32:21.037+03:00</ns1:eventTime>
<ns1:eventType>WITHDRAW</ns1:eventType>
<ns1:extAcctRoutingCode>NA</ns1:extAcctRoutingCode>
<ns1:amountCurrency>NIS</ns1:amountCurrency>
<ns1:amountInUSD>67.0</ns1:amountInUSD>
<ns1:originalAmount>12.0</ns1:originalAmount>
<ns1:policyAction>DENY</ns1:policyAction>
<ns1:policyRuleName>Rule15-Withdraw and Channel
Indicator=ATM</ns1:policyRuleName>
<ns1:challengeSuccess>N/A</ns1:challengeSuccess>
<ns1:channelIndicator>ATM</ns1:channelIndicator>
<ns1:triggeringRuleType>Y</ns1:triggeringRuleType>
<ns1:orgId>dummy</ns1:orgId>
<ns1:riskScore>4</ns1:riskScore>
<ns1:clientDefinedEventType>NA</ns1:clientDefinedEventType>
<ns1:userId>user</ns1:userId>
<ns1:atmId>987654321</ns1:atmId>
<ns1:atmOwner>FI</ns1:atmOwner>
<ns1:location>
<ns1:country>rus</ns1:country>
<ns1:state>ISR</ns1:state>
<ns1:city>PARIS</ns1:city>
<ns1:zip>1234</ns1:zip>
</ns1:location>
<ns1:locationType>OTHER</ns1:locationType>
<ns1:userInternationalAcctNumber>123</ns1:userInternationalAcctNumber>
<ns1:atmCardAge>-1</ns1:atmCardAge>
<ns1:atmAmount>
<ns1:amount>12</ns1:amount>
<ns1:amountInUSD>67</ns1:amountInUSD>
<ns1:currency>NIS</ns1:currency>
</ns1:atmAmount>
</ns1:eventDetails>
<ns1:customFactsList/>
<ns1:ipDetails/>
<ns1:riskContributorsList/>
</ns1:event>
<ns1:event>
<ns1:eventDetails>
<ns1:eventId>1df7-:fd4bb419931:5cba5794-_TRX</ns1:eventId>
<ns1:eventTime>2012-09-05T10:32:20.927+03:00</ns1:eventTime>
<ns1:eventType>ENROLL</ns1:eventType>
<ns1:extAcctRoutingCode>NA</ns1:extAcctRoutingCode>
<ns1:amountInUSD>0.0</ns1:amountInUSD>
<ns1:originalAmount>0.0</ns1:originalAmount>
<ns1:policyAction>ALLOW</ns1:policyAction>
<ns1:policyRuleName>FALLBACK RULE</ns1:policyRuleName>
<ns1:challengeSuccess>N/A</ns1:challengeSuccess>
<ns1:channelIndicator>WEB</ns1:channelIndicator>
<ns1:triggeringRuleType>N</ns1:triggeringRuleType>
<ns1:orgId>dummy</ns1:orgId>
<ns1:riskScore>9</ns1:riskScore>
<ns1:clientDefinedEventType>NA</ns1:clientDefinedEventType>
<ns1:userId>user</ns1:userId>
<ns1:location>
<ns1:country>NA</ns1:country>
<ns1:state>NA</ns1:state>
<ns1:city>NA</ns1:city>
<ns1:zip>NA</ns1:zip>
</ns1:location>
<ns1:atmCardAge>-1</ns1:atmCardAge>
<ns1:atmAmount>
<ns1:amount>0</ns1:amount>
<ns1:amountInUSD>0</ns1:amountInUSD>
</ns1:atmAmount>
</ns1:eventDetails>
<ns1:customFactsList/>
<ns1:ipDetails/>
<ns1:riskContributorsList/>
</ns1:event>
<ns1:callStatus>
<ns1:status>SUCCESS</ns1:status>
<ns1:statusCode>0</ns1:statusCode>
</ns1:callStatus>
</ns1:getCaseResponse>
</soapenv:Body>
</soapenv:Envelope>
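The following Python program is an added example; it is not part of the RSA documentation or product code. It parses a getCaseResponse envelope of the shape shown above and applies the encoding step the Important note requires: every field is HTML-encoded at the moment it is written into a page, not when it is stored or fetched. The response document is constructed for the example (the policyRuleName and userId values carry markup characters on purpose); only the element names and namespaces are taken from the sample. The unencoded renderer is included only to show what the note is protecting against.

```python
# Added example (not RSA's code): render getCase results without introducing XSS.
import html
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "ns1": "http://ws.rsa.com/cm/types",
}

# Constructed response with the same shape as the getCaseResponse sample above.
# policyRuleName and userId are XML-escaped on the wire, but once the document is
# parsed they become raw "<" and "&" characters, exactly as a browser would see them.
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:getCaseResponse xmlns:ns1="http://ws.rsa.com/cm/types">
      <ns1:event>
        <ns1:eventDetails>
          <ns1:eventId>fcf7-:fd4bb419931:5cba5794-_TRX</ns1:eventId>
          <ns1:eventType>WITHDRAW</ns1:eventType>
          <ns1:policyAction>DENY</ns1:policyAction>
          <ns1:policyRuleName>Rule15 &lt;script&gt;alert(1)&lt;/script&gt;</ns1:policyRuleName>
          <ns1:userId>user&amp;name</ns1:userId>
          <ns1:riskScore>4</ns1:riskScore>
        </ns1:eventDetails>
      </ns1:event>
      <ns1:callStatus>
        <ns1:status>SUCCESS</ns1:status>
        <ns1:statusCode>0</ns1:statusCode>
      </ns1:callStatus>
    </ns1:getCaseResponse>
  </soapenv:Body>
</soapenv:Envelope>
"""

COLUMNS = ("eventId", "eventType", "policyAction", "policyRuleName", "userId", "riskScore")


def parse_case_events(envelope_xml):
    """Return (callStatus, events); each event is a dict of the eventDetails children
    keyed by local element name. The XML parser decodes entity references, so the
    returned strings are raw text, not HTML-safe text."""
    # xml.etree does not fetch external entities, but if the response could be
    # attacker-controlled, parse it with defusedxml instead (general advice, not RSA's).
    root = ET.fromstring(envelope_xml)
    resp = root.find("soapenv:Body/ns1:getCaseResponse", NS)
    if resp is None:
        raise ValueError("not a getCaseResponse envelope")
    status = resp.findtext("ns1:callStatus/ns1:status", default="", namespaces=NS)
    events = []
    for ev in resp.findall("ns1:event", NS):
        details = ev.find("ns1:eventDetails", NS)
        if details is None:
            continue
        events.append({child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in details})
    return status, events


def render_event_row(details):
    """One HTML table row. Every cell goes through html.escape with quote=True, so the
    value is inert in element content and inside a quoted attribute alike."""
    cells = "".join("<td>%s</td>" % html.escape(details.get(c, ""), quote=True) for c in COLUMNS)
    return "<tr>%s</tr>" % cells


def render_event_row_unencoded(details):
    """What the Important note warns against: raw concatenation turns a rule name
    containing markup into live script in the analyst's browser."""
    return "<tr>%s</tr>" % "".join("<td>%s</td>" % details.get(c, "") for c in COLUMNS)


def render_case_table(envelope_xml):
    """Full table for a getCase response; empty string if the call did not succeed."""
    status, events = parse_case_events(envelope_xml)
    if status != "SUCCESS":
        return ""
    header = "<tr>%s</tr>" % "".join("<th>%s</th>" % c for c in COLUMNS)
    return "<table>%s%s</table>" % (header, "".join(render_event_row(e) for e in events))


if __name__ == "__main__":
    print(render_case_table(SAMPLE_RESPONSE))
```

The encoding lives in the rendering function rather than in the parser so that the same parsed data can still be compared, logged or stored as the raw strings the service returned; only the HTML boundary needs the escaped form.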
updateActivity Method
The purpose of the updateActivity method is to update the resolution data for an event.
The selection criterion for this method is the identification (eventId) of the specific
event to be updated.
An event must be locked prior to update. An event is locked when the case associated
with the event is locked. The case is automatically locked if it is not locked prior to
update. For more information on locking a case and its events, see Locking Process
Implementation on page 210.
operatorUserName (String; Optional). The operator name of the user requesting the case to be
updated. If not populated, the parameter is automatically assigned the default value
fraudanalyst.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:updateResponse xmlns:ns1="http://ws.rsa.com/cm/types">
<ns1:callStatus>
<ns1:status>SUCCESS</ns1:status>
<ns1:statusCode>0</ns1:statusCode>
</ns1:callStatus>
</ns1:updateResponse>
</soapenv:Body>
</soapenv:Envelope>
updateCase Method
The purpose of the updateCase method is to update specific data for a case. The
selection criterion for this method is the identification (caseId) of the specific case to be
updated.
assignedToUserName (String; Optional). The operator name of the user requesting the case to
be updated. If not populated, the parameter is automatically assigned the default value
fraudanalyst.
Error Messages
When issuing the Case Management API SOAP calls, errors can occur due to incorrect use of
the Case Management API methods.
The following table lists the error message returned by each Case Management API method
and the situation that causes the error:
Case Management API method | Error Message | Cause for Error
getCase | Case is already locked by different operator | The lock parameter is true and the case is locked by a different user.
updateActivity | Cannot update activity: Illegal resolution value | The resolution value is set to ANY.
updateCase | Unable to update case: no such case exists | The identification number of the case to be updated does not exist in the application system.
The data elements required by the ATM monitoring function are located in the
following sections of the analyze method:
request - This section identifies the SOAP call as an ATM request.
identificationData - This section includes the user's personal information.
messageHeader - This section provides general information about the analyze
request.
securityHeader - This section is used to authenticate the caller to the server.
Request
The request section consists of the entire analyze data structure, including the sections
required for the ATM payload.
The following table lists the data elements related to the ATM payload.
channelIndicator (ChannelIndicatorType; Mandatory). The channel device type. For a list of the
channel indicator types, see channelIndicatorType values on page 224.
actionTypeList (GenericActionType; Optional). The list of actions your application can initiate
for the analyze method when the channel is ATM. For the list of action type values, see
GenericActionType Values on page 107.
Identification Data
The identificationData section provides user information, including data required for
the ATM payload.
userName (String (50); Mandatory). For the ATM payload, the value of this data element is a
representation of the card number.
orgName (String (50); Required). The organization to which the user belongs. An identification
number for the organization is created in the Orgs and Groups application.
Message Header
The messageHeader structure includes a number of data elements that provide general
information about the analyze request. The table below lists the data elements related to ATM.
requestId (Integer; Required). This value is unique per request and is generated by the
request process.
timeStamp (String, Java SimpleDateFormat pattern; Optional). The date and time the event
was created, in GMT. This value is used when timeOfOccurrence is empty. The date format is
yyyy-MM-dd HH:mm:ss.SSS. For example, if the date and time the event occurred is
September 21, 2012 at 3:45 PM, the date is represented as 2012-09-21 15:45:00.000.
securityHeader
The securityHeader structure includes the data elements used to authenticate the caller to
the server. The table below lists the required data elements.
callerCredential (String; Required). The password of the caller initiating the request message.
This is not the user's password.
callerId (String; Required). The identifier used to authenticate the caller initiating the request
message. This is not the user's ID.
method (String; Required). The authorization method used for credential encryption. The
default value is PASSWORD.
Channel
This is the main section of the ATM payload. The section contains all the ATM-specific data.
timeZone (Float; Required). The local time zone of the ATM location. The range of values is
-12 to +12.
atmOwner (String (20); Mandatory). Specifies whether the owner of the ATM device is an RSA
customer implementing the Adaptive Authentication ATM Protection Module. The two accepted
values are:
FI - the financial institution that owns the ATM device is implementing the Adaptive
Authentication ATM Protection Module.
Other - the financial institution that owns the ATM device is not implementing the Adaptive
Authentication ATM Protection Module.
atmID (String (20); Mandatory). The globally unique identification of the ATM device.
locationType (LocationType; Required). The type of location where the ATM device resides. For
the list of pre-defined values, see Location Type Values on page 253.
cardIssueDate (String, Java SimpleDateFormat pattern; Required). The date the user's credit or
debit card was issued, in GMT. The date format is yyyy-MM-dd HH:mm:ss.SSS. For example, if
the card issue date is September 21, 2012 at 3:45 PM, the date is represented as
2012-09-21 15:45:00.000.
atmLanguage (String (25); Required). The language chosen by the user for the ATM user
interface.
location (Location; Required). The geographic location of the ATM device, consisting of the
physical address and the geographic coordinates. For details about the Location data
structure, see Location on page 254.
atmIP (IpType; Optional). The internal or external IP address assigned to the ATM device, in
IPv4 or IPv6 format.
atmExternalScore (Integer; Optional). The ATM's risk score as assigned by the bank or other
financial institution. The acceptable range is 0 to 1000.
loginFailureReason (FailureReason; Optional). The reason for a failed logon, chosen from a
pre-defined list of values. For the list of pre-defined values, see Login Failure Reason
Values on page 255.
numberOfFailedLogins (Integer; Optional). The number of failed attempts made prior to the
successful logon.
userYearOfBirth (Integer, format YYYY; Required). The user's year of birth. This field is used
to calculate the user's age. Acceptable values for a user's age are in the range 15 to 120.
cardPinChangeDate (String, Java SimpleDateFormat pattern; Required). The date the user's
credit or debit card PIN was last changed, in GMT. The date format is
yyyy-MM-dd HH:mm:ss.SSS. For example, if the card PIN change date is September 21, 2012 at
3:45 PM, the date is represented as 2012-09-21 15:45:00.000.
atmModel (String (50); Optional). The model type of the ATM device.
atmOS (String (50); Optional). The operating system running on the ATM device.
cardIssuerId (String (50); Optional). The identification of the business organization that
issued the user's card.
cardType (String (50); Optional). The type of card. For example, two possible values for this
field are Credit and Debit.
atmDailyLimit (atmDailyLimit; Required). The maximum daily cash amount allowed for
withdrawal from an ATM device.
cardDailyLimit (cardDailyLimit; Required). The maximum daily cash amount allowed for
withdrawal using a user's card.
atmDailyLimit
The atmDailyLimit structure includes the daily limit information for cash amounts withdrawn
from the ATM device.
amount (Long; Required). The maximum cash withdrawal amount per day allowed for an ATM
device. The value is in the lowest monetary denomination of the original currency.
amountInUSD (Long; Required). The maximum daily cash withdrawal amount for an ATM device
converted to USD by a static currency conversion table. See the note below.
currency (String(3); Required). The code that represents the original currency according to
ISO standard 4217.
Note: RSA recommends converting the amount in the original currency to USD and entering
the converted amount in the parameter amountInUSD, because the monetary conversion rates
in the static conversion table are not kept current.
cardDailyLimit
The cardDailyLimit structure includes the daily limit information for cash amounts withdrawn
using a user's credit or debit card.
amount (Long; Required). The maximum cash withdrawal amount per day allowed for a user's
credit or debit card. The value is in the lowest monetary denomination of the original
currency.
amountInUSD (Long; Required). The maximum daily cash withdrawal amount for a user's debit
or credit card converted to USD by a static currency conversion table. See the note below.
currency (String(3); Required). The code that represents the original currency according to
ISO standard 4217.
Note: RSA recommends converting the amount in the original currency to USD and entering
the converted amount in the parameter amountInUSD, because the monetary conversion rates
in the static conversion table are not kept current.
Location Type Values
PUBLIC TRANSPORT - An ATM located on the premises of a public transport station such as a
bus station or an underground (subway) station.
STREET - An ATM located on the street, not adjacent to any financial institution or other
facility.
CONVENIENCE STORE - An ATM located on the premises of a convenience store such as a kiosk, a
24-hour fast-food chain, or an all-night market.
LEISURE FACILITY - An ATM located on the premises of a country club, sports club (gym),
resort, or other leisure facility.
DRIVE THRU - An ATM located adjacent to a branch of a bank with a drive-thru window for
banking transactions.
ENTERTAINMENT VENUE - An ATM located on the premises of a bar, bistro, restaurant, sports
stadium, amusement or theme park, movie theatre complex, or other entertainment venue.
TRANSPORT TERMINAL - An ATM located on the premises of a transport terminal such as an
airport or a train station.
RETAIL OUTLET - An ATM located on the premises of a store, a shopping mall, or other retail
outlet.
OTHER - An ATM located on the premises of a facility not mentioned in the pre-defined list.
Location
The Location section includes the ATM's geographic location, including its coordinates.
The following table lists the data elements that define the ATM's actual location, with their
descriptions.
address (String; Required). The street address of the building in which the ATM is located.
zip (String; Required). The 10-digit code for the neighborhood in which the ATM is located.
Event Data
The eventData section identifies the type of event. It also includes the transaction
information. The following are the event types that are protected by the ATM
Protection Module:
Card PIN Change
Change Password
Deposit
Failed Login Attempts
Login
Money Transfer
View Statement
Withdrawal
The following table lists the eventData data elements that are required for the ATM
payload:
timeOfOccurrence (String, Java SimpleDateFormat pattern; Required). The date and time of
the event, in GMT. The date follows the ISO 8601 ordering (year, month, day, then time),
formatted as yyyy-MM-dd HH:mm:ss.SSS. For example, if the date and time the event occurred
is September 21, 2012 at 3:45 PM, the date is represented as 2012-09-21 15:45:00.000.
runRiskType (RunRiskType; Mandatory). A flag that determines whether the risk engine
should be run.
Transaction Data
The transactionData section includes the following sections relevant to the ATM payload.
Amount
The amount structure carries the amount for the following transactions:
withdrawal
payment
deposit
other money transfer activities
currency (String(3); Required). The code that represents the original currency according to
ISO standard 4217.
Note: RSA recommends converting the amount in the original currency to USD and entering
the converted amount in the data element amountInUSD, because the monetary conversion
rates in the static conversion table are not kept current.
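The Python below is an added example, not RSA's code, serving the atmDailyLimit, cardDailyLimit and amount structures above. It applies the two rules those sections state: amount is expressed in the lowest monetary denomination of the original currency, and amountInUSD is converted by the caller with a current rate rather than left to the static conversion table. The minor-unit exponent table and the rates are constructed for the example, and treating amountInUSD as USD cents (the same lowest-denomination convention the page states for amount) is an assumption.

```python
# Added example (not RSA's code): express amounts as the ATM amount structures expect.
from decimal import Decimal, ROUND_HALF_UP
from xml.sax.saxutils import escape

# ISO 4217 minor-unit exponents for the currencies used here. Constructed for this
# example; extend it to the currencies your channel actually handles.
MINOR_UNIT_EXPONENT = {"USD": 2, "EUR": 2, "ILS": 2, "JPY": 0, "KWD": 3}

# Child element order as listed in the structure tables above.
FIELD_ORDER = ("amount", "amountInUSD", "currency")


def to_minor_units(amount, currency):
    """Convert a decimal amount to the lowest denomination of its currency:
    "12.00" EUR -> 1200, "12" JPY -> 12, "1.5" KWD -> 1500. Rejects unknown codes,
    negative values and fractions the currency cannot represent."""
    if currency not in MINOR_UNIT_EXPONENT:
        raise ValueError("unknown ISO 4217 code: %r" % (currency,))
    exp = MINOR_UNIT_EXPONENT[currency]
    value = Decimal(str(amount))
    if value < 0:
        raise ValueError("amount must not be negative")
    if value != value.quantize(Decimal(1).scaleb(-exp)):
        raise ValueError("%s has more decimal places than %s allows" % (amount, currency))
    return int(value.scaleb(exp))


def build_amount(amount, currency, usd_per_unit):
    """Return the amount structure as a dict. usd_per_unit is the caller's current rate
    (USD per one unit of the original currency), passed explicitly because the server's
    static conversion table is not kept current. Assumption: amountInUSD is in USD cents,
    mirroring the lowest-denomination convention stated for amount."""
    minor = to_minor_units(amount, currency)
    usd = (Decimal(str(amount)) * Decimal(str(usd_per_unit))).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP)
    return {"amount": minor, "amountInUSD": int(usd.scaleb(2)), "currency": currency}


def to_soap_fragment(tag, structure, prefix="tns"):
    """Serialise the structure as the SOAP element, children in table order, with
    values XML-escaped so a stray "&" or "<" cannot break the envelope."""
    inner = "".join("<%s:%s>%s</%s:%s>" % (prefix, f, escape(str(structure[f])), prefix, f)
                    for f in FIELD_ORDER)
    return "<%s:%s>%s</%s:%s>" % (prefix, tag, inner, prefix, tag)


if __name__ == "__main__":
    limit = build_amount("250.00", "EUR", "1.08")
    print(limit)
    print(to_soap_fragment("atmDailyLimit", limit))
```

Using Decimal rather than float keeps the minor-unit arithmetic exact; the quantize check is what catches an amount such as 12.5 JPY or 1.0001 EUR that has no representation in the currency's lowest denomination.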
MyAccountData
The myAccountData section lists the user's personal banking information. The following
table lists the user's account information for ATM purposes.
accountNumber (String (50); Required). The user's account number in standard format.
internationalAccountNumber (String (100); Mandatory). The user's account number in IBAN
format.
OtherAccountData
The otherAccountData section includes the payee account information used for ATM purposes.
accountNumber (String (50); Required). The payee's account number in standard format.
internationalAccountNumber (String (100); Required). The payee's account number in IBAN
format.
<tns:location>
<tns:country>isr</tns:country>
<tns:state>ISR</tns:state>
<tns:city>PARIS</tns:city>
<tns:address>V</tns:address>
<tns:zip>123</tns:zip>
<tns:geoCoordinates>
<tns:longitude>19.7244</tns:longitude>
<tns:latitude>156.0787</tns:latitude>
<tns:altitude>0</tns:altitude>
</tns:geoCoordinates>
</tns:location>
<tns:cardPINChangeDate>2012-12-31</tns:cardPINChangeDate>
<tns:atmOS>windows</tns:atmOS>
</tns:channel>
<tns:autoCreateUserFlag>true</tns:autoCreateUserFlag>
<tns:eventDataList>
<tns:eventData>
<tns:eventType>WITHDRAW</tns:eventType>
<tns:transactionData>
<tns:myAccountData>
<tns:internationalAccountNumber>123</tns:internationalAccountNumber>
</tns:myAccountData>
</tns:transactionData>
</tns:eventData>
</tns:eventDataList>
<tns:runRiskType>ALL</tns:runRiskType>
<tns:channelIndicator>ATM</tns:channelIndicator>
</tns:request>
</tns:analyze>
</soap:Body>
Identification Data
The identificationData section for the ATM response payload provides not only user
information but also transaction identification information.
userName (String (50); Mandatory). The user's user name. It should be the credit or debit
card user name.
orgName (String (50); Mandatory). The organization to which the user belongs. An
identification code for the organization is created in the Orgs and Groups application.
Message Header
The messageHeader section for the ATM response payload is the standard data
structure of the generic response for all methods.
For the list of data elements for this data structure, see messageHeader on page 158
in chapter Web Services Response Data Structures and Types.
Status Header
The statusHeader section for the ATM response payload is the standard data structure
of the generic response for all methods. If the status is not completed successfully, an
error is reported.
For the list of data elements for this data structure, see statusHeader on page 159 in
chapter Web Services Response Data Structures and Types.
For a list of ATM-related errors, see ATM Error Messages on page 264.
Risk Result
The riskResult section for the ATM response payload is the standard data structure of
the Analyze response, an extension of the generic response for all methods. Its
purpose is to return the risk score and triggered rules due to the risk score.
For the list of data elements for this data structure, see riskResult on page 167 in
chapter Web Services Response Data Structures and Types.
Within this section is the triggeredRule. All its data elements are required. For the
specific data elements of this structure, see TriggeredRule Structure on page 168 in
the same chapter.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:transactionId>8fe7-:7cff54a8831:05956a86-_TRX</ns1:transactionId>
<ns1:userName>TestUser</ns1:userName>
<ns1:userStatus>UNVERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2012-07-17T11:05:08.104Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:riskResult>
<ns1:riskScore>4</ns1:riskScore>
<ns1:riskScoreBand>SCORE_BAND_0</ns1:riskScoreBand>
<ns1:triggeredRule>
<ns1:actionCode>ALLOW</ns1:actionCode>
<ns1:actionName>FALLBACK RULE</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>FALLBACK RULE</ns1:ruleId>
<ns1:ruleName>FALLBACK RULE</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
ATM Error Messages
The following table lists the validation errors for the ATM payload. The Error Message
Displayed column shows whether the message is returned by the application (Yes) or whether
the element is validated by Axis.
Data Element | Error Message Displayed | Error Message | Explanation
amount | Yes | Missing amount for money withdraw or transfer | The transaction amount data structure is blank or missing and the event type is either Withdraw or Transfer.
atmID | Yes | Missing mandatory field ATM ID | No data entered for the ATM identification number.
atmOwner | No - validated by Axis | Missing mandatory field Owner | No data entered for the ATM owner type.
cardIssueDate | No - validated by Axis | Missing mandatory field Card Issue Date | No data entered for the card issue date.
channel | No - validated by Axis | Channel field is not ATM type | The channel is not for an ATM device.
clientReturnData | Yes | ClientReturnData is not allowed for ATM request | If the channel is ATM, the client return data is not accepted.
country | Yes | Country must be valid country code of 3 characters | An invalid value is entered for country.
deviceRequest | Yes | DeviceRequest is not allowed for ATM request | If the channel is ATM, the device request section is not accepted.
eventType | Yes | Incorrect event for ATM | The event type issued for the ATM-related transaction is not in the pre-defined set of event types valid for channel ATM.
locationType | No - validated by Axis | Missing mandatory field Location Type | No data entered for the type of location where the ATM device is situated.
runRiskType | No - validated by Axis | Missing mandatory field RunRiskType | No data entered for the run risk type.
timeOfOccurrence | No - validated by Axis | Missing mandatory field Datetime | No data entered for the date and time of the event.
timeZone | No - validated by Axis | Missing mandatory field Timezone | No data entered for the time zone where the ATM is situated.
userData | No - validated by Axis | UserData is not allowed for ATM request | If the channel is ATM, the userData section is not accepted.
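The following Python is an added example, not RSA's code: a client-side pre-flight validator for the ATM analyze payload that implements the constraints from the Channel, Event Data and Location tables and the ATM error table above, so malformed requests are caught before they are sent. The request is modelled as nested dicts that use the SOAP element names; both sample requests are constructed. The set of event types that must carry an amount is an assumption (the page shows WITHDRAW in its samples and says "withdraw or transfer" in the error text), and because the page lists locationType and eventType values only partially, those two are checked for presence rather than against a closed list.

```python
# Added example (not RSA's code): pre-flight validation of an ATM analyze payload.
import re
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"      # Java pattern yyyy-MM-dd HH:mm:ss.SSS
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}$")
ATM_OWNERS = {"FI", "Other"}
NOT_ALLOWED_FOR_ATM = ("clientReturnData", "deviceRequest", "userData")
# Assumption: WITHDRAW is in the page's samples; TRANSFER is inferred from the error text.
AMOUNT_REQUIRED = {"WITHDRAW", "TRANSFER"}
MANDATORY_CHANNEL = (("atmID", "ATM ID"), ("atmOwner", "Owner"), ("cardIssueDate", "Card Issue Date"),
                     ("locationType", "Location Type"), ("timeZone", "Timezone"))


def parse_gmt_timestamp(value):
    """Strict parse of yyyy-MM-dd HH:mm:ss.SSS; None if the value does not match."""
    if not isinstance(value, str) or not TS_RE.match(value):
        return None
    try:
        return datetime.strptime(value, TS_FORMAT)
    except ValueError:
        return None


def validate_atm_request(req):
    """Return the list of validation messages; empty means the request is acceptable.
    Messages reuse the wording of the ATM error table wherever it defines one."""
    errors = []
    if req.get("channelIndicator") != "ATM":
        errors.append("Channel field is not ATM type")
    for section in NOT_ALLOWED_FOR_ATM:
        if section in req:
            errors.append("%s is not allowed for ATM request" % section)
    if not req.get("runRiskType"):
        errors.append("Missing mandatory field RunRiskType")
    ch = req.get("channel") or {}
    for field, label in MANDATORY_CHANNEL:
        if ch.get(field) in (None, ""):
            errors.append("Missing mandatory field %s" % label)
    if ch.get("atmOwner") not in (None, "") and ch["atmOwner"] not in ATM_OWNERS:
        errors.append("atmOwner must be FI or Other")
    try:
        if ch.get("timeZone") not in (None, "") and not -12 <= float(ch["timeZone"]) <= 12:
            errors.append("timeZone must be in the range -12 to +12")
    except ValueError:
        errors.append("timeZone must be numeric")
    country = (ch.get("location") or {}).get("country") or ""
    if not re.fullmatch(r"[A-Za-z]{3}", country):
        errors.append("Country must be valid country code of 3 characters")
    for field in ("cardIssueDate", "cardPinChangeDate"):
        if ch.get(field) not in (None, "") and parse_gmt_timestamp(ch[field]) is None:
            errors.append("%s must use the format yyyy-MM-dd HH:mm:ss.SSS" % field)
    score = ch.get("atmExternalScore")
    if score is not None and not 0 <= int(score) <= 1000:
        errors.append("atmExternalScore must be between 0 and 1000")
    events = req.get("eventDataList") or []
    if not events:
        errors.append("eventDataList must contain at least one eventData")
    for ev in events:
        occurred = ev.get("timeOfOccurrence")
        if occurred in (None, ""):
            errors.append("Missing mandatory field Datetime")
        elif parse_gmt_timestamp(occurred) is None:
            errors.append("timeOfOccurrence must use the format yyyy-MM-dd HH:mm:ss.SSS")
        if ev.get("eventType") in AMOUNT_REQUIRED:
            amount = (ev.get("transactionData") or {}).get("amount") or {}
            if amount.get("amount") is None:
                errors.append("Missing amount for money withdraw or transfer")
    first = parse_gmt_timestamp(events[0].get("timeOfOccurrence")) if events else None
    yob = ch.get("userYearOfBirth")
    if yob is not None and first is not None and not 15 <= first.year - int(yob) <= 120:
        errors.append("userYearOfBirth implies an age outside 15 to 120")
    return errors


# Constructed request: element names from the analyze payload, values made up.
GOOD_REQUEST = {
    "channelIndicator": "ATM", "runRiskType": "ALL",
    "channel": {
        "timeZone": 2.0, "atmOwner": "FI", "atmID": "987654321", "locationType": "OTHER",
        "cardIssueDate": "2010-03-01 09:00:00.000", "cardPinChangeDate": "2012-09-21 15:45:00.000",
        "userYearOfBirth": 1980, "atmExternalScore": 120,
        "location": {"country": "ISR", "city": "Tel Aviv", "zip": "1234"},
    },
    "eventDataList": [{
        "eventType": "WITHDRAW", "timeOfOccurrence": "2012-09-21 15:45:00.000",
        "transactionData": {"amount": {"amount": 12000, "amountInUSD": 3100, "currency": "ILS"}},
    }],
}
# The same request carrying the mistakes the error table describes.
BAD_REQUEST = {
    "channelIndicator": "ATM", "runRiskType": "ALL", "clientReturnData": {"k": "v"},
    "channel": {
        "timeZone": 14, "atmOwner": "FI", "locationType": "STREET",
        "cardIssueDate": "2012-09-21 15:45:00", "cardPinChangeDate": "2012-09-21 15:45:00.000",
        "userYearOfBirth": 2005, "location": {"country": "IL"},
    },
    "eventDataList": [{"eventType": "WITHDRAW", "timeOfOccurrence": "2012-09-21 15:45:00.000",
                       "transactionData": {}}],
}

if __name__ == "__main__":
    for name, request in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, validate_atm_request(request) or "OK")
```

Running the validator locally is worthwhile because several of these elements are rejected by Axis before the request reaches the application, so the response carries no descriptive message for them; checking them on the client gives the operator a usable error instead.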
Overview
The Authentication Plug-In for OOB phone is part of the RSA Adaptive Authentication
(On Premise) product that uses OOB phone authentication. The Authentication Plug-In
Service Provider places the call to the customer for user account verification via a
one-time password. This credential type integrates into the Adaptive Authentication
Multi-Credential Framework (MCF), version 6.0.2 and above.
The primary use case is for the organization to send its online customer an automated
phone call through an Authentication Plug-In as an additional OOB credential. The
customer receives a call that asks them to key in a confirmation code over the phone. The
confirmation code is generated by Adaptive Authentication, sent to the Authentication
Plug-In Service Provider, and served to the organization's web page for the user to read
and enter when prompted by the phone call. The organization can also deactivate the
Authentication Plug-In feature as needed.
The overall OOB Authentication Plug-In workflow is as follows:
1. The organization performs data collection of users phone numbers for OOB
Authentication Plug-In use.
2. If additional authentication is required, it happens before the transaction is
complete. The user is prompted to select which telephone number (work, home,
cell) to be used in the OOB challenge.
3. There are the following enrollment scenarios:
a. User enrolls with phone information. There is no additional configuration
requirement for this scenario.
b. User enrolls without providing phone information. You need to configure the
c-config-mcf.xml file. Set phone_metadata clientManaged=true.
Note: For more information about Email and OOB phone data structures in the Web
Services requests, see Appendix C, Out-of-Band Phone and Email Credential.
The following important terms are used in this chapter:
Token ID - The user's one-time password, provided by the Authentication Plug-In for the
OOB phone challenge response.
One-time password (OTP) - Same as the Token ID. The OTP that the Authentication Plug-In
sends to the user for the OOB phone challenge response.
Your application - The organization's client application.
Billing Data
Each user challenge activity is logged at the infrastructural level (by the Multi-
Credential Framework) into the table BILLING_TRANSACTIONS. This table
includes the Authentication Plug-In to which the transaction was sent, and the status
returned by Authentication Plug-In.
Challenge-Response Process
This section describes the OOB Phone credential collection process: the Authentication
Plug-In Challenge-Response. The method calls are included in the diagram below.
Note: For more information on how to prepare SOAP request and response messages,
see Chapter 9, AdminService API Methods.
Overview
Web Services messaging is accomplished by sending SOAP request and response
messages from your client application to the Adaptive Authentication system. The
Web Services call consists of two messages: a request, and a response.
Authentication Plug-In uses synchronous Web Services messaging. For each Web
Services request that your application issues, the system awaits an immediate response
from the Adaptive Authentication system. For details about how to create a SOAP
request, see Chapter 9, AdminService API Methods.
Your organization's client application sends challenge requests to initiate the out-of-band
(OOB) phone challenge with the Adaptive Authentication system. Your application also sends
queryAuthStatus requests to Adaptive Authentication to get the status of the
authentication.
Your application receives the response message with the current status of the
authentication as follows:
If the phone authentication is complete, the response message indicates
SUCCESS or FAIL.
If the authentication is in-progress, the response message indicates PENDING for
the authentication status.
If there are system errors during the authentication process, the response message
indicates NULL status.
Response messages will contain the following status codes:
Call Status
Reason
Auth Status
Channel Status
For more details, see Channel Status Codes on page 276.
challengeRequest - Your application's challenge request message; it contains the user's
phone number.
statusCode - Status of the web services call (session) from Adaptive Authentication to the
Authentication Plug-In. Possible values are SUCCESS or FAIL.
Channel Status values:
CREATED - The OOB channel has been created, and notification is in progress.
EXPIRED - The OOB notification has exceeded its time limit for a user's response
(default = 10 minutes).
UNREACHABLE - The user is unreachable. Check the reasonCode for a more detailed description
of the user status.
If the Channel Status code is CREATED, your application searches for a status by
sending a queryAuthStatus request message to Adaptive Authentication.
If the Channel Status code is SYSTEM_ERROR, there is no query for status.
After sending the initial queryAuthStatus request message, if the Channel Status
code returned in the response is CREATED, subsequent queryAuthStatus requests
must be sent.
The challenge response messages contain several status codes:
authStatusCode - Result of the authentication process; available values are PENDING or NULL.
channelStatus - Status of the OOB channel; for a list of available values, see Channel Status
Codes on page 276.
Reason - Description for channel status codes.
statusCode - Status of the Web Services session; available values are SUCCESS, FAIL, or
ERROR.
Your application sends the user's phone number in a challenge request to Adaptive
Authentication. When the Authentication Plug-In calls the user's phone number, the
user answers and hangs up.
Your application receives the status codes in the queryAuthStatus response message
as follows:
authStatusCode - FAIL
channelStatus - Status.CHALLENGE_FAILED
Reason - Reason.HANGUP
statusCode - SUCCESS
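The Python below is an added example, not RSA's code, and covers the polling rules and the hang-up scenario described above from the client side. decide() reads one challenge or queryAuthStatus response and returns whether to send another queryAuthStatus (channel CREATED or auth status PENDING), to stop with a verdict, or to treat the call as a system error with nothing further to query (SYSTEM_ERROR, NULL, or a 500/510 statusHeader). The response envelopes are constructed for the example and the ns1 namespace URI is assumed from the analyze response sample; the parser matches elements by local name so the prefix does not matter. Treating EXPIRED and UNREACHABLE as terminal, and the bound on the number of polls, are design choices of this example, not behaviour the page specifies.

```python
# Added example (not RSA's code): client-side decision logic for the OOB phone challenge.
import xml.etree.ElementTree as ET

POLL, DONE, ERROR = "poll", "done", "error"
TERMINAL_CHANNEL = {"EXPIRED", "UNREACHABLE"}      # assumption: no further polling is useful

# Minimal envelope in the shape of the queryAuthStatus response sample above.
# Constructed for this example; the ns1 namespace URI is assumed.
RESPONSE_TEMPLATE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
    '<ns1:queryAuthStatusResponse xmlns:ns1="http://ws.csd.rsa.com"><ns1:queryAuthStatusReturn>'
    "<ns1:statusHeader><ns1:reasonCode>0</ns1:reasonCode><ns1:statusCode>%d</ns1:statusCode>"
    "</ns1:statusHeader><ns1:credentialAuthStatusResponse><ns1:oobPhoneAuthStatusResponse>"
    "<ns1:payload><ns1:authenticationResult><ns1:authStatusCode>%s</ns1:authStatusCode>"
    "</ns1:authenticationResult><ns1:callStatus><ns1:statusCode>%s</ns1:statusCode></ns1:callStatus>"
    "<ns1:channelStatus>%s</ns1:channelStatus><ns1:reason>%s</ns1:reason></ns1:payload>"
    "</ns1:oobPhoneAuthStatusResponse></ns1:credentialAuthStatusResponse></ns1:queryAuthStatusReturn>"
    "</ns1:queryAuthStatusResponse></soapenv:Body></soapenv:Envelope>"
)


def constructed_response(channel_status, reason="", auth_status="", header_code=200, call_status="SUCCESS"):
    return RESPONSE_TEMPLATE % (header_code, auth_status, call_status, channel_status, reason)


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _find_local(root, name):
    """First element whose local name matches, whatever prefix the server used."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def extract_status(envelope_xml):
    """Pull out the fields the polling logic needs: the statusHeader statusCode
    (200/300/500/510) and, from the OOB payload, channelStatus, reason, authStatusCode
    and the callStatus statusCode (SUCCESS/FAIL)."""
    root = ET.fromstring(envelope_xml)
    info = {"statusCode": None, "channelStatus": "", "reason": "", "authStatusCode": "", "callStatus": ""}
    header = _find_local(root, "statusHeader")
    if header is not None:
        info["statusCode"] = int(_find_local(header, "statusCode").text)
    payload = _find_local(root, "payload")
    if payload is not None:
        for el in payload.iter():
            if _local(el.tag) in ("channelStatus", "reason", "authStatusCode"):
                info[_local(el.tag)] = (el.text or "").strip()
        call = _find_local(payload, "callStatus")
        if call is not None:
            info["callStatus"] = (_find_local(call, "statusCode").text or "").strip()
    return info


def decide(info):
    """Map one response to (action, detail). POLL: send another queryAuthStatus.
    DONE: detail is the final authStatusCode or the terminal channel status.
    ERROR: stop; there is nothing to query (SYSTEM_ERROR, NULL, or a 5xx header)."""
    if info["statusCode"] is not None and info["statusCode"] >= 500:
        return ERROR, "statusHeader %d" % info["statusCode"]
    channel = info["channelStatus"].rsplit(".", 1)[-1]       # "Status.CREATED" -> "CREATED"
    if channel == "SYSTEM_ERROR" or info["authStatusCode"] == "NULL":
        return ERROR, channel or "NULL"
    if channel == "CREATED" or info["authStatusCode"] == "PENDING":
        return POLL, channel
    if info["authStatusCode"] in ("SUCCESS", "FAIL"):
        return DONE, info["authStatusCode"]
    if channel in TERMINAL_CHANNEL:
        return DONE, channel
    return ERROR, "unexpected state %r" % (info,)


def run_polling(responses, max_polls=60):
    """Feed the challenge response and then each queryAuthStatus response through
    decide(); returns (action, detail, index of the deciding response). max_polls bounds
    the loop so a channel that never leaves CREATED is not polled forever."""
    for n, envelope in enumerate(responses):
        action, detail = decide(extract_status(envelope))
        if action != POLL:
            return action, detail, n
        if n + 1 >= max_polls:
            return ERROR, "gave up after %d polls" % max_polls, n
    return ERROR, "ran out of responses", len(responses)


# The hang-up scenario from the text: two pending polls, then the failure.
HANGUP_SCENARIO = [
    constructed_response("Status.CREATED", auth_status="PENDING"),
    constructed_response("Status.CREATED", auth_status="PENDING"),
    constructed_response("Status.CHALLENGE_FAILED", reason="Reason.HANGUP", auth_status="FAIL"),
]

if __name__ == "__main__":
    print(run_polling(HANGUP_SCENARIO))
```

In a real client the list of responses is replaced by the actual challenge call followed by repeated queryAuthStatus calls, with a delay between polls; the decision table stays the same, and the poll bound should be set from the channel's EXPIRED window (10 minutes by default) so the client stops at about the time the server does.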
authStatusCode (String). The status code of the call. See AuthStatusCode Values for more
information.
AuthStatusCode Values
PENDING - The authentication of the credential is still pending. This value is commonly
returned for out-of-band credentials.
NULL - There is a system error due to an infrastructure failure. The user has neither passed
nor failed authentication.
statusHeader
The statusHeader structure is returned only by the generic response, and contains
information about the message status.
reasonCode (Integer). A more detailed explanation of the status being returned. For a
detailed list of the reason codes, see Out-of-Band Phone Reason Codes on page 280.
reasonDescription (String). An explanation of the Web Services call status. For a detailed
list of the reasonDescriptions, see Out-of-Band Phone Reason Codes on page 280.
statusCode Values
The statusCode indicates the overall status of the Web Services operation.
200 - The Web Services operation was completed successfully. This value refers to the
completion of an actual Web Services call and means that all Web Services features are
functioning correctly.
300 - A warning acknowledging the failure of at least one of the actions taken by an API
call. A single API call executes one or more actions, each independent of the others, so
even if one action fails the others can succeed. This warning tells the caller to check
for the one or more failed actions.
500 - A system error occurred. The operation failed. This error is most likely an Adaptive
Authentication error.
510 - A process error occurred. The operation failed. This error is usually data driven and
should be corrected by your application; it normally points to correcting the Web
Services request data.
CallStatus Structure
StatusCode Values
Values Description
StatusDescription Structure
Reason.INVALID_AREA_CODE - The area code included in the request message did not match the
area code within the Authentication Plug-In's database.
Reason.NO_AFFIRMATION - The call was picked up and a voice was detected, but no pound key
was entered.
Reason.NO_SOUND_DETECTED - The call was picked up, but no sound was detected even after
repeated prompts.
Reason.PHONE_BUSY - Repeated attempts were made to call the number, but the line was busy.
Reason.PHONE_MALFUNCTION - The call was picked up, but a phone malfunction, usually a faulty
keypad or a stuck key, caused the session to time out and be disconnected.
Reason.REACHED_MAX_RETRIES - The entry was either not understood, or did not match the
expected entry.
Reason.TOO_MANY_HELPS - The user pressed the help key (*) too many times for the same prompt.
Reason.UNASSIGNED_NUMBER - The call was placed, but the PSTN returned an "invalid number"
error.
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="ns1:AnalyzeResponse">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:groupName>
</ns1:groupName>
<ns1:orgName>CompleteFlowOrg</ns1:orgName>
<ns1:sessionId>56ff18:114b954dc7d:-7fbc</ns1:sessionId>
<ns1:transactionId>TRX_56ff18:114b954dc7d:-7fbb</ns1:transactionId>
<ns1:userName>OOBPhoneUser0831010153640</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2007-08-31T01:02:17.656Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed successfully
</ns1:reasonDescription>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
<ns1:riskResult>
<ns1:riskScore>3</ns1:riskScore>
<ns1:triggeredRule>
<ns1:actionCode>CHALLENGE</ns1:actionCode>
<ns1:actionName>AuthDevNotBound</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList />
<ns1:ruleId>AuthDevNotBound</ns1:ruleId>
<ns1:ruleName>AuthDevNotBound</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
Note: The tokenCollectionFlow element should be always set to True. The phone
broadcast flow is not currently supported.
The following options are available for specifying the phone number:
1. Enter the entire phone number in the phoneNumber field, including the country
code, area code, and phone number.
2. Enter the phone number segments separately using the countryCode, areaCode,
and phoneNumber fields.
Challenge Structure
The following structure contains the specific information for when an OOB challenge is sent
to a user.
OOBPhoneChallengeRequest payload
This structure contains the user's phone contact information. This request payload uses
the OOBInfoResponse payload as its response.
Note: For more information on OOB Credential Data Structures, see Appendix C,
Out-of-Band Phone and Email Credential.
<ws:areaCode>650</ws:areaCode>
<ws:countryCode>1</ws:countryCode>
<ws:phoneNumber>1234567</ws:phoneNumber>
</ws:phoneInfo>
<ws:tokenCollectionFlow>true</ws:tokenCollectionFlow>
</ws:payload>
</ws:oobPhoneChallengeRequest>
</ws:credentialChallengeRequestList>
</ws:request>
</ws:challenge>
</soapenv:Body>
</soapenv:Envelope>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:credentialAuthStatusRequest>
<ws:oobPhoneAuthStatusRequest>
<ws:payload>
<ws:token>740608</ws:token>
</ws:payload>
</ws:oobPhoneAuthStatusRequest>
</ws:credentialAuthStatusRequest>
</ws:request>
</ws:queryAuthStatus>
</soapenv:Body>
</soapenv:Envelope>
<ns1:groupName/>
<ns1:sessionId>a7b7ff:114ab24a736:-8000</ns1:sessionId>
<ns1:transactionId>TRX_a7b7ff:114ab24a736:-7fff</ns1:transactionId>
<ns1:userName>TxnTestUserXX01a3ef</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>QUERYAUTHSTATUS</ns1:requestType>
<ns1:timeStamp>2007-08-24T13:41:14.703Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
Query Authentication Status Response Sample (Part 2)
<ns1:credentialAuthStatusResponse>
<ns1:oobPhoneAuthStatusResponse>
<ns1:payload>
<ns1:authenticationResult>
<ns1:authStatusCode>FAIL</ns1:authStatusCode>
<ns1:risk>80</ns1:risk>
</ns1:authenticationResult>
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription/>
</ns1:callStatus>
<ns1:channelStatus>Status.CHALLENGE_FAILED</ns1:channelStatus>
<ns1:reason>Reason.HANGUP</ns1:reason>
<ns1:token>004592</ns1:token>
</ns1:payload>
</ns1:oobPhoneAuthStatusResponse>
</ns1:credentialAuthStatusResponse>
</ns1:queryAuthStatusReturn>
</ns1:queryAuthStatusResponse>
</soapenv:Body>
</soapenv:Envelope>
1. The user performs an event that requires authentication, such as sending an online payment.
2. Adaptive Authentication sends a challenge action to your application, requesting that your application challenge the user.
3. Your application prompts the user to choose, from a list of phone numbers displayed in the browser, the phone number to use for the OOB challenge phone call in this session.
4. Your application collects the user's phone number from the online session and sends a challenge request message with the phone number to Adaptive Authentication. For the complete message example, see OOBPhoneChallengeRequest payload on page 285.
<ws:oobPhoneChallengeRequest>
<ws:payload>
<ws:noOp>false</ws:noOp>
<ws:phoneInfo>
<ws:label>work</ws:label>
<ws:areaCode>650</ws:areaCode>
<ws:countryCode>1</ws:countryCode>
<ws:phoneNumber>1234567</ws:phoneNumber>
</ws:phoneInfo>
<ws:tokenCollectionFlow>true</ws:tokenCollectionFlow>
</ws:payload>
</ws:oobPhoneChallengeRequest>
5. Adaptive Authentication sends a challenge response message to your application
containing the Session ID, Transaction ID, and Token ID. For the complete
message example, see Adaptive Authentication Challenge Response Message
on page 286.
<!-- this is only an excerpt of an XML response message -->
<ns1:sessionId>1ab4292:1148edfd5a9:-8000</ns1:sessionId>
<ns1:transactionId>TRX_1ab4292:1148edfd5a9:-7fff</ns1:transactionId>
---------------------------------------------------------------
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription/>
</ns1:callStatus>
<ns1:channelStatus>Status.CREATED</ns1:channelStatus>
<ns1:reason>NONE</ns1:reason>
<ns1:token>740608</ns1:token>
6. Adaptive Authentication passes the user's phone number and token (OTP) to the Authentication Plug-In.
7. The Authentication Plug-In server calls the user and asks the user to enter the token on the telephone keypad.
8. Your application sends a queryAuthStatus request message containing the Session ID, Transaction ID, and optionally the Token ID to Adaptive Authentication to poll the status of the authentication.
9. Adaptive Authentication sends a response message to your application. If the authentication status is PENDING, your organization continues to send queryAuthStatus requests.
10. Based on the status codes returned by the Authentication Plug-In, Adaptive Authentication shows SUCCESS, FAIL, PENDING, or NULL.
The status code NULL means a system error or provider error has occurred. It does not specify whether the user passed or failed, since the infrastructure failed.
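The polling loop of steps 8 to 10, as an added example that is not RSA's code: it parses a queryAuthStatus response shaped like the Query Authentication Status sample above, stops on SUCCESS or FAIL, keeps polling on PENDING up to a cap, and treats NULL as an infrastructure error rather than a user verdict. The response XML is constructed for the example, and the URI for the ns1 prefix is an assumption (the rsa_csd namespace named on this page); matching is on local names, so the URI is not relied on.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Tuple

# Assumed URI for the ns1 prefix (the rsa_csd namespace named on this page);
# parsing matches on local names, so the URI itself is not relied on.
NS1 = "http://ws.csd.rsa.com"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed response in the shape of the Query Authentication Status sample.
RESPONSE_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="{soap}"><soapenv:Body>
<ns1:queryAuthStatusResponse xmlns:ns1="{ns1}"><ns1:queryAuthStatusReturn>
<ns1:statusHeader><ns1:reasonCode>{reason_code}</ns1:reasonCode>
<ns1:statusCode>{status_code}</ns1:statusCode></ns1:statusHeader>
<ns1:credentialAuthStatusResponse><ns1:oobPhoneAuthStatusResponse><ns1:payload>
<ns1:authenticationResult><ns1:authStatusCode>{auth}</ns1:authStatusCode>
<ns1:risk>{risk}</ns1:risk></ns1:authenticationResult>
<ns1:callStatus><ns1:statusCode>SUCCESS</ns1:statusCode></ns1:callStatus>
<ns1:channelStatus>{channel}</ns1:channelStatus><ns1:reason>{reason}</ns1:reason>
<ns1:token>{token}</ns1:token></ns1:payload></ns1:oobPhoneAuthStatusResponse>
</ns1:credentialAuthStatusResponse></ns1:queryAuthStatusReturn>
</ns1:queryAuthStatusResponse></soapenv:Body></soapenv:Envelope>"""


def make_response(auth, channel, reason, token="740608", risk="0",
                  status_code="200", reason_code="0"):
    """Build one constructed queryAuthStatus response document."""
    return RESPONSE_TEMPLATE.format(soap=SOAPENV, ns1=NS1, auth=auth,
                                    channel=channel, reason=reason, token=token,
                                    risk=risk, status_code=status_code,
                                    reason_code=reason_code)


@dataclass(frozen=True)
class OobPhoneStatus:
    auth_status: str     # authStatusCode: SUCCESS, FAIL, PENDING or NULL
    channel_status: str  # e.g. Status.CREATED, Status.CHALLENGE_FAILED
    reason: str          # e.g. NONE, Reason.HANGUP
    token: str
    risk: int


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _child(elem: ET.Element, name: str) -> ET.Element:
    """First direct child with the given local name, regardless of prefix."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    raise ValueError(f"missing element {name} under {_local(elem.tag)}")


def _text(elem: ET.Element, name: str) -> str:
    return (_child(elem, name).text or "").strip()


def parse_oob_phone_status(xml_text: str) -> OobPhoneStatus:
    root = ET.fromstring(xml_text)
    ret = next(e for e in root.iter() if _local(e.tag) == "queryAuthStatusReturn")
    hdr = _child(ret, "statusHeader")
    # Only trust the payload when the message itself succeeded (200 / 0 in the sample).
    if _text(hdr, "statusCode") != "200" or _text(hdr, "reasonCode") != "0":
        raise ValueError("queryAuthStatus failed: status " + _text(hdr, "statusCode"))
    payload = _child(_child(_child(ret, "credentialAuthStatusResponse"),
                            "oobPhoneAuthStatusResponse"), "payload")
    result = _child(payload, "authenticationResult")
    return OobPhoneStatus(auth_status=_text(result, "authStatusCode"),
                          channel_status=_text(payload, "channelStatus"),
                          reason=_text(payload, "reason"),
                          token=_text(payload, "token"),
                          risk=int(_text(result, "risk")))


def decide(status: OobPhoneStatus, polls: int, max_polls: int) -> str:
    """Map one status to APPROVE, DENY, POLL or ERROR. NULL is a system or
    provider error, not a user verdict, so it becomes ERROR rather than DENY."""
    code = status.auth_status
    if code == "SUCCESS":
        return "APPROVE"
    if code == "FAIL":
        return "DENY"
    if code == "PENDING":
        # Give up once the notification would have EXPIRED (default 10 minutes).
        return "POLL" if polls < max_polls else "ERROR"
    return "ERROR"


def poll_until_final(fetch: Callable[[], str],
                     max_polls: int = 60) -> Tuple[str, OobPhoneStatus, int]:
    """fetch() sends one queryAuthStatus request (step 8) and returns the XML.
    Returns (decision, last status, number of polls made)."""
    polls = 0
    while True:
        status = parse_oob_phone_status(fetch())
        polls += 1
        decision = decide(status, polls, max_polls)
        if decision != "POLL":
            return decision, status, polls


if __name__ == "__main__":
    # Constructed sequence: two PENDING polls, then the user hung up (FAIL).
    replies = iter([make_response("PENDING", "Status.CREATED", "NONE"),
                    make_response("PENDING", "Status.TRANSMITTED", "NONE"),
                    make_response("FAIL", "Status.CHALLENGE_FAILED",
                                  "Reason.HANGUP", risk="80")])
    print(poll_until_final(lambda: next(replies)))
```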
Adaptive Authentication Method | Request/Response | Data Structure | Extends the Structure
Activity Structures: Informs the Adaptive Authentication Web Services what actions to take with the request message that you send to it. It includes:
ActionType Structure
OOBActionType Values
For more information, see Activity Structures on page 295.
User Information Structures: Provide the user's actual OOB contact information, such as a list of email addresses or phone numbers. It includes:
OOBContactInfoObject structure
PhoneInfo Structure
For more information, see User Information Structures on page 297.
Challenge Structures: Provides the specific information for when a user is challenged. For example, the specific phone number to call the user for a challenge. It includes:
OOBPhoneChallengeRequest payload
For more information, see Challenge Structures on page 298.
Authentication Structures: Provides the results of the actual OOB authentication. Did the user successfully pass the OOB challenge? What is the state of the OOB Web Services call? It includes:
OOBInfoRequest payload structure
OOBInfoResponse payload structure
For more information, see Authentication Structures on page 299.
OOB Management Structures: Allows you to manage a user's OOB information, such as updating, deleting, or adding contact information. It includes:
OOBManagementRequest payload
OOBManagementResponse payload
For more information, see OOB Management Structures on page 296.
Activity Structures
These activity structures inform the RSA Adaptive Authentication (On-Premise) Web Services of the necessary actions to take with the information being sent.
ActionType Structure
This structure extends the ActionTypeList, as described in ActionTypeList on page 107.
oobActionType | The specific OOB action that the system should take. | OOBActionType[ ]
OOBActionType Values
The following values determine what action should be taken with the OOB Credential
Type.
Action Description
OOBManagementRequest payload
This structure extends the structure PhoneManagementRequest payload.
PhoneManagementRequest payload
OOBManagementResponse payload
This structure provides the parent class to the structure PhoneManagementResponse
payload.
PhoneManagementResponse payload
OOBContactInfoObject structure
This object provides the parent class of the structure PhoneInfo.
Data Element | Description | Max Length | Data Type | Required
lastModified | The date that the user's contact information was last modified. | NA | String | N
PhoneInfo Structure
This structure extends the OOBContactInfo object.
Data Element | Description | Max Length | Data Type | Required
Challenge Structures
The following structures contain the specific information for when an OOB challenge is sent to a user.
OOBPhoneChallengeRequest payload
This structure contains information regarding the user's phone contact information. This request payload uses the OOBInfoResponse payload as its response.
Authentication Structures
The following structures request information regarding the actual authentication of a user's OOB challenge.
Data Element | Description | Max Length | Data Type | Required
reason | The reason for any channel status errors. See reason values on page 300. | | String | Y
channelStatus values
Values | Description
CREATED | The OOB channel has been created, and notification is in progress.
VERIFIED | The OOB mechanism has verified that the transaction is correct.
TRANSMITTED | The OOB mechanism has verified that the transaction has been transmitted to the user.
UNREACHABLE | The user was unreachable. Read the reasonCode (see reason values on page 300) for a more detailed description of why the user was unreachable.
CANCELLED | The OOB notification has been removed from the queue.
EXPIRED | The OOB notification has exceeded its time limit for a user's response (default = 10 minutes).
reason values
The following values provide more information as to why the customer was unreachable.
Values | Description
NOT_SPEAKING_CLEARLY | The customer did not speak clearly enough for the telephony service provider to understand.
OTP Management Structures: Allows you to manage a user's OTP information, such as updating, deleting, or adding contact information. It includes:
OTPManagementRequestPayload
OTPManagementResponsePayload
For more information, see OTP Management Structures on page 305.
Challenge Structures: Provides the specific information for when a user is challenged. It includes:
OTPChallengeRequestPayload
OTPChallengeResponsePayload
For more information, see Challenge Structures on page 307.
Authentication Structures: Provides the results of the actual OTP authentication. Did the user successfully pass the OTP challenge? What is the state of the OTP Adaptive Authentication call? It includes:
OTPAuthenticationRequestPayload
OTPAuthenticationResponsePayload
For more information, see Authentication Structures on page 308.
Query Structures: Allows you to retrieve information according to specific selection criteria. It includes:
OTPAuthStatusRequestPayload
OTPAuthStatusResponsePayload
For more information, see Query Structures on page 310.
Management Request
OTPManagementRequestPayload
Management Response
OTPManagementResponsePayload
The otpManagementResponse is derived from acspManagementResponse. It is an
actual management payload for OTP and does not contain any data elements.
Challenge Structures
Challenge Request
The following structures contain the specific information for when an OTP challenge
is sent to a user.
OTPChallengeRequestPayload
otpChallengeRequest derives from acspChallengeRequest. It is an actual challenge
payload for OTP. It does not contain any elements. It exists to allow the system to
recognize whether there is an OTP challenge flow.
Challenge Response
OTPChallengeResponsePayload
otpChallengeResponse derives from acspChallengeResponse. It is an actual challenge
payload for OTP and contains the following field.
Authentication Structures
Authentication Request
The following structures request information regarding the actual authentication of a user's OTP challenge.
OTPAuthenticationRequestPayload
The otpAuthenticationRequest is derived from acspAuthenticationRequest. It is an
actual authentication payload for OTP and contains the following field.
Data Element | Description | Data Type | Required
Authentication Response
OTPAuthenticationResponsePayload
The otpAuthenticationResponse is derived from acspAuthenticationResponse. It is an
actual authentication payload for OTP and does not contain any elements.
Query Structures
QueryAuthStatus Request
OTPAuthStatusRequestPayload
The otpAuthStatusRequest is derived from acspAuthStatusRequest. It is an actual
queryAuthStatus payload for OTP. It does not contain any fields. It exists to allow the
system to recognize whether there is an OTP queryAuthStatus flow.
QueryAuthStatus Response
OTPAuthStatusResponsePayload
otpAuthStatusResponse derives from acspAuthStatusResponse. It is an actual
queryAuthStatus payload for OTP and does not contain any elements.
Management Structures: Allows you to manage a user's KBA enrollment data, including adding, updating, or deleting the data. It includes:
KBAManagementRequest Payload
KBAManagementResponse Payload
For more information, see Management Structures on page 315.
Challenge Structures: Provides the specific information for when a user is challenged. It includes:
KBAChallengeRequest Payload
KBAChallengeResponse Payload
For more information, see Challenge Structures on page 318.
Authentication Structures: Provides the results of the actual KBA authentication. Did the user successfully pass the challenge? What is the state of the Web Services call? It includes:
KBAAuthenticationRequest Payload
KBAAuthenticationResponse Payload
For more information, see Authentication Structures on page 320.
Management Structures
The KBA management structures allow you to query, update, and add user contact information to the user's phone contact information.
Management Request
KBAManagementRequest Payload
action Values
The following table lists the kind of actions you can perform in the
KBAManagementRequest.
Action Description
personInfo Values
The following table lists the contact information for the user.
ssnInfo | Defines the Social Security information for the user. See ssnInfo Values on page 316.
ssnInfo Values
The following table lists the fields available when entering the user's Social Security information, and their descriptions.
NameInfo Values
The following table lists the fields available when entering the user's name, and their descriptions.
addressInfo Values
The following table lists the fields available when entering the user's address, and their descriptions.
postCode | The 5-digit code for the neighborhood in which the user lives.
birthdayInfo Values
The following table lists the fields available when entering the user's date of birth, and their descriptions.
Management Response
KBAManagementResponse Payload
KBAManagementResponse derives from acspManagementResponse. It is an actual
management payload for KBA and does not contain any data elements.
Challenge Structures
Challenge Request
The following structures contain the specific information for when a KBA challenge is
sent to a user.
KBAChallengeRequest Payload
The KBAChallengeRequest is derived from acspChallengeRequest. It is an actual
challenge payload for KBA. It contains the following element.
Challenge Response
KBAChallengeResponse Payload
KBAChallengeResponse derives from acspChallengeResponse. It is an actual
challenge payload for KBA and contains the following field.
question Values
The following table lists the information required for the question element.
choices | The possible answers from which the user can choose.
choice Values
The following table lists the fields for the choice element.
Authentication Structures
Authentication Request
The following structures request information regarding the actual authentication of a user's KBA challenge.
KBAAuthenticationRequest Payload
KBAAuthenticationRequest derives from acspAuthenticationRequest. It is an actual
authentication payload for KBA and contains the following field.
answer Values
The following table lists the information required for the question element.
Authentication Response
KBAAuthenticationResponse Payload
kbaAuthenticationResponse derives from acspAuthenticationResponse. It is an actual
authentication payload for KBA and contains the following elements:
Management Structures: Allows you to manage a user's contact data for use in OOB SMS authentication. You can add, delete, update, and get the contact data. It includes:
OOBManagementRequestPayload
For more information, see Management Structures on page 324.
Management Structures
The OOB SMS management structures allow you to query, update, and add user contact information to the user's phone information.
Management Request
OOBManagementRequestPayload
action Values
The following table lists the kind of actions you can perform in the
OOBManagementRequest.
Action Description
OOBPhoneInfo Values
The following table lists the information available for each phone number in a contact list.
Action Description
Adaptive Authentication Method | Request/Response | Data Structure | Implements the Structure
Response | ChallengeQuestionAuthResultPayload
Activity Structures: Informs the AdaptiveAuth Web Services what actions to take with the request message that you send to it. It includes:
ChallengeQuestionActionTypeList structure
ChallengeQuestionActionType structure
For more information, see Activity Structures on page 329.
Authentication Structures: Provides the results of the comparison of the user's answer and the answer from the database. It includes:
ChallengeQuestionMatchResult payload
ChallengeQuestionAuthResults payload
For more information, see Authentication Structures on page 332.
Challenge Structures: Allows you to retrieve challenge questions to present to the user.
ChallengeQuestionChallengeRequest payload
ChallengeQuestionChallenge payload
For more information, see Challenge Structures on page 333.
Question Management Structures: Allows you to manage a user's challenge information, such as updating, deleting, or adding questions/answers. It includes:
ChallengeQuestionData payload
ChallengeQuestionManagementRequest payload
ChallengeQuestionManagementResponse payload
For more information, see Question Management Structures on page 334.
Activity Structures
ChallengeQuestionActionTypeList structure
This structure defines the specific action to be taken with the challenge questions. The structure may contain no more than one value. Multiple actions are not supported within the same payload.
actionTypeList | Parent class of structure. The generic action being taken by the system. See ActionTypeList on page 107. | ActionTypeList[ ]
challengeQuestionActionType | The specific action to be taken for the user's challenge questions. See ChallengeQuestionActionTypeList structure below for a list of those values. | ChallengeQuestionActionType
ChallengeQuestionActionType structure
The following values are types of management actions. The purpose of these actions is
to maintain each Challenge Question credential:
Action Description
ADD_USER_QUESTION | Adds a new question, selected by the user, to the user's profile.
BROWSE_QUESTION | Allows the user to browse through all the existing questions.
SET_USER_QUESTION | Replaces the user's existing questions and answers with newly revised questions and answers selected by the user.
ChallengeQuestionList structure
ChallengeQuestionIdList structure
questionId | The identification numbers for a list of challenge questions. Each question has a specific identification number associated with it. If your institution stores the user's answers and provides a value in actualAnswerOnFile, you need to set this value to Q0.0. | String[ ]
ChallengeQuestionConfig structure
This structure defines the configuration data for the challenge questions.
ChallengeQuestion Structure
This structure defines the specific details about the user's chosen challenge questions and the answers they have provided.
actualAnswer | The user's answer to their chosen challenge questions, which is stored in the Core Database. | String
questionID | The identification number of the question that the user has chosen. If your organization stores the user's answers and provides a value in actualAnswerOnFile, you need to set this value to Q0.0. | String
ChallengeQuestionGroupList structure
ChallengeQuestionGroup structures
Each challenge question belongs to a group. This structure details the group
information for a challenge question.
groupName | The name of the group to which the question belongs. | String
Authentication Structures
The following structures deal with the authentication results of the challenge
questions.
ChallengeQuestionMatchResult payload
This structure returns the results of the challenge question authentication.
failCount | The number of times that the user tried and failed authentication. | Integer
matchCount | The number of challenge questions that the user successfully answered. | Integer
ChallengeQuestionAuthResults payload
This structure returns the results of the challenge question authentication.
Challenge Structures
ChallengeQuestionChallengeRequest payload
This payload returns the result of the challenge questions.
ChallengeQuestionChallenge payload
This response message payload structure returns the results of the challenge question
authentication.
ChallengeQuestionData payload
If your application requests the user's chosen challenge question, this payload returns it.
ChallengeQuestionManagementRequest payload
This payload is used to perform management actions on the user's challenge questions.
ChallengeQuestionManagementResponse payload
This payload is used to return the results of the request made in
ChallengeQuestionManagementRequest.
WSDL/XSD Additions
The main AdaptiveAuthentication.wsdl includes a reference to ACSP.xsd
containing all the generic payload definitions for each business request. You need to
define your own specific xsd containing the actual implementation definitions. All the
specific xsds should be listed in ACSPImports.xsd.
AdaptiveAuthentication.wsdl:
<xsd:include schemaLocation="ACSP.xsd"/>
<xsd:include schemaLocation="ACSPImports.xsd"/>
Sample.xsd:
<xsd:import
namespace="http://ws.csd.rsa.com"
schemaLocation="ACSP.xsd"/>
ACSPImports.xsd:
<xsd:import
namespace="http://ws.sample.org"
schemaLocation="SampleAcsp.xsd"/>
<complexType name="CredentialDataList">
<complexContent>
<extension base="rsa_csd:CredentialRequestList">
<xsd:annotation>
<xsd:documentation>This is a list of any credentials that the user
has presented as a part of this transaction</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionData" minOccurs="0"
type="rsa_csd:ChallengeQuestionData" />
<element name="oobEmailData" minOccurs="0"
type="rsa_csd:OobEmailData" />
<element name="oobPhoneData" minOccurs="0"
type="rsa_csd:OobPhoneData" />
<element name="acspAuthenticationRequestData" minOccurs="0"
type="rsa_csd:AcspAuthenticationRequestData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
<xsd:complexType name="AcspAuthenticationRequestData">
<xsd:annotation>
<xsd:documentation>This type defines the Credential Data Payload</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="payload" minOccurs="0"
type="rsa_csd:AcspAuthenticationRequest" />
</xsd:sequence>
</xsd:complexType>
Generic Section (ACSP.xsd):
<xsd:complexType name="AcspAuthenticationRequest" abstract="true">
<xsd:annotation>
<xsd:documentation>This type defines Interface for Authentication Request</xsd:documentation>
</xsd:annotation>
</xsd:complexType>
Customized section (Sample.xsd):
<xsd:complexType name="SampleAcspAuthenticationRequest">
<xsd:complexContent>
<xsd:extension base="rsa_csd:AcspAuthenticationRequest">
<xsd:annotation>
<xsd:documentation>This type defines the Specific Authentication Request</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="sampleOtp" minOccurs="0" type="xsd:string" />
<xsd:element name="field1" minOccurs="0" type="xsd:string" />
<xsd:element name="field2" minOccurs="0" type="xsd:string" />
<xsd:element name="field3" minOccurs="0" type="xsd:string" />
<xsd:element name="field4" minOccurs="0" type="xsd:string" />
<xsd:element name="field5" minOccurs="0" type="xsd:double" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
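As an added example that is not part of the RSA files, a small lint for the schema layout described above: it parses constructed, cut-down copies of ACSP.xsd, ACSPImports.xsd and Sample.xsd and checks that every customized type extends an abstract ACSP type and that the customized schema's namespace is imported by ACSPImports.xsd. The namespace http://ws.sample.org and file name SampleAcsp.xsd are taken from this page; the schema contents, including the deliberately wrong BadType, are constructed.

```python
import io
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

XSD = "http://www.w3.org/2001/XMLSchema"
RSA_NS = "http://ws.csd.rsa.com"    # rsa_csd prefix on this page
SAMPLE_NS = "http://ws.sample.org"  # sample prefix on this page

# Constructed, cut-down copies of the three schema files described above.
ACSP_XSD = f"""<xsd:schema xmlns:xsd="{XSD}" targetNamespace="{RSA_NS}">
  <xsd:complexType name="AcspAuthenticationRequest" abstract="true"/>
  <xsd:complexType name="AcspChallengeResponse" abstract="true"/>
  <xsd:complexType name="CallStatus"/>
</xsd:schema>"""

ACSP_IMPORTS_XSD = f"""<xsd:schema xmlns:xsd="{XSD}" targetNamespace="{RSA_NS}">
  <xsd:import namespace="{SAMPLE_NS}" schemaLocation="SampleAcsp.xsd"/>
</xsd:schema>"""

SAMPLE_XSD = f"""<xsd:schema xmlns:xsd="{XSD}" xmlns:rsa_csd="{RSA_NS}"
    targetNamespace="{SAMPLE_NS}">
  <xsd:import namespace="{RSA_NS}" schemaLocation="ACSP.xsd"/>
  <xsd:complexType name="SampleAcspAuthenticationRequest">
    <xsd:complexContent>
      <xsd:extension base="rsa_csd:AcspAuthenticationRequest">
        <xsd:sequence>
          <xsd:element name="sampleOtp" minOccurs="0" type="xsd:string"/>
        </xsd:sequence>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>
  <xsd:complexType name="BadType">
    <xsd:complexContent>
      <xsd:extension base="rsa_csd:CallStatus"/>
    </xsd:complexContent>
  </xsd:complexType>
</xsd:schema>"""


def _q(local: str) -> str:
    """Clark-notation name for an XML Schema element."""
    return f"{{{XSD}}}{local}"


def _prefix_map(schema_text: str) -> Dict[str, str]:
    """Namespace prefixes declared in the schema (ElementTree drops them otherwise)."""
    return {prefix: uri for _, (prefix, uri) in ET.iterparse(
        io.BytesIO(schema_text.encode()), events=("start-ns",))}


def abstract_types(schema_text: str) -> Set[str]:
    """Names of the complexTypes declared abstract="true" in a schema."""
    root = ET.fromstring(schema_text)
    return {ct.get("name") for ct in root.iter(_q("complexType"))
            if ct.get("abstract") == "true"}


def extension_bases(schema_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each complexType name to the (namespace URI, local name) it extends."""
    prefixes = _prefix_map(schema_text)
    bases = {}
    for ct in ET.fromstring(schema_text).iter(_q("complexType")):
        ext = ct.find(f"{_q('complexContent')}/{_q('extension')}")
        if ext is not None:
            prefix, _, local = ext.get("base", "").rpartition(":")
            bases[ct.get("name")] = (prefixes.get(prefix, ""), local)
    return bases


def lint_custom_schema(acsp_text: str, imports_text: str,
                       custom_text: str) -> List[str]:
    """Return the problems found (an empty list means the layout is consistent)."""
    problems = []
    abstract = abstract_types(acsp_text)
    for name, (base_ns, base_local) in extension_bases(custom_text).items():
        if base_ns != RSA_NS or base_local not in abstract:
            problems.append(f"{name} extends {base_local}, which is not an "
                            "abstract ACSP type")
    custom_ns = ET.fromstring(custom_text).get("targetNamespace")
    imported = {imp.get("namespace")
                for imp in ET.fromstring(imports_text).iter(_q("import"))}
    if custom_ns not in imported:
        problems.append(f"ACSPImports.xsd does not import {custom_ns}")
    return problems


if __name__ == "__main__":
    for problem in lint_custom_schema(ACSP_XSD, ACSP_IMPORTS_XSD, SAMPLE_XSD):
        print("schema lint:", problem)
```

Because the wrapper's payload element is declared with the abstract base type, an instance document must name the concrete type with xsi:type (for example xsi:type="sample:SampleAcspAuthenticationRequest"); the lint checks schema files only, not instance documents.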
<complexType name="CredentialAuthResultList">
<complexContent>
<extension base="rsa_csd:CredentialResponseList">
<xsd:annotation>
<xsd:documentation>This is a list of the authorization results for
each credential</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionAuthResult" minOccurs="0"
type="rsa_csd:ChallengeQuestionAuthResult" />
<element name="oobEmailAuthResult" minOccurs="0"
type="rsa_csd:OobEmailAuthResult" />
<element name="oobPhoneAuthResult" minOccurs="0"
type="rsa_csd:OobPhoneAuthResult" />
<element name="acspAuthenticationResponseData" minOccurs="0"
type="rsa_csd:AcspAuthenticationResponseData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
Customized Section (Sample.xsd):
<xsd:complexType name="SampleAcspAuthenticationResponse">
<xsd:complexContent>
<xsd:extension
base="rsa_csd:AcspAuthenticationResponse">
<xsd:annotation>
<xsd:documentation>This type defines the Specific Authentication Response</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="field1" minOccurs="0"
type="xsd:string" />
<xsd:element name="field2" minOccurs="0"
type="xsd:string" />
<xsd:element name="field3" minOccurs="0"
type="xsd:string" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<complexType name="CredentialManagementRequestList">
<complexContent>
<extension base="rsa_csd:CredentialRequestList">
<xsd:annotation>
<xsd:documentation>This defines the Credential Management Request
List</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionManagementRequest" minOccurs="0"
type="rsa_csd:ChallengeQuestionManagementRequest" />
<element name="oobEmailManagementRequest"
minOccurs="0" type="rsa_csd:OobEmailManagementRequest" />
<element name="oobPhoneManagementRequest" minOccurs="0"
type="rsa_csd:OobPhoneManagementRequest" />
<element name="acspManagementRequestData" minOccurs="0"
type="rsa_csd:AcspManagementRequestData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
<xsd:complexType name="AcspManagementRequestData">
<xsd:annotation>
<xsd:documentation>This type defines the Credential Management Request
Payload</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="credentialProvisioningStatus" minOccurs="0"
type="rsa_csd:CredentialProvisioningStatus" />
<xsd:element name="payload" minOccurs="0"
type="rsa_csd:AcspManagementRequest" />
</xsd:sequence>
</xsd:complexType>
Generic section (ACSP.xsd):
<xsd:complexType name="AcspManagementRequest" abstract="true">
<xsd:annotation>
<xsd:documentation>This type defines Interface for Management Request</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="opcode" minOccurs="0" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
Customized section (Sample.xsd):
<xsd:complexType name="SampleAcspManagementRequest">
<xsd:complexContent>
<xsd:extension base="rsa_csd:AcspManagementRequest">
<xsd:annotation>
<xsd:documentation>This type defines the Specific Management
Request</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="sampleIntEnum" minOccurs="0"
type="sample:SampleIntEnum" />
<xsd:element name="sampleStringEnum" minOccurs="0"
type="sample:SampleStringEnum" />
<xsd:element name="field1" minOccurs="0" type="xsd:string" />
<xsd:element name="field2" minOccurs="0" type="xsd:string" />
<xsd:element name="field3" minOccurs="0" type="xsd:string" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<complexType name="CredentialManagementResponseList">
<complexContent>
<extension base="rsa_csd:CredentialResponseList">
<xsd:annotation>
<xsd:documentation>This defines the Credential Management Response
List</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionManagementResponse" minOccurs="0"
type="rsa_csd:ChallengeQuestionManagementResponse" />
<element name="oobEmailManagementResponse" minOccurs="0"
type="rsa_csd:OobEmailManagementResponse" />
<element name="oobPhoneManagementResponse"
minOccurs="0" type="rsa_csd:OobPhoneManagementResponse" />
<element name="acspManagementResponseData" minOccurs="0"
type="rsa_csd:AcspManagementResponseData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
<xsd:complexType name="AcspManagementResponseData">
<xsd:annotation>
<xsd:documentation>This type defines the Credential Management Response
Payload</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="acspAccountId" minOccurs="0" type="xsd:string"/>
<xsd:element name="callStatus" minOccurs="0" type="rsa_csd:CallStatus"/>
<xsd:element name="payload" minOccurs="0"
type="rsa_csd:AcspManagementResponse" />
</xsd:sequence>
</xsd:complexType>
Generic Section (ACSP.xsd):
<xsd:complexType name="AcspManagementResponse" abstract="true">
<xsd:annotation>
<xsd:documentation>This type defines Interface for Management Response</xsd:documentation>
</xsd:annotation>
</xsd:complexType>
Customized Section (Sample.xsd):
<xsd:complexType name="SampleAcspManagementResponse">
<xsd:complexContent>
<xsd:extension base="rsa_csd:AcspManagementResponse">
<xsd:annotation>
<xsd:documentation>This type defines the Specific Management
Response</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="sampleIntEnum" minOccurs="0"
type="sample:SampleIntEnum" />
<xsd:element name="sampleStringEnum" minOccurs="0"
type="sample:SampleStringEnum" />
<xsd:element name="field1" minOccurs="0" type="xsd:string" />
<xsd:element name="field2" minOccurs="0" type="xsd:string" />
<xsd:element name="field3" minOccurs="0" type="xsd:string" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
Challenge Request
Credential data list contains an object acspChallengeRequestData, which is a wrapper
for the customized Authentication Plug-In payload.
<complexType name="CredentialChallengeRequestList">
<complexContent>
<extension base="rsa_csd:CredentialRequestList">
<xsd:annotation>
<xsd:documentation>This list returns a user's challenge material
from the RSA System</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionChallengeRequest" minOccurs="0"
type="rsa_csd:ChallengeQuestionChallengeRequest" />
<element name="oobEmailChallengeRequest" minOccurs="0"
type="rsa_csd:OobEmailChallengeRequest" />
<element name="oobPhoneChallengeRequest" minOccurs="0"
type="rsa_csd:OobPhoneChallengeRequest" />
<element name="acspChallengeRequestData" minOccurs="0"
type="rsa_csd:AcspChallengeRequestData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
<xsd:complexType name="AcspChallengeRequestData">
<xsd:annotation>
<xsd:documentation>This type defines the Credential Challenge Request
Payload</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="payload" minOccurs="0"
type="rsa_csd:AcspChallengeRequest" />
</xsd:sequence>
</xsd:complexType>
Generic Section (ACSP.xsd):
<xsd:complexType name="AcspChallengeRequest" abstract="true">
<xsd:annotation>
<xsd:documentation>This type defines Interface for Challenge Request</xsd:documentation>
</xsd:annotation>
</xsd:complexType>
Customized Section (Sample.xsd):
<xsd:complexType name="SampleAcspChallengeRequest">
<xsd:complexContent>
<xsd:extension base="rsa_csd:AcspChallengeRequest">
<xsd:annotation>
<xsd:documentation>This type defines the Specific Challenge
Request</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="field1" minOccurs="0" type="xsd:string" />
<xsd:element name="field2" minOccurs="0" type="xsd:string" />
<xsd:element name="field3" minOccurs="0" type="xsd:string" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
Challenge Response
Credential data list contains an object acspChallengeResponseData, which is a
wrapper for the customized Authentication Plug-In payload.
<complexType name="CredentialChallengeList">
<complexContent>
<extension base="rsa_csd:CredentialResponseList">
<xsd:annotation>
<xsd:documentation>This returns the challenge material to be
presented to the user</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionChallenge" minOccurs="0"
type="rsa_csd:ChallengeQuestionChallenge" />
<element name="oobEmailChallenge" minOccurs="0"
type="rsa_csd:OobEmailChallenge" />
<element name="oobPhoneChallenge" minOccurs="0"
type="rsa_csd:OobPhoneChallenge" />
<element name="acspChallengeResponseData" minOccurs="0"
type="rsa_csd:AcspChallengeResponseData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
<xsd:complexType name="AcspChallengeResponseData">
<xsd:annotation>
<xsd:documentation>This type defines the Credential Challenge Payload</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="acspAccountId" minOccurs="0" type="xsd:string"/>
<xsd:element name="callStatus" minOccurs="0" type="rsa_csd:CallStatus"/>
<xsd:element name="payload" minOccurs="0"
type="rsa_csd:AcspChallengeResponse" />
</xsd:sequence>
</xsd:complexType>
Generic Section (ACSP.xsd):
<xsd:complexType name="AcspChallengeResponse" abstract="true">
<xsd:annotation>
<xsd:documentation>This type defines Interface for Challenge Response</xsd:documentation>
</xsd:annotation>
</xsd:complexType>
Customized Section (Sample.xsd):
<xsd:complexType name="SampleAcspChallengeResponse">
<xsd:complexContent>
<xsd:extension base="rsa_csd:AcspChallengeResponse">
<xsd:annotation>
<xsd:documentation>This type defines the Specific Challenge
Response</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="sampleOtp" minOccurs="0" type="xsd:string" />
<xsd:element name="field1" minOccurs="0" type="xsd:string" />
<xsd:element name="field2" minOccurs="0" type="xsd:string" />
<xsd:element name="field3" minOccurs="0" type="xsd:string" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<complexType name="CredentialAuthStatusRequest">
<complexContent>
<extension base="rsa_csd:CredentialRequestList">
<xsd:annotation>
<xsd:documentation>A request to view the status of an asynchronous
credential</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionAuthStatusRequest" minOccurs="0"
type="rsa_csd:ChallengeQuestionAuthStatusRequest" />
<element name="oobEmailAuthStatusRequest" minOccurs="0"
type="rsa_csd:OobEmailAuthStatusRequest" />
<element name="oobPhoneAuthStatusRequest" minOccurs="0"
type="rsa_csd:OobPhoneAuthStatusRequest" />
<element name="acspAuthStatusRequestData" minOccurs="0"
type="rsa_csd:AcspAuthStatusRequestData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
Generic Section (ACSP.xsd):
<xsd:complexType name="AcspAuthStatusRequest" abstract="true">
<xsd:annotation>
<xsd:documentation>This type defines Interface for AuthStatus Request</xsd:documentation>
</xsd:annotation>
</xsd:complexType>
Customized Section (Sample.xsd):
<xsd:complexType name="SampleAcspAuthStatusRequest">
<xsd:complexContent>
<xsd:extension base="rsa_csd:AcspAuthStatusRequest">
<xsd:annotation>
<xsd:documentation>This type defines the Specific AuthStatus Request</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="sampleOtp" minOccurs="0" type="xsd:string" />
<xsd:element name="field1" minOccurs="0" type="xsd:string" />
<xsd:element name="field2" minOccurs="0" type="xsd:string" />
<xsd:element name="field3" minOccurs="0" type="xsd:string" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<complexType name="CredentialAuthStatusResponse">
<complexContent>
<extension base="rsa_csd:CredentialResponseList">
<xsd:annotation>
<xsd:documentation>The result of a user's asynchronous credential</xsd:documentation>
</xsd:annotation>
<sequence>
<element name="challengeQuestionAuthStatusResponse" minOccurs="0"
type="rsa_csd:ChallengeQuestionAuthStatusResponse" />
<element name="oobEmailAuthStatusResponse" minOccurs="0"
type="rsa_csd:OobEmailAuthStatusResponse" />
<element name="oobPhoneAuthStatusResponse" minOccurs="0"
type="rsa_csd:OobPhoneAuthStatusResponse" />
<element name="acspAuthStatusResponseData" minOccurs="0"
type="rsa_csd:AcspAuthStatusResponseData" />
</sequence>
</extension>
</complexContent>
</complexType>
This wrapper contains a generic payload. You should derive from this payload to
implement a specific one.
<xsd:complexType name="AcspAuthStatusResponseData">
<xsd:annotation>
<xsd:documentation>This type defines the Credential AuthStatus Response
Payload</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="acspAccountId" minOccurs="0" type="xsd:string"/>
<xsd:element name="callStatus" minOccurs="0" type="rsa_csd:CallStatus"/>
<xsd:element name="payload" minOccurs="0"
type="rsa_csd:AcspAuthStatusResponse" />
</xsd:sequence>
</xsd:complexType>
Generic Section (ACSP.xsd):
<xsd:complexType name="AcspAuthStatusResponse" abstract="true">
<xsd:annotation>
<xsd:documentation>This type defines Interface for AuthStatus Response</xsd:documentation>
</xsd:annotation>
</xsd:complexType>
Customized Section (Sample.xsd):
<xsd:complexType name="SampleAcspAuthStatusResponse">
<xsd:complexContent>
<xsd:extension base="rsa_csd:AcspAuthStatusResponse">
<xsd:annotation>
<xsd:documentation>This type defines the Specific AuthStatus
Response</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="field1" minOccurs="0" type="xsd:string" />
<xsd:element name="field2" minOccurs="0" type="xsd:string" />
<xsd:element name="field3" minOccurs="0" type="xsd:string" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
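In every one of the four payload pairs above (challenge request/response and auth-status request/response) the schema only declares an abstract base, and the concrete derived type is selected on the wire by the xsi:type attribute of the payload element. The receiving side therefore has to resolve that QName against the in-scope prefix declarations and accept only the derived types it has registered, rather than instantiating whatever name the sender supplies. The following is an added Python example, not code from the RSA guide: it builds a wrapper carrying a Sample.xsd payload, parses it back while resolving xsi:type, and rejects unregistered types, foreign namespaces and undeclared child elements. The rsa_csd namespace URI is a placeholder, the accept list simply mirrors the Sample.xsd types on this page, and the CallStatus value used in the stand-alone run is made up because the enumeration is not shown here.

```python
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Constructed placeholder URI for the rsa_csd prefix; the real target namespace
# lives in the product's WSDL/XSD and is not reproduced on this page.
RSA_CSD = "urn:example:rsa_csd-placeholder"
ET.register_namespace("rsa_csd", RSA_CSD)
ET.register_namespace("xsi", XSI)


def q(local):
    """Clark-notation tag for an element in the rsa_csd namespace."""
    return f"{{{RSA_CSD}}}{local}"


# Concrete types the receiver accepts for each abstract base, with the child
# elements each may carry. These mirror the Sample.xsd fragments above; a real
# deployment registers its own derived types here.
ALLOWED_PAYLOADS = {
    "AcspChallengeRequest": {
        "SampleAcspChallengeRequest": ("field1", "field2", "field3")},
    "AcspChallengeResponse": {
        "SampleAcspChallengeResponse": ("sampleOtp", "field1", "field2", "field3")},
    "AcspAuthStatusRequest": {
        "SampleAcspAuthStatusRequest": ("sampleOtp", "field1", "field2", "field3")},
    "AcspAuthStatusResponse": {
        "SampleAcspAuthStatusResponse": ("field1", "field2", "field3")},
}


def build_wrapper(wrapper_name, concrete_type, fields, account_id=None, call_status=None):
    """Serialise a wrapper element (e.g. acspChallengeRequestData) whose
    <payload> is tagged xsi:type="rsa_csd:<concrete_type>"."""
    wrapper = ET.Element(q(wrapper_name))
    if account_id is not None:  # the response wrappers carry these two first
        ET.SubElement(wrapper, q("acspAccountId")).text = account_id
    if call_status is not None:
        ET.SubElement(wrapper, q("callStatus")).text = call_status
    payload = ET.SubElement(wrapper, q("payload"))
    payload.set(f"{{{XSI}}}type", f"rsa_csd:{concrete_type}")
    for name, value in fields.items():
        ET.SubElement(payload, q(name)).text = value
    return ET.tostring(wrapper, encoding="unicode")


def _parse_keeping_prefixes(xml_text):
    """ElementTree discards prefix declarations, but an xsi:type value is a
    QName, so collect the in-scope prefix -> URI map while parsing."""
    prefixes, root = {}, None
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns", "start"))
    for event, item in events:
        if event == "start-ns":
            prefixes[item[0]] = item[1]
        elif root is None:
            root = item
    return root, prefixes


def parse_payload(xml_text, base_type):
    """Return (concrete_type, {field: text}) for the wrapper's payload, or None
    when the optional <payload> is absent. Raise ValueError when xsi:type is
    missing, resolves to a foreign namespace, is not registered for base_type,
    or the payload carries elements the registered type does not declare."""
    root, prefixes = _parse_keeping_prefixes(xml_text)
    payload = root.find(q("payload"))
    if payload is None:
        return None
    xsi_type = payload.get(f"{{{XSI}}}type")
    if not xsi_type:
        raise ValueError("payload has no xsi:type; the abstract base cannot be instantiated")
    prefix, _, local = xsi_type.rpartition(":")
    if prefixes.get(prefix) != RSA_CSD:
        raise ValueError(f"xsi:type {xsi_type!r} is not in the rsa_csd namespace")
    allowed = ALLOWED_PAYLOADS[base_type]
    if local not in allowed:
        raise ValueError(f"{local} is not a registered {base_type} type")
    fields = {}
    for child in payload:
        name = child.tag.rsplit("}", 1)[-1]
        if name not in allowed[local]:
            raise ValueError(f"{local} does not declare element {name}")
        fields[name] = child.text or ""
    return local, fields


def accepts(xml_text, base_type):
    """True when parse_payload accepts the wrapper, False when it rejects it."""
    try:
        parse_payload(xml_text, base_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_wrapper("acspChallengeRequestData", "SampleAcspChallengeRequest",
                        {"field1": "a", "field2": "b"})
    print(req)
    print(parse_payload(req, "AcspChallengeRequest"))
    # A payload claiming a type the receiver never registered is refused.
    print(accepts(req.replace("SampleAcspChallengeRequest", "UnregisteredType"),
                  "AcspChallengeRequest"))
```

The prefix map is collected with the start-ns events of iterparse because a plain fromstring loses the declarations, and without them the QName in xsi:type cannot be checked against the rsa_csd namespace at all; the same check has to be done per base type, since a registered challenge type is not a valid auth-status type even though both derive from an rsa_csd abstract base.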
Authentication Levels
The following table contains the various authentication levels scaled from 1-1000,
where the strength of authentication increases; 1000 is considered the strongest form
of authentication.
If you are using your own authentication methods outside of the RSA Adaptive
Authentication (On Premise) system, you should map your existing authentication to
these levels and pass them to the Adaptive Authentication system when needed. For
example, use a user name and password to authenticate a user before passing the user
to the Adaptive Authentication system for logon authentication.
Authentication Type | Used Relation to Password | Authentication Level
Password | NA | 500
Error Messages
The following table lists the actual error codes, the status description provided in the
response message, and an explanation of each error code and status description.
Error Code | Status Description | Explanation
UNSUPPORTED_METHOD | This method is not supported for this credential. | An alert that a method call is not supported for a given credential.
1052 | Multiple Warnings | In the event where multiple warnings occur, this warning code is displayed.
1202 | Invalid Session Error | The session being requested or handled is invalid.
1203 | Invalid/Expired Session Id Error | The error code is issued when either the session Id is invalid or the session is expired. As a result, the processing error prevents successful completion of the SOAP request.
1252 | Multiple locales in a single session | Multiple locales are detected in a single session.
1402 | User Credential Manager Error | Errors thrown by User Credential Manager.
1452 | User Credential Missing Warning | User does not have any of the required credentials.
1501 | User Level Error | Generic User level error. For now this is the only user level error defined.
1502 | User not enrolled | The user is not enrolled in the Adaptive Authentication system.
1601 | Missing Input Data Error | Required data elements are missing in the request.
1602 | Input Data Error | The data element in the request results in a processing error.
1603 | Invalid Action Type Error | The ActionType element in the WS request is not legal.
1605 | Data Validation Error | Data fields that failed Adaptive Authentication's data validation.
1652 | Input Data Replaced Warning | The Adaptive Authentication system replaced some data in the request message with other data.
1653 | Input Data Omitted | The Adaptive Authentication system omitted some data from the request message.