Authentication Mechanisms
This guide explains the authentication mechanisms supported by CyberArk Identity and how to configure them.
The authentication profile is where you define the required authentication mechanisms such as password, email confirmation code, mobile authenticator, QR code, FIDO2, and more. Authentication mechanisms are divided into the following primary categories:
- Something you have
- Something you are
- Something you know
Create an authentication profile
Perform the following steps to create an authentication profile in the admin portal:
- Click Settings > Authentication.
- Click Add Profile on the Authentication Profiles page.
- Enter a unique name for each profile.
- Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

Supported authentication mechanisms
- Password
- Security Question(s)
- Phone call (Carrier/GSM)
- SMS (Text)
- Email confirmation (Link / Code)
- Mobile Authenticator (CyberArk Identity)
- QR code
- OATH OTP Client (TOTP/HOTP)
- FIDO2 Authenticator(s) Single factor
- FIDO2 Authenticator(s) Multi factor
- 3rd Party RADIUS Authentication
API endpoint Payloads
User password and Security Question
For user password and security question authentication, use the endpoint below.
POST https://ABC1234.mycompany.idaptive.app/Security/AdvanceAuthentication
X-IDAP-NATIVE-CLIENT:true
Content-Type: application/json
{
"SessionId": "1e5214e4-0921-4e9e-8ada-3ef2970f7c1f",
"MechanismId": "4a23390d-dee9-4ead-aa33-2bacd93f81fa",
"Action": "Answer",
"Answer": "Pass1234"
}
Prerequisite
For Security Questions, the user needs to log in to the user portal and set up the security questions in order to use this authentication method.
Upon successful authentication, the user is logged in with the .ASPXAUTH token, which can be used further as described in Using the Authentication Token.
Phone call, SMS, Mobile Authenticator, QR code, OATH OTP Client and Email authentication
For Phone call, SMS, Mobile Authenticator, QR code, OATH OTP Client and Email authentication, the user needs to perform out-of-band (OOB) authentication as described in Out of Bound Authentication.
POST https://ABC1234.mycompany.idaptive.app/Security/AdvanceAuthentication
X-IDAP-NATIVE-CLIENT:true
Content-Type: application/json
{
"SessionId": "1e5214e4-0921-4e9e-8ada-3ef2970f7c1f",
"MechanismId": "4a23390d-dee9-4ead-aa33-2bacd93f81fa",
"Action": "StartOOB"
}
After calling the above endpoint, the user needs to authenticate using the smartphone or by responding to the email link. After successful authentication, the user needs to call the endpoint below to get the success response along with the .ASPXAUTH token.
POST https://ABC1234.mycompany.idaptive.app/Security/AdvanceAuthentication
X-IDAP-NATIVE-CLIENT:true
Content-Type: application/json
{
"SessionId": "1e5214e4-0921-4e9e-8ada-3ef2970f7c1f",
"MechanismId": "4a23390d-dee9-4ead-aa33-2bacd93f81fa",
"Action": "Poll"
}
OATH OTP Client
After requesting the poll, the user needs to enter the OATH OTP to authenticate.
POST https://ABC1234.mycompany.idaptive.app/Security/AdvanceAuthentication
X-IDAP-NATIVE-CLIENT:true
Content-Type: application/json
{
"SessionId": "1e5214e4-0921-4e9e-8ada-3ef2970f7c1f",
"MechanismId": "4a23390d-dee9-4ead-aa33-2bacd93f81fa",
"Action": "Poll",
"Answer": "604795"
}
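The StartOOB and Poll sequence above, written as a client loop with a hard deadline so an unanswered challenge cannot leave a session polling indefinitely. This is an added example, not CyberArk's code. The injected `post` transport, the fake tenant, and the response fields `success`, `Result` and `Summary` with the values `OobPending` and `LoginSuccess` are assumptions, since this page shows no response bodies.

```python
import time

PATH = "/Security/AdvanceAuthentication"  # endpoint path from the page
HEADERS = {"X-IDAP-NATIVE-CLIENT": "true", "Content-Type": "application/json"}

def build_payload(session_id, mechanism_id, action, answer=None):
    """Build an AdvanceAuthentication body using the fields shown on the page."""
    body = {"SessionId": session_id, "MechanismId": mechanism_id, "Action": action}
    if answer is not None:
        body["Answer"] = answer
    return body

def oob_login(post, session_id, mechanism_id, otp=None,
              timeout=120.0, interval=2.0, sleep=time.sleep, clock=time.monotonic):
    """Send StartOOB, then Poll until login succeeds or the deadline passes.

    post(path, headers, body) -> dict is a caller-supplied HTTPS transport.
    The response keys "success", "Result" and "Summary", and the Summary values
    "OobPending" / "LoginSuccess", are assumptions; this page shows no responses.
    """
    start = post(PATH, HEADERS, build_payload(session_id, mechanism_id, "StartOOB"))
    if not start.get("success"):
        raise RuntimeError("StartOOB was rejected")
    deadline = clock() + timeout
    while clock() < deadline:
        # For OATH OTP the code travels in the Poll request as "Answer".
        reply = post(PATH, HEADERS, build_payload(session_id, mechanism_id, "Poll", otp))
        summary = (reply.get("Result") or {}).get("Summary")
        if reply.get("success") and summary == "LoginSuccess":
            return reply["Result"]
        if not reply.get("success") or summary != "OobPending":
            # Fail closed on anything other than "still pending".
            raise RuntimeError(f"authentication failed: {summary!r}")
        sleep(interval)
    raise TimeoutError("user did not complete out-of-band authentication in time")

def make_fake_tenant(pending_polls):
    """Constructed stand-in for the tenant: pending for N polls, then success."""
    sent = []

    def post(path, headers, body):
        sent.append(body)
        polls = sum(1 for b in sent if b["Action"] == "Poll")
        if body["Action"] == "StartOOB" or polls <= pending_polls:
            return {"success": True, "Result": {"Summary": "OobPending"}}
        return {"success": True, "Result": {"Summary": "LoginSuccess"}}

    return post, sent
```

In real use, `post` should be the only place that touches the network, which also makes it the single point to enforce HTTPS and to keep `Answer` values out of request logs.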
Configure Phone call pin
For Phone call authentication, a PIN must first be set, either from the user portal or through the API. To enable the PIN through the API, the user needs to obtain an .ASPXAUTH token using the user password or another mechanism and then call the API below.
POST https://ABC1234.mycompany.idaptive.app/UserMgmt/SetPhonePin
X-IDAP-NATIVE-CLIENT:true
Content-Type: application/json
{
"ID": "[email protected]",
"phonepin": "1234"
}
Enroll Device
The Mobile Authenticator and QR code options require users to have the CyberArk Identity mobile app installed on their devices, and those devices must be enrolled in CyberArk Identity under the devices section of the user portal.
Note
The CyberArk Identity mobile application is currently available for iOS and Android devices.