Administrator management of user authentication settings

These endpoints allow an administrator to query or update the authentication settings of a user.
Managing other users' settings generally requires the POWER-USER role; some operations require additional permissions on top of that.

API-key management

These endpoints allow an administrator to manage a user's API-keys.

Managing API-keys requires security level default or above.
External users are therefore not allowed to manage API-keys while authenticated with an API-key.
To manage API-keys from scripts, use either 2FA script authentication or per-request cryptographic authentication.

Listing a user's API-keys

List active API-keys using:

```shell
curl -XGET -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/apikey
```

Creating a new API-key

To create a new API-key, POST a JSON body describing the key and its constraints:

```shell
curl -XPOST -H "Argus-API-Key: my/api/key" -H "Content-Type: application/json" \
  https://api.mnemonic.no/authentication/v1/user/myuser/apikey -d '
{
  "description": "My read-only case API-key",
  "validSources": "94.127.56.0/24",
  "expirationDays": 30,
  "sessionConstraints": {
    "function": [
      "CASE-SECMON-RO"
    ]
  }
}'
```

Always restrict your API-keys as much as possible, to reduce the risk of misuse.

A key can be constrained by time, source IP, function/role constraints, and customer constraints.

If you only intend to use the key for a very limited set of features, you should limit the key to a suitable role.

If in doubt about which role to use, please contact mss@mnemonic.no.

Deleting an existing API-key

To delete an existing API-key, identify the key by its prefix.
For example, for the prefix (userID/keyID) 15a6/1, delete the key with:

```shell
curl -XDELETE -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/apikey/15a6/1
```
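The creation and deletion steps above, as an added example in Python (this is not code from the Argus documentation or from mnemonic). It builds the request body for the documented POST endpoint, refuses to send a key that is broader than the advice above allows (no source restriction, no role constraint, or an overly long lifetime), and prepares the DELETE request from a userID/keyID prefix. The field names and endpoints are the ones shown on this page; the 365-day ceiling is a local policy assumed here, not an Argus limit, and the response format is not shown on the page, so `send()` simply returns the decoded JSON.

```python
"""Added example (not Argus documentation code): restricted API-key creation
and deletion by prefix against the endpoints documented above."""
import ipaddress
import json
import urllib.request

BASE_URL = "https://api.mnemonic.no"  # base URL taken from the documentation
MAX_EXPIRATION_DAYS = 365             # assumed local policy, not an Argus limit


def build_apikey_body(description, valid_sources, expiration_days, functions):
    """Return the JSON body for POST /authentication/v1/user/{user}/apikey.

    Raises ValueError for keys that carry no meaningful restriction, following
    the "restrict as much as possible" advice in the documentation.
    """
    if not description.strip():
        raise ValueError("description must say what the key is for")
    # validSources must be a valid network and must not be the whole address space
    net = ipaddress.ip_network(valid_sources, strict=False)
    if net.prefixlen == 0:
        raise ValueError("validSources must not be 0.0.0.0/0 or ::/0")
    if not 0 < expiration_days <= MAX_EXPIRATION_DAYS:
        raise ValueError(f"expirationDays must be 1..{MAX_EXPIRATION_DAYS}")
    if not functions:
        raise ValueError("constrain the key to at least one function/role")
    return {
        "description": description,
        "validSources": str(net),
        "expirationDays": expiration_days,
        "sessionConstraints": {"function": list(functions)},
    }


def parse_key_prefix(prefix):
    """Split a documented 'userID/keyID' prefix such as '15a6/1' into its parts."""
    parts = prefix.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"key prefix must look like userID/keyID, got {prefix!r}")
    return parts[0], parts[1]


def apikey_request(api_key, user, body=None, key_prefix=None):
    """Prepare (without sending) the create or delete request for a user's API-key."""
    if body is not None and key_prefix is None:
        url = f"{BASE_URL}/authentication/v1/user/{user}/apikey"
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
        req.add_header("Content-Type", "application/json")
    elif key_prefix is not None and body is None:
        user_id, key_id = parse_key_prefix(key_prefix)
        url = f"{BASE_URL}/authentication/v1/user/{user}/apikey/{user_id}/{key_id}"
        req = urllib.request.Request(url, method="DELETE")
    else:
        raise ValueError("pass exactly one of body (create) or key_prefix (delete)")
    req.add_header("Argus-API-Key", api_key)
    return req


def send(req):
    """Send a prepared request; requires network access to the API."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_apikey_body("My read-only case API-key", "94.127.56.0/24", 30, ["CASE-SECMON-RO"])
    create = apikey_request("my/api/key", "myuser", body=body)
    delete = apikey_request("my/api/key", "myuser", key_prefix="15a6/1")
    print(create.get_method(), create.full_url)
    print(json.dumps(body, indent=2))
    print(delete.get_method(), delete.full_url)
    # send(create) / send(delete) would issue the calls with a real key.
```

The validation runs before any request is prepared, so a script that forgets the source restriction or the role constraint fails locally rather than leaving an over-privileged key on the server.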

OpenID user configuration management

Please see the External Identity Provider Integration Guide for details.

Cryptographic key management

A user may have enrolled one or more public keys, and uses the corresponding private key to authenticate a session or to sign requests.

To enroll new keys, the user must be logged in with a higher security level; this is not available to normal users via API-keys, and is therefore not covered by this guide.

However, administrators may manage a user's keys:

List a user's cryptographic keys

```shell
curl -XGET -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/signature
```

Evict a user's cryptographic key replay cache

To prevent replay attacks against cryptographic signatures, Argus keeps a short-lived replay-protection cache, backed by clock-skew detection that prevents users from skewing their clock to circumvent the replay-protection cache.

If the client's clock is abruptly adjusted, the clock-skew detection may prevent that client from authenticating requests until the clock-skew cache has timed out. To resolve this situation, delete the "signature session" for the user:

```shell
curl -XDELETE -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/signature/session
```
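The mechanism described above, as an added illustrative model in Python (not Argus's implementation, and not code from mnemonic): a replay cache that remembers seen signatures for a short time, plus a per-user record of the observed client clock offset that rejects requests when that offset jumps. The scenario function walks through a replay, an abrupt clock correction, the administrator eviction modelled on the DELETE endpoint above, and the natural timeout. All constants and the cache layout are assumptions chosen for the example.

```python
"""Added example (not Argus code): a minimal replay-protection cache backed by
clock-skew detection, showing why an abruptly adjusted client clock blocks a
user until the skew record times out or an administrator evicts it."""
import time

# Assumed values for the example, not Argus's actual configuration.
REPLAY_TTL = 300          # seconds a seen signature is remembered
SKEW_TTL = 900            # seconds a user's observed clock offset is remembered
MAX_INITIAL_SKEW = 900    # tolerated offset when a user is first seen
MAX_JUMP = 60             # tolerated change of a user's offset between requests


class ReplayCache:
    def __init__(self, now=time.time):
        self.now = now    # injectable clock so the scenario below is deterministic
        self.seen = {}    # (user, signature) -> server time the signature was first seen
        self.skew = {}    # user -> (last accepted client-server offset, server time)

    def check(self, user, signature, client_ts):
        """Return (accepted, reason) for a signed request carrying client_ts."""
        now = self.now()
        self._expire(now)
        if (user, signature) in self.seen:
            return False, "replay: signature already seen within REPLAY_TTL"
        offset = client_ts - now
        record = self.skew.get(user)
        if record is None:
            if abs(offset) > MAX_INITIAL_SKEW:
                return False, "timestamp too far from server time"
        elif abs(offset - record[0]) > MAX_JUMP:
            # The client's clock moved relative to what was seen earlier. A client
            # that can jump its clock at will could step outside the replay window,
            # so the request is refused until the record expires or is evicted.
            return False, "clock skew changed abruptly; signature session must time out or be evicted"
        self.seen[(user, signature)] = now
        self.skew[user] = (offset, now)
        return True, "ok"

    def evict(self, user):
        """Administrator action, modelled on DELETE /authentication/v1/user/signature/session."""
        self.skew.pop(user, None)
        for key in [k for k in self.seen if k[0] == user]:
            del self.seen[key]

    def _expire(self, now):
        """Drop cache entries older than their TTL."""
        self.seen = {k: t for k, t in self.seen.items() if now - t <= REPLAY_TTL}
        self.skew = {u: r for u, r in self.skew.items() if now - r[1] <= SKEW_TTL}


def scenario():
    """Replay, abrupt clock adjustment, administrator eviction, and natural timeout."""
    clock = [1_000_000.0]
    cache = ReplayCache(now=lambda: clock[0])
    outcomes = []
    # 1. first request from a client whose clock runs 10 minutes fast: accepted
    outcomes.append(cache.check("alice", "sig-1", clock[0] + 600)[0])
    # 2. the same signature sent again: rejected by the replay cache
    outcomes.append(cache.check("alice", "sig-1", clock[0] + 600)[0])
    # 3. NTP corrects the client's clock; the 600 s jump trips skew detection
    clock[0] += 5
    outcomes.append(cache.check("alice", "sig-2", clock[0])[0])
    # 4. administrator evicts the signature session; the corrected clock is accepted
    cache.evict("alice")
    outcomes.append(cache.check("alice", "sig-2", clock[0])[0])
    # 5. without eviction the record simply expires after SKEW_TTL
    cache2 = ReplayCache(now=lambda: clock[0])
    cache2.check("bob", "sig-1", clock[0] + 600)
    clock[0] += SKEW_TTL + 1
    outcomes.append(cache2.check("bob", "sig-2", clock[0])[0])
    return outcomes


if __name__ == "__main__":
    print(scenario())  # [True, False, False, True, True]
```

Step 3 is the situation the documentation describes: the client is now sending correct timestamps, but the server still compares against the offset it recorded earlier, so the user stays locked out until an administrator evicts the record (step 4) or it ages out (step 5).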

Authentication settings for other methods

There are endpoints for SMS, RADIUS, LDAP and TOTP user management. However, these are not useful to integrate via scripts, and are therefore not documented in this guide.