Administrator management of user authentication settings
These endpoints allow an administrator to query or update the authentication settings for a user.
Generally, managing other users' settings requires the POWER-USER role; however, some operations require additional permissions.
API-key management
These endpoints allow an administrator to manage a user's API-keys.
Managing API-keys requires security level default or above.
External users are therefore not allowed to manage API-keys using API-keys.
To manage API-keys via scripts, either use 2FA script authentication or per-request cryptographic authentication.
Listing a user's API-keys
List a user's active API-keys using:
curl -XGET -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/apikey
Creating a new API-key
To create a new API-key, POST a JSON body describing the key and its constraints (the trailing comma in the original body is removed so the JSON parses):
curl -XPOST -H "Argus-API-Key: my/api/key" -H "Content-Type: application/json" https://api.mnemonic.no/authentication/v1/user/myuser/apikey -d '
{
  "description": "My read-only case API-key",
  "validSources": "94.127.56.0/24",
  "expirationDays": 30,
  "sessionConstraints": {
    "function": [
      "CASE-SECMON-RO"
    ]
  }
}'
Always restrict your API-keys as much as possible, to reduce the risk of misuse.
A key can be constrained by time, source IP, function/role constraints, and customer constraints.
If you only intend to use the key for a very limited set of features, you should limit the key to a suitable role.
If in doubt about which role to use, please contact mss@mnemonic.no
Deleting an existing API-key
To delete an existing API-key, use the prefix of the key (userID/keyID) to identify it.
E.g. for the prefix 15a6/1, delete the key by:
curl -XDELETE -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/apikey/15a6/1
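The create, list and delete calls above, wrapped as an added Python example (not mnemonic's own client code) that refuses to build an unconstrained key request and validates the userID/keyID prefix before issuing a DELETE. It assumes validSources holds a single CIDR, that a prefix looks like the page's 15a6/1, and that the API accepts a JSON Content-Type header.

```python
import ipaddress
import json
import re
import urllib.request

BASE_URL = "https://api.mnemonic.no/authentication/v1"
# userID/keyID, e.g. 15a6/1 (format assumed from the page's example)
PREFIX_RE = re.compile(r"^[0-9a-f]+/\d+$")


def build_apikey_request(description, valid_source, expiration_days, functions):
    """Build the JSON body for POST .../user/{user}/apikey, refusing unconstrained keys.

    Every constraint the guide recommends (source network, lifetime, function/role)
    must be present, so a script cannot accidentally mint a broad, non-expiring key.
    """
    if not valid_source:
        raise ValueError("validSources is required: restrict the key to a known source network")
    ipaddress.ip_network(valid_source, strict=True)  # raises on a malformed CIDR (assumes one CIDR)
    if not isinstance(expiration_days, int) or expiration_days <= 0:
        raise ValueError("expirationDays must be a positive integer")
    if not functions:
        raise ValueError("at least one function/role constraint is required")
    return {
        "description": description,
        "validSources": valid_source,
        "expirationDays": expiration_days,
        "sessionConstraints": {"function": list(functions)},
    }


def apikey_request(api_key, user, method, body=None, prefix=None):
    """Prepare the HTTP request for the apikey endpoints; DELETE needs the key prefix."""
    path = f"{BASE_URL}/user/{user}/apikey"
    if method == "DELETE":
        if not prefix or not PREFIX_RE.match(prefix):
            raise ValueError("DELETE needs a key prefix of the form userID/keyID")
        path += f"/{prefix}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(path, data=data, method=method)
    req.add_header("Argus-API-Key", api_key)
    if data is not None:
        req.add_header("Content-Type", "application/json")  # assumed to be accepted by the API
    return req


if __name__ == "__main__":
    body = build_apikey_request("My read-only case API-key", "94.127.56.0/24", 30, ["CASE-SECMON-RO"])
    req = apikey_request("my/api/key", "myuser", "POST", body)
    with urllib.request.urlopen(req) as resp:  # needs network access and a real API-key
        print(resp.read().decode())
```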
OpenID user configuration management
Please see the External Identity Provider Integration Guide for details.
Cryptographic key management
A user may have enrolled one or multiple public keys, and use the corresponding private key to authenticate a session or to sign requests.
For a user to enroll new keys, the user must be logged in with a higher security level, and this is not available for normal users to do via API-keys.
This is therefore not covered by this guide.
However, administrators may manage a user's keys:
List a user's cryptographic keys
curl -XGET -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/signature
Evict a user's cryptographic key replay cache
To avoid replay attacks using cryptographic signatures, Argus contains a short-lived replay protection cache, backed by clock skew detection, which prevents users from skewing their clock to circumvent the replay protection cache.
In a situation where the client's clock is abruptly adjusted, the clock skew detection may prevent a client from authenticating requests until the clock skew cache has timed out. To resolve this situation, delete the "signature session" for the user:
curl -XDELETE -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/signature/session
Authentication settings for other methods
There are endpoints for SMS, RADIUS, LDAP and TOTP user management. However, these are not useful to integrate via scripts, and are therefore not documented in this guide.