Writing plugin programs for external security questions and authentication
Authentication plugins allow Bravura Security Fabric to interface with any authentication system. Each plugin corresponds to a question set configured in the Bravura Security Fabric system.
An authentication plugin is a PSLang script or console executable that reads its input and writes its output as plain text in KVGroup format. For more information about PSLang, see the PSLang Manual (pslang.pdf).
CGI programs can execute the authentication plugin to perform one of four tasks. The tasks that an authentication plugin may be asked to perform depend on how the corresponding question set is configured. However, the plugin will only be required to perform one operation each time it is run.
Bravura Security Fabric can issue the following requests to the authentication plugin:
Request questions
Bravura Security Fabric receives questions from the authentication plugin, and displays the questions to the user.
Request questions and answers
Bravura Security Fabric reads the questions and answers from the authentication plugin and internally validates the responses from the user.
The "External program provides answers along with questions" option must be enabled for the question set.
Validate answers
The authentication plugin reads the responses provided by the user, and tells Bravura Security Fabric whether or not the answers are valid.
The "External program provides answers along with questions" option must be disabled for the question set.
Update questions and answers
When users update existing questions and add new ones, their changes are forwarded to the external system.
The "Users allowed to edit questions/answers" option must be enabled for the question set.
This section details input / output requirements for authentication plugins when:
Requesting questions
Requesting questions and answers
Validating answers
Editing questions and answers
When the input information from Bravura Security Fabric includes a task action of "questions", the authentication plugin should write a list of questions back to the CGI program.
Input
"action" "questions" = {
  "state" = "0"
  "userid" = "USER"
}
The "state" can be any integer.
Output
"action" "questions" = {
  "returnval" = "RETURNVAL"
  "qid" "QID1" = {
    "question" = "QUESTION1"
    "answer" = "ANSWER1" (optional)
  }
  "qid" "QID2" = {
    "question" = "QUESTION2"
    (optional) "answer" = "ANSWER2"
  }
  ...
}
If the "External program provides answers along with questions" box is not checked in the question set configuration page, the answers will be ignored by the plugin.
For external pre-defined question sets, the "qid" values are expected to be the same as in the qdef table.
If the "External program provides answers along with questions" box is checked in the question set configuration page, then the authentication plugin must supply answers as well as questions. The input / output will be the same as in the above example, but the "answer" value is required.
When the input includes a task action of "validate", the authentication plugin should accept a list of answers in the same form as above. The authentication plugin receives an answer for every question that it supplied.
Input
"action" "validate" = {
  "state" = "STATE"
  "qid" "QID1" = {
    "answer" = "ANSWER1"
  }
  "qid" "QID2" = {
    "answer" = "ANSWER2"
  }
  ...
}
Output
"action" "validate" = {
  "returnval" = "RETURNVAL"
  // the following are optional
  "errmsg" = "ERRMSG"
  "state" = "STATE"
  "qid" "QID1" = {
    "answer" = "ANSWER1"
  }
  "qid" "QID2" = {
    "answer" = "ANSWER2"
  }
  ...
}
Once the authentication plugin receives all of the answers, it should check the answers for correctness. A "returnval" value of 0 means the answers are valid. Any other "returnval" value means the answers are not valid. The "errmsg" tag can be used to indicate the error for a failed operation.
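The "validate" handling described above, sketched as a console executable in Python that fails closed; this is an added example, not code from the product or its documentation. The stdin/stdout transport, the sample qids and answers, the hashing and normalization policy, and the function names are assumptions.

```python
import hashlib, hmac, re, sys

SALT = b"constructed-demo-salt"  # constructed; use a per-user random salt in practice

def digest(answer):
    # Assumed policy: ignore case and extra whitespace before hashing.
    norm = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), SALT, 100_000)

# Constructed store: qid -> hash of the enrolled answer (never the plaintext).
STORED = {"QID1": digest("Rex"), "QID2": digest("Springfield")}

# Reads only the "validate" input shape shown above; KVGroup escaping rules
# are not covered, so an answer this pattern cannot read fails validation.
QID_ANSWER = re.compile(
    r'"qid"\s+"([^"]*)"\s*=\s*\{\s*"answer"\s*=\s*"([^"]*)"\s*\}')

def validate(text):
    """Return 0 only if every stored question has exactly one correct answer."""
    action = re.match(r'\s*"action"\s+"([^"]*)"', text)
    pairs = QID_ANSWER.findall(text)
    answers = dict(pairs)
    ok = (action is not None and action.group(1) == "validate"
          and len(pairs) == len(answers)        # reject duplicate qids
          and answers.keys() == STORED.keys())  # reject missing or extra qids
    # Check every answer, even after a failure, in constant time per answer.
    for qid, expected in STORED.items():
        match = hmac.compare_digest(digest(answers.get(qid, "")), expected)
        ok = ok and match
    return 0 if ok else 1

def render(returnval):
    """Build the "validate" output; errmsg never says which answer failed."""
    body = '"returnval" = "%d"' % returnval
    if returnval != 0:
        body += ' "errmsg" = "Answers could not be verified"'
    return '"action" "validate" = { %s }' % body

if __name__ == "__main__":
    # Assumption: the request arrives on stdin and the reply goes to stdout.
    print(render(validate(sys.stdin.read())))
```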
When input includes a task action of "edit", the authentication plugin should accept both questions and answers.
Input
"action" "edit" = {
  "qid" "QID1" = {
    "question" = "QUESTION1"
    "answer" = "ANSWER1"
  }
  "qid" "QID2" = {
    "question" = "QUESTION2"
    "answer" = "ANSWER2"
  }
  ...
}
If both the question and the answer are blank, the security question pair was removed. The questions are not provided for pre-defined question sets.
Output
"action" "edit" = { "returnval" = "RETURNVAL" }
A "returnval" value of 0 means the update was successful.