
Administrator management of user authentication settings

These endpoints allow an administrator to query or update the authentication settings for a user.
Generally, managing other users' settings requires the POWER-USER role; however, some operations require additional permissions.

API-key management

These endpoints allow an administrator to manage a user's API-keys.

Managing API-keys requires security level default or above.
External users are therefore not allowed to manage API-keys using API-keys.
To manage API-keys via scripts, either use 2FA script authentication, or per-request cryptographic authentication.

Listing a user's API-keys

List active API-keys using:

curl -XGET -H"Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/apikey

Creating a new API-key

To create a new API-key:

curl -XPOST -H"Argus-API-Key: my/api/key" -H"Content-Type: application/json" https://api.mnemonic.no/authentication/v1/user/myuser/apikey -d '{
  "description": "My read-only case API-key",
  "validSources": "94.127.56.0/24",
  "expirationDays": 30,
  "sessionConstraints": {
    "function": [
      "CASE-SECMON-RO"
    ]
  }
}'

Always restrict your API-keys as much as possible, to reduce the risk of misuse.

A key can be constrained by time, source IP, function/role constraints, and customer constraints.

If you only intend to use the key for a very limited set of features, you should limit the key to a suitable role.

If in doubt about which role to use, please contact mss@mnemonic.no.
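As a pre-flight check for the advice above, this added example (not part of the Argus documentation or mnemonic's code) lints a key-creation body before it is sent. It uses the field names from the request above; the thresholds, the sample bodies, and accepting a list for validSources are assumptions of this example.

```python
import ipaddress

# Local policy thresholds: assumptions of this example, not Argus limits.
MAX_EXPIRATION_DAYS = 90
MIN_PREFIX = {4: 24, 6: 64}  # shortest acceptable prefix length per IP version

# Constructed sample bodies: the first mirrors the request shown above.
TIGHT = {"description": "My read-only case API-key", "validSources": "94.127.56.0/24",
         "expirationDays": 30, "sessionConstraints": {"function": ["CASE-SECMON-RO"]}}
LOOSE = {"description": "automation", "validSources": "0.0.0.0/0", "expirationDays": 365}


def lint_apikey_request(body):
    """Return least-privilege findings for an API-key creation body."""
    findings = []

    # Time constraint: the key must carry a bounded lifetime.
    days = body.get("expirationDays")
    if isinstance(days, bool) or not isinstance(days, int) or days <= 0:
        findings.append("expirationDays missing or not a positive integer")
    elif days > MAX_EXPIRATION_DAYS:
        findings.append(f"expirationDays {days} exceeds {MAX_EXPIRATION_DAYS}")

    # Source IP constraint: accept one CIDR string or a list of them (assumption).
    sources = body.get("validSources")
    if isinstance(sources, str):
        sources = [sources]
    if not isinstance(sources, list) or not sources:
        findings.append("validSources missing: no source IP restriction")
        sources = []
    for src in sources:
        try:
            net = ipaddress.ip_network(str(src), strict=False)
        except ValueError:
            findings.append(f"validSources entry {src!r} is not a valid CIDR")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"validSources entry {src} is broader than /{MIN_PREFIX[net.version]}")

    # Function/role constraint: require at least one explicit function.
    constraints = body.get("sessionConstraints")
    functions = constraints.get("function") if isinstance(constraints, dict) else None
    if not functions:
        findings.append("sessionConstraints.function empty: key not limited to a role")
    return findings


if __name__ == "__main__":
    for name, body in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        print(name, lint_apikey_request(body) or "ok")
```

An empty result means the body sets all three constraints within the local policy; any finding should block the POST until the body is tightened.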

Deleting an existing API-key

To delete an existing API-key, use the prefix of the key to identify it.
For example, for the prefix (userID/keyID) 15a6/1, delete the key with:

curl -XDELETE -H"Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/apikey/15a6/1

OpenID user configuration management

Please see the External Identity Provider Integration Guide for details.

Cryptographic key management

A user may have enrolled one or more public keys, and can use the corresponding private key to authenticate a session or to sign requests.

To enroll new keys, a user must be logged in with a higher security level; normal users cannot do this via API-keys.
Enrollment is therefore not covered by this guide.

However, administrators may manage a user's keys:

List a user's cryptographic keys

curl -XGET -H"Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/myuser/signature

Evict a user's cryptographic key replay cache

To prevent replay attacks using cryptographic signatures, Argus maintains a short-lived replay protection cache, backed by clock skew detection that prevents users from skewing their clock to circumvent the replay protection cache.

If the client's clock is abruptly adjusted, the clock skew detection may prevent the client from authenticating requests until the clock skew cache has timed out. To resolve this situation, delete the "signature session" for the user:

curl -XDELETE -H"Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/user/signature/session

Authentication settings for other methods

There are endpoints for SMS, RADIUS, LDAP and TOTP user management. However, these are not useful to integrate via scripts, and are therefore not documented in this guide.