Credential refresh rules
Credential refresh involves the generation of a new credential for user identity, followed by an evaluation of the contents of the new credential against the contents of the old credential that was obtained during initial user authentication. The contents of the two credentials are combined into a merged credential according to the following rules:
- When an attribute occurs in the new credential but not the old credential, it is added to the merged credential.
- The following attributes are added to the merged credential based only on their value in the old credential. These attributes are used by the authorization API. They are not changed by values in the new credential:
  - AZN_CRED_AUTHNMECH_INFO
  - AZN_CRED_BROWSER_INFO
  - AZN_CRED_IP_ADDRESS
  - AZN_CRED_PRINCIPAL_NAME
  - AZN_CRED_AUTH_METHOD
  - AZN_CRED_USER_INFO
  - AZN_CRED_QOP_INFO
- For each attribute in the old credential for which there is a corresponding attribute in the new credential, the following rules apply:
  - When there is an entry in the configuration file that matches it, the attribute in the merged credential is preserved or refreshed according to the value of the entry in the configuration file.
  - When there is not an entry in the configuration file that matches it, the attribute in the merged credential is assigned the value from the new credential.
- For each attribute in the old credential for which there is not a corresponding attribute in the new credential, the following rules apply:
  - When there is a configuration file entry for the attribute specifying refresh, the attribute is not added to the merged credential.
  - When there is a configuration file entry for the attribute specifying preserve, the attribute is added to the merged credential.
  - When the configuration file does not contain an entry for the attribute, the attribute is not added to the merged credential.
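The merge rules above, implemented as an added example (not product code from the page). It assumes credentials are plain dictionaries of attribute name to value, that configuration entries are (pattern, action) pairs where a pattern may use shell-style wildcards (the page only says an entry "matches" an attribute), and that an authorization-API attribute absent from the old credential is never taken from the new one.

```python
from fnmatch import fnmatchcase

# Attributes taken only from the old credential (the list given on this page).
AUTHZ_ONLY_ATTRS = frozenset({
    "AZN_CRED_AUTHNMECH_INFO", "AZN_CRED_BROWSER_INFO", "AZN_CRED_IP_ADDRESS",
    "AZN_CRED_PRINCIPAL_NAME", "AZN_CRED_AUTH_METHOD", "AZN_CRED_USER_INFO",
    "AZN_CRED_QOP_INFO",
})

def lookup_rule(name, config):
    """Return 'preserve', 'refresh', or None for the first config entry whose
    pattern matches the attribute name (wildcard support is an assumption)."""
    for pattern, action in config:
        if fnmatchcase(name, pattern):
            return action
    return None

def merge_credentials(old, new, config):
    merged = {}
    # Attributes present only in the new credential are added as-is
    # (assumption: except authorization-API attributes, which come from old only).
    for name, value in new.items():
        if name not in old and name not in AUTHZ_ONLY_ATTRS:
            merged[name] = value
    for name, old_value in old.items():
        if name in AUTHZ_ONLY_ATTRS:
            merged[name] = old_value          # never changed by the new credential
            continue
        rule = lookup_rule(name, config)
        if name in new:
            # Present in both: preserve keeps old; refresh or no entry takes new.
            merged[name] = old_value if rule == "preserve" else new[name]
        elif rule == "preserve":
            merged[name] = old_value          # old-only and explicitly preserved
        # old-only with refresh or no entry: dropped from the merged credential
    return merged

def example():
    # Constructed sample credentials and configuration for illustration only.
    old = {"AZN_CRED_IP_ADDRESS": "198.51.100.7", "AZN_CRED_PRINCIPAL_NAME": "alice",
           "tagvalue_session_index": "s-1", "tagvalue_login_time": "09:00",
           "group_list": "staff", "stale_attr": "x", "old_only_refreshed": "y"}
    new = {"AZN_CRED_IP_ADDRESS": "203.0.113.9", "tagvalue_login_time": "10:30",
           "group_list": "staff,admins", "new_only": "z"}
    config = [("tagvalue_*", "preserve"), ("old_only_refreshed", "refresh")]
    return merge_credentials(old, new, config)

if __name__ == "__main__":
    for k, v in sorted(example().items()):
        print(f"{k} = {v}")
```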