Enable Action or Logon Validation Feedback

This section explains how to configure ActivID AS to send feedback when a user approves (or declines) a logon request (or an operation) on the banking application using a device with the HID Approve application.

Enable Validation Feedback using CIBA Notifications

This section explains how to configure ActivID AS to send feedback using CIBA HTTP callback notifications.

Prerequisites:

ActivID AS must be configured for push-based authentication as described in the previous sections, specifically the:
- Push Delivery Gateways
- Authentication Policies
- Device Types
- Direct user (for example, spl-api) with a defined OpenID adapter
If the external application is deployed on a server that requires HTTPS connection, make sure that the application SSL server certificate is trusted on the ActivID AS back-end server.
If your system network requires a forward proxy to perform requests externally, configure the settings of your forward proxy.

Log on to the ActivID Management Console, select the Configuration tab and, under Environment, select User Attributes.
Click Add to create a new User Attribute in which to store the CIBA callback URL (URL of the application callback endpoint).
Enter the attribute information and click Save:
- Name – it is recommended that the name be easily identifiable.
- Code – it is automatically generated but it can be changed (for example, ATR_CIBACB). The code must be unique, a minimum of three characters, and a maximum of 10 characters. It cannot be changed once the attribute is created.
- Description (optional).
To add the new attribute to the Systems User Type, select the Access Administration tab and, under User Organization, select User Types.
Click on the name of the Systems User Type and then select the User Attributes tab.

Select the check box for the user attribute you created previously and click Save.
To add a new process adapter definition, select the Configuration tab and, under Environment, select Adapters and then click Add.

This adapter is triggered when operation is approved or denied on a mobile device.

This adapter retrieves the CIBA callback URL from the attribute (ATR_CIBACB) of the direct user that initiated the operation (usually, spl-api).

It then forwards the result of the approval and the callback URL to the CIBA delivery adapter.

Configure the adapter:
- Name – mandatory and should be unique for ease of administration.
- Description – a user-friendly description of the adapter (optional).
- Adapter Type – select Process to send notifications of operational events.
- Adapter Category – select CIBA HTTP callback process Adapter the definition of the adapter.
- In the Parameters section:
  - Authentication policies codes that will trigger a notification – keep the default values (AT_TDS and AT_PASA)
  - Attribute code for push-based authentication CIBA callback URL – enter the code for the attribute you created previously
Select the Channels tab.
1. Select post-authentication as the position of the adapter.
2. Move the Mobile push-based Action and Validation channels to the Activate on channel list.
3. Click Save.
To add a new delivery adapter, under Environment, select OOB Delivery Gateway and then click Add.

This adapter notifies the application of the result by calling the CIBA callback URL of the application.
Configure the adapter:
1. Enter a Name and meaningful Description.
2. From the Delivery Provider drop-down list, select CIBA Callback Delivery Adapter.
3. Keep the default values of the parameters and click Save.
4. To test configuration, enter the callback URL (<%application URL%>/CB/getApprovalStatus) in the Test CallBack URL field, and then click Save and test connection.
5. Under Authentication, select Authentication Policies.
6. Assign this Delivery Adapter to the following authentication policies:
  - Mobile push-based Logon Validation (AT_PASA)
  - Mobile push-based Action Validation (AT_TDS)
To configure spl-api direct user, select the Help Desk tab and go to the spl-api details page (using the search function).
1. If necessary, click Display Attributes.
2. In the ATR_CIBACB field, enter the CIBA callback URL of your application.
  
  For example, with the CIBADemoPortal sample application, use the following format:
  
  <%application URL%>/CB/getApprovalStatus
  
  (https://demohidapp1.activid-as.com:8445/CIBADemoPortal/CB/getApprovalStatus)
3. If necessary, create a static password for the spl-api direct user.
Complete the configuration:

Option 1: If your application server is also configured to support JMS, see Interoperability Between JMS Notifications and HTTP Callback (CIBA).

Option 2: If your application server is not configured to support JMS (that is, a JMS Topic is not configured in the system), remove the JMS Topic notifications:
1. Under Environment, select Adapters.
2. Select the Action or logon notification adapter.
3. Remove the mobile operation channels from the Activate on channel list.
4. Click Save.

Enable Validation Feedback using JMS Notifications

This section explains how to configure ActivID AS to send feedback using JMS notifications.

The configuration uses the following internal components:

An audit adapter to send a feedback regarding mobile devices registrations.
A process adapter to send a feedback regarding operations (Logon or Action) validation.

Note:

The adapters described in this section exist by default in the dataset so you do not need to create them. You can edit the adapter configuration to specify custom channels or authentication policies.
The Application Topic Identifier attribute is should be configured when service registration and push operations are performed from an external application that relies on a direct user such as spl-api (see jms-Listener Sample).
However, if you are using the ActivID Self-Service Portal (for service registration and push-based logon operations), the JMS Topic ActivIDAuthPortal is pre-configured for the Self-Service Portal Direct user, you do not need to configure it.

Prerequisites:

If you migrated from a previous version of ActivID AS, review the configuration of the Action or Logon notification adapter and verify that the adapter is configured to activate on the push-based channels:
- Mobile push-based Logon validation channel (CH_PASA)
- Mobile push-based Action validation channel (CH_TDS)
Edit the Application Topic Identifier attribute of your direct user (spl-api). This attribute is used to compute in which topic the notifications of user approval/decline will be sent.

To enable device Action or Logon validation feedback:

Log on to the ActivID Management Console, select the Access Administration tab and, under User Organization, select User Types.
Click on the name of the Systems User Type and then select the User Attributes tab.
Select the check box for the Application Topic Identifier (ATR_TOPIC) and click Save.
Select the Configuration tab and, under Environment, select Adapters.
Create a new process adapter with the following configuration:
1. Enter a Name for the adapter.
2. Select Process as the Adapter type.
3. Select Mobile Action or Logon validation feedback Adapter as the Adapter Category.
4. Use the default parameters values (or update the authentication policies code parameter if you have defined custom authentication policies for action/logon validation).
Select the Channels tab.
Select post-authentication as the adapter’s position.

Important: The position must be ‘post-authentication’. If not, authentications will be blocked on the channel.

Move the Mobile push-based Action validation channel (CH_TDS) and Mobile push-based Logon validation channel (CH_PASA) to the Activate on channel list.
Click Save.
Configure spl-api direct user:
1. Select the Help Desk tab and go to the spl-api details page (using the search function).
2. In the Identity tab, click on the Display More Attributes link.
3. Enter the value for the JMS topic in the Application Topic Identifier field and click Save.

If you are using an external application, the Application Topic also needs to be correctly defined in the external application configuration allowing it to listen for messages (see jms-Listener Sample).

Interoperability Between JMS Notifications and HTTP Callback (CIBA)

If your application server is configured to support both JMS notifications and HTTP callback (CIBA), you can choose one of the following options:

Option 1 - Simultaneous Feedback:

Make sure that the spl-api user has a JMS Topic defined (see Configure the Push System Direct User)
The message will be delivered to the client application both through JMS notifications and CIBA Callback

Option 2 - CIBA Feedback only:

You must remove the JMS Topic notifications by editing the Action or logon notification adapter as described in Enable Validation Feedback using HTTP Callback (CIBA) Notifications
The message will be delivered to the client application through CIBA Callback only