Validate an Operation with Push

The sample to validate an operation via a push notification integrates the ActivID AS OAuth/OpenID Connect API and ActivID AS SCIM API to:

  1. Authenticate to the ActivID AS using the spl-api user.

  2. Generate an operation approval message.

  3. Request that ActivID AS send a message to the HID Approve application on the registered device.

  4. ActivID AS pushes the message to the HID Approve application through the Microsoft Windows Push Notification Service.

    You can then approve or decline the validation request using the HID Approve application.

  5. ActivID AS notifies the result of the validation (approve or decline the request) on the JMS topic.

Prerequisites:

Configure the Sample

  1. Create the truststore file in the config subfolder using the Java keytool located on your client machine in <JAVA_HOME>\bin.

    • For JBoss, retrieve <JBOSS_HOME>\ssl-server.truststore and copy it to your client system under Request-operation-validation-sample\config
    • For WebSphere:
      • Retrieve your server SSL certificate (as described in the ActivID AS installation guide).
      • Create the truststore file using Java keytool

        Copy
        keytool -import -file ssl-server.cer -alias <serverName> -keystore truststore.jks -storepass <mypassword> -noprompt
      • Where <mypassword> is the password you set to protect the certificate.

  2. Edit the <SAMPLES Path>\config\deliverChallenge.properties configuration file by updating the properties with information from your deployment.

    Property Description
    server.url The URL of your ActivID AS in the format
    https://<ActivID AS hostname>:443
    server.domain The name (ID) of the domain
    direct.user.code The ID of the OpenID client
    direct.user.password The OpenID client password (secret)
  3. Edit the <SAMPLES Path>\scripts\ script for your operating system by updating the parameters with the path and password of the truststore:

    • RequestOperationValidation.bat for Microsoft Windows

    • RequestOperationValidation.sh for Linux

Run the Sample

Prerequisites: You have successfully registered a device for your sample user.
  1. Retrieve the device ID value (did) of the registered device.

    For example, from the output of the provisioning request for the device registration sample (or using the ActivID Management Console) this value is 14780:

  2. Note: The provisioning message is available in the <SAMPLES Path>\scripts\request.txt file.
  3. Open the HID Approve Application.
  4. Open a terminal on the <SAMPLES Path>\scripts folder.

  5. Run the following command to trigger the request to send a push notification to the device:

    Copy

    On Microsoft Windows systems

    RequestOperationValidation.bat -u myuser -did <did value> -ci correlationID1234 -t testLogonMessage
    Copy

    On Linux systems

    RequestOperationValidation.sh -u myuser -did <did value> -ci correlationID1234 -t testLogonMessage
  6. Where:

    Parameter Description
    <did value> The device ID value for the registered device
    correlationID1234 A sample value for the ID of this operation
    testLogonMessage A sample value for the message that will be displayed on the HID Approve application for approval

    The script outputs the processing information and the specified device receives a notification.

  7. Click Approve to validate the request.

The sample then outputs the Status of the Request, and specifies if it is APPROVED or DENIED.

REST API Request Samples for Operation Validation

  • Search the user myTestUser1 to get its userid (13274):

    Copy
    POST https://myServer:8445/scim/ONLINEBANK/v2/Users/.search
    Headers:
    	Authorization: Bearer RTp7HwAAAWAMlL+hho0qmFlEndOxkGDGKhMOCPjA
    	Content-Type: application/scim+json
    	Accept: application/scim+json
    Body:
    	{"schemas":["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],"filter":"username eq myTestUser1"}
     
    Response: HTTP/1.1 200 OK
    Headers:
    	Cache-Control: no-cache
    	X-Powered-By: Undertow/1
    	Server: JBoss-EAP/7
    	Pragma: no-cache
    	Date: Thu, 30 Nov 2017 10:59:23 GMT
    	Connection: keep-alive
    	Strict-Transport-Security: max-age=16070400; includeSubDomains
    	X-Content-Type-Options: nosniff
    	Transfer-Encoding: chunked
    	Content-Type: application/scim+json;charset=utf-8
    	{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":1,"resources":[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:hid:scim:api:idp:2.0:UserDevice","urn:hid:scim:api:idp:2.0:UserAttribute","urn:hid:scim:api:idp:2.0:UserAuthenticator"],"id":"13274","externalId":"myTestUser1","meta":{"resourceType":"User","created":"2017-11-29T23:00:00Z","location":"https://myServer:8445/scim/ONLINEBANK/v2/Users/13274","version":"1"},"userName":"myTestUser1","active":true,"groups":[{"type":"Group","display":"Consumer Online Banking","value":"USG_CUST1","$ref":"https://myServer:8445/scim/ONLINEBANK/v2/Groups/USG_CUST1"}],"roles":[],"urn:hid:scim:api:idp:2.0:UserAttribute":{"attributes":[]},"urn:hid:scim:api:idp:2.0:UserAuthenticator":{"authenticators":[{"display":"AT_TDS","value":"13274.AT_TDS","$ref":"https://myServer:8445/scim/ONLINEBANK/v2/Authenticator/13274.AT_TDS"},{"display":"AT_PASA","value":"13274.AT_PASA","$ref":"https://myServer:8445/scim/ONLINEBANK/v2/Authenticator/13274.AT_PASA"},{"display":"AT_SMK","value":"13274.AT_SMK","$ref":"https://myServer:8445/scim/ONLINEBANK/v2/Authenticator/13274.AT_SMK"},{"display":"AT_CUSTOTP","value":"13274.AT_CUSTOTP","$ref":"https://myServer:8445/scim/ONLINEBANK/v2/Authenticator/13274.AT_CUSTOTP"}]},"urn:hid:scim:api:idp:2.0:UserDevice":{"devices":[{"display":"SN_1019003681","value":"13275","$ref":"https://myServer:8445/scim/ONLINEBANK/v2/Device/13275"}]}}]}
  • Creation of the logon validation request (value myTransactionContent  for user 13274 on authenticator of type AT_PASA for device 13275):

    Copy
    POST https://myServer:8445/scim/ONLINEBANK/v2/Authenticator/13274.AT_PASA
    Headers:
    	Authorization: Bearer RTp7HwAAAWAMlL+hho0qmFlEndOxkGDGKhMOCPjA
    	Content-Type: application/scim+json
    	Accept: application/scim+json
    Body:
    	{"schemas":["urn:hid:scim:api:idp:2.0:Authenticator","urn:hid:scim:api:idp:2.0:Action"],"id":"13274.AT_PASA","urn:hid:scim:api:idp:2.0:Action":{"schemas":["urn:hid:scim:api:idp:2.0:Action"],"attributes":[{"name":"tds","type":"string","value":"myTransactionContent","readOnly":false},{"name":"createSession","type":"string","value":"0","readOnly":false},{"name":"correlationid","type":"string","value":"123456789","readOnly":false},{"name":"DEVICE.ID","type":"string","value":"13275","readOnly":false}],"action":"DELIVER-CHALLENGE"}}
     
    Response: HTTP/1.1 200 OK
    Headers:
    	Cache-Control: no-cache
    	X-Powered-By: Undertow/1
    	Server: JBoss-EAP/7
    	Pragma: no-cache
    	Date: Thu, 30 Nov 2017 10:59:24 GMT
    	Connection: keep-alive
    	Strict-Transport-Security: max-age=16070400; includeSubDomains
    	X-Content-Type-Options: nosniff
    	Transfer-Encoding: chunked
    	Content-Type: application/scim+json;charset=utf-8
    	{"schemas":["urn:hid:scim:api:idp:2.0:Action"],"attributes":[{"name":"CHALLENGE","type":"string","value":"eyJ6aXAiOiJERUYiLCJraWQiOiJLRVkxIiwiY3R5IjoidGV4dFwvcGxhaW4iLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiY29udGFpbmVyaWQiOiIyIiwidmVyc2lvbiI6InY2IiwiYWxnIjoiZGlyIiwiY2lkIjoxMzI4OX0..5uY-eQRZyzGMhWR5G-I9uQ.urP9G2mbHYyLnDIJaM7s2HLsh97SwHAwmsr9qKkkm6YVZOSS-X3s2yE_o2CzHg4hF3seXG0jTI7UD0kS7c6fovaY0azaYHrJyeWLg22ghWk.wGetw2zz-0jiA8VsIMzvi8rQ7zsbnCEYfGNH8loAe0g","readOnly":false},{"name":"CHALLENGE.ID","type":"string","value":"13289","readOnly":false},{"name":"REQUEST.STATUS","type":"string","value":"1","readOnly":false},{"name":"REQUEST.REASON","type":"string","value":"-1","readOnly":false},{"name":"REQUEST.ERROR_MESSAGE","type":"string","readOnly":false}]}