Creating New Application
To create an application, the administrator registers one or more Re-direct URLs for the application. This is a security control: the authentication server delivers the authorization code only to a registered URL.
Field | Description |
---|---|
Name | Name of the application. |
Re-direct URL (optional) | A URL of the application to which the authentication server redirects the user, along with the authorization code, once the user has completed authentication. You can enter multiple URLs separated by commas. |
Client secret | Password, JWT or mTLS certificate used for Client/Application authentication. |
Microsoft tenant ID | A unique identifier associated with your Microsoft Entra ID application. Typically this ID is in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. |
Authentication journey | The Authentication journey feature lets you manage the authentication workflow configuration for applications. Refer to Configuring Authentication Journey for more details. |
Brand | You can give your application a custom look by selecting your customized brand. Create a customized brand based on the default brand theme (logo, background color, and background image) to match your company’s branding. Refer to Customizing the Brand and Content for more details. |
Privileged role | The role assigned to the client/application to perform certain operations. The privileged role is the RL_CLIENTIDM2M role. |
Refresh token (optional) | A token that can be used to obtain a new access token. |
Token duration (seconds) | The validity period of the refresh token. Must be between 100 and 3600 seconds. |
Scopes | A scope is a group of user claims that limits the access granted to an access token. Scopes can be customized to customer requirements and can include custom attributes. For more details about Scopes, refer to Using OPENID Scopes. |
Client ID | A unique identifier for the client or user. The Client ID is auto-generated. |
Discovery endpoint | The URL of the 'Well-known' endpoint for your tenant. The Discovery endpoint is auto-generated. |
To create an application (client), follow the procedure below for the relevant application type.
Creating New API Integration Application
API Integration applications are used for user authentication and for managing the user identity lifecycle and identity information.
- Click Applications in the left navigation bar to open the Applications page.
- Click ADD APPLICATION, select the API Integration option and then click NEXT.
- The Add API Integration page opens. Enter Name and Re-direct URL (optional).
  Note: For details of the fields shown below, refer to Fields used to create an application.
- Select one of the Client secret options (Password/JWT/mTLS). By default, Password is selected.
  If you want to use a certificate for Client/Application authentication, click the JWT or mTLS radio button and upload a certificate by drag-and-drop or by browsing the local file explorer.
  Note: If the certificate is not trusted, the error message “No issuer certificate for certificate in certification path found” is displayed. To resolve this error, upload a certificate chain as follows:
  - Import a certificate chain which includes root, intermediate, and end-entity (user) certificates. The root certificate is mandatory for mTLS and optional for JWT.
  - The certificate chain must start with the root certificate, followed by the intermediate certificate(s) and then the end-entity certificate. The chain can contain any number of intermediate certificates.
  - Each certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- (Optional) Switch on the Privileged role toggle button to assign the privileged role to the application.
  Note: The privileged role is the RL_CLIENTIDM2M role; the non-privileged role is the RL_OPENIDCLIENT role.
- (Optional) To enable automatic refresh of the access token, switch on the Refresh token toggle button. You will be prompted to enter the Token duration (must be between 100 and 3600 seconds).
- The script for the Scopes field depends on the application's configuration requirements. For example: {"scopes":["openid","profile"]}.
  For more details about Scopes, refer to Using OPENID Scopes.
- Click SAVE to save the new application and add it to the list of applications.
  Note:
  - After saving the new application, the API Integration page opens with the automatically generated Client ID; you can copy it using the copy icon.
  - If Password is selected as your Client secret, it is generated automatically; you can copy it using the copy icon.
  - If a JWT or mTLS certificate is selected as your Client secret, you can view the details of your existing certificate by clicking VIEW CERTIFICATE.
Creating New Entra ID EAM Application
The HID Authentication Service integrates seamlessly with Microsoft® Entra ID, providing a robust External Authentication Method (EAM) for federated authentication.
Configure the authentication journey workflow for the Microsoft® Entra ID EAM application so that users can securely access protected applications from Microsoft® Windows workstations using HID authenticators, including existing contactless cards.
- Click Applications in the left navigation bar to open the Applications page.
- Click ADD APPLICATION, select the Entra ID EAM Application option and then click NEXT.
- The Add Entra ID EAM Application page opens. Enter Name, Re-direct URL (optional), and Microsoft tenant ID.
  Note: For details of the fields shown below, refer to Fields used to create an application.
- From the Authentication journey drop-down list, select an applicable workflow that uses a contactless card as an authenticator. Refer to Configuring Authentication Journey for details.
- From the Brand drop-down list, select an applicable brand. Refer to Customizing the Brand for details.
  Note: By default, the "Default" custom brand is selected automatically.
- Click SAVE to save the new application and add it to the list of applications.
Creating New OpenID Federated Application
Configure the authentication journey workflow for an OpenID Federated Application to authenticate users and to manage the user identity lifecycle and identity information.
- Click Applications in the left navigation bar to open the Applications page.
- Click ADD APPLICATION, select the OpenID Federated Application option and then click NEXT.
- The Add OpenID Federated Application page opens. Enter Name and Re-direct URL (optional).
  Note: For details of the fields shown below, refer to Fields used to create an application.
- Select one of the Client secret options (Password/JWT/mTLS). By default, Password is selected.
  If you want to use a certificate for Client/Application authentication, click the JWT or mTLS radio button and upload a certificate by drag-and-drop or by browsing the local file explorer.
  Note: If the certificate is not trusted, the error message “No issuer certificate for certificate in certification path found” is displayed. To resolve this error, upload a certificate chain as follows:
  - Import a certificate chain which includes root, intermediate, and end-entity (user) certificates. The root certificate is mandatory for mTLS and optional for JWT.
  - The certificate chain must start with the root certificate, followed by the intermediate certificate(s) and then the end-entity certificate. The chain can contain any number of intermediate certificates.
  - Each certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- From the Authentication journey drop-down list, select an applicable authentication journey workflow. Refer to Configuring Authentication Journey for details.
- From the Brand drop-down list, select an applicable brand. Refer to Customizing the Brand for details.
  Note: By default, the "Default" custom brand is selected automatically.
- (Optional) Switch on the Privileged role toggle button to assign the privileged role to the application.
  Note: The privileged role is the RL_CLIENTIDM2M role; the non-privileged role is the RL_OPENIDCLIENT role.
- (Optional) To enable automatic refresh of the access token, switch on the Refresh token toggle button. You will be prompted to enter the Token duration (must be between 100 and 3600 seconds).
- The script for the Scopes field depends on the application's configuration requirements. For example: {"scopes":["openid","profile"]}.
  For more details about Scopes, refer to Using OPENID Scopes.
- Click SAVE to save the new application and add it to the list of applications.
  Note:
  - After saving, the OpenID Federated Application page opens with the automatically generated Client ID; you can copy it using the copy icon.
  - If Password is selected as your Client secret, it is generated automatically; you can copy it using the copy icon.
  - If a JWT or mTLS certificate is selected as your Client secret, you can view the details of your existing certificate by clicking VIEW CERTIFICATE.
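The certificate chain rules given in the JWT/mTLS step above, and identically in the API Integration procedure, can be checked before the bundle is uploaded, which avoids the "No issuer certificate for certificate in certification path found" error. The following Python script is an added example and is not part of the HID Authentication Service documentation or product. It splits a PEM bundle into certificates, parses only enough DER to read each certificate's issuer and subject Names, and verifies that the bundle starts with a self-signed root (required for mTLS, optional for JWT) and that every certificate was issued by the one before it. The certificates it builds for its own demonstration are constructed, unsigned skeletons with the standard X.509 field layout; the helper names (`check_chain`, `sample_cert`) are the example's own, not the product's.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Return the raw DER-encoded (issuer, subject) Names of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)             # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)             # validity
    start = pos
    _, _, pos = _tlv(tbs, pos)             # subject Name
    return issuer, tbs[start:pos]


def check_chain(pem_text, require_root=True):
    """Return a list of problems; an empty list means the bundle meets the upload rules."""
    problems = []
    text = pem_text.strip()
    if not text.startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("bundle must start with -----BEGIN CERTIFICATE-----")
    if not text.endswith("-----END CERTIFICATE-----"):
        problems.append("bundle must end with -----END CERTIFICATE-----")
    certs = [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]
    if not certs:
        return problems + ["no certificate blocks found"]
    names = [issuer_and_subject(c) for c in certs]
    issuer, subject = names[0]
    if issuer != subject and require_root:
        problems.append("first certificate is not self-signed; the chain must start with the root certificate")
    for i in range(1, len(names)):
        # Each certificate's issuer Name must equal the previous certificate's subject Name.
        if names[i][0] != names[i - 1][1]:
            problems.append(f"certificate {i + 1} was not issued by certificate {i}; chain order is broken")
    return problems


def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample certificates."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue; commonName OID 2.5.4.3
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def sample_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton for demonstration only; not a real certificate."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                    # version v3
               + _der(0x02, b"\x01")                                              # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))  # validity
               + _name(subject_cn))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))                # empty signature placeholder
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed chain in the required order: root, intermediate, end-entity.
    good = (sample_cert("Example Root CA", "Example Root CA")
            + sample_cert("Example Intermediate CA", "Example Root CA")
            + sample_cert("client-app.example", "Example Intermediate CA"))
    print("mTLS bundle:", check_chain(good) or "OK")
    # The same material uploaded with the end-entity certificate first.
    wrong = sample_cert("client-app.example", "Example Intermediate CA") + sample_cert("Example Root CA", "Example Root CA")
    print("reversed bundle:", check_chain(wrong))
```

Run it against a real bundle with `check_chain(open("chain.pem").read())`, passing `require_root=False` for a JWT upload without a root. The script checks PEM framing and issuer/subject ordering only; it does not verify signatures or validity dates, so run `openssl verify` against the chain as well before relying on it.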
Creating New RADIUS Application
RADIUS applications are used for remote user authentication.
- Click Applications in the left navigation bar to open the Applications page.
- Click ADD APPLICATION, select the RADIUS Application option and then click NEXT.
- The Add RADIUS Application page opens. Enter the Name and Re-direct URL (optional).
  Note: For details of the fields shown below, refer to Fields used to create an application.
- By default, Password is selected as the Client secret.
- (Optional) Switch on the Privileged role toggle button to assign the privileged role to the application.
  Note: The privileged role is the RL_CLIENTIDM2M role; the non-privileged role is the RL_OPENIDCLIENT role.
- Click SAVE to save the new application and add it to the list of applications.
  Note: After saving, the RADIUS Application page opens with the automatically generated Client ID and Client secret password; you can copy them using the copy icon.