Creating New Application

In order to create an application, the administrator needs to register one or more Re-direct URLs for the application for security purposes.

Note: To configure the application and its related activities, the administrator needs the required endpoint URLs. Refer to Viewing Well-known Endpoints for more details.
Note: To know more about the REST API support provided for clientID, visit Integrating the HID Authentication Service APIs.
Field Description
Name

A unique name to identify the Application in the authentication service.
Re-direct URL

An URL for an application where authentication server redirects the user, along with the authorization code, once authentication is completed from the user.

You can enter multiple URLs separated by a comma.

Logout URL

(Optional)

An URL for an application where authentication server redirects the user after logging out.

You can enter multiple URLs separated by a comma.
Client secret

Password or JWT or mTLS certificate for Client/Application authentication.
Microsoft tenant ID

This is a unique identifier associated with your Microsoft Entra ID application.

Typically this ID should be in the format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Authentication journey

The Authentication journey is a feature where you can manage the authentication workflow configuration for applications.

Refer to Configuring Authentication Journey for more details.
Brand

You can display your brand or a custom look of your application by selecting your customized brand.

Create a customized brand based on the default brand theme such as logo, background color, and background image to match your company’s branding. Refer to Customizing the Brand and Content for more details.
Privileged role

The role assigned for the client/application to perform certain operations.

The privileged role is RL_CLIENTIDM2M role.
Refresh token (optional) A type of token that can be used to get new access token.
Token duration (seconds) The time period or validity of the refresh token. Must be between 100 and 3600 seconds.
Scopes

Scope is a group of user claims which provides a way to limit the amount of access that is granted to an access token. Scopes can be customized based on customer requirement, It can include the custom attributes as well.

For more details about Scopes, refer to Using OPENID Scopes.
Claims

Claims allow the client to trust user attributes by supplying authenticated user details such as user group, user type, email, name, and mobile number etc upon request.

For OpenID Connect, scopes can be used to request that specific sets of information be made available as Claim Values.

Client ID

An unique identifier for the client or user.

Client ID is auto-generated.

Discovery endpoint

The URL of the 'Well-known' endpoint for your tenant.

Discovery endpoint is auto-generated.

To create an application (client), follow the below procedures based on the types of application.

Creating New Service API Integration Application

Service API integration applications are used for user authentication, managing the user identity lifecycle and identity information. Securely integrate your backend service or application with our API using the Client Credentials.

You can create an M2M client for secure, automated API access using the Client Credentials flow.

  1. Sign in to Administration portal.

  2. Click Applications in the left navigation bar to open the Applications page.

  3. Click ADD APPLICATION, select Service API Integration option and then click NEXT.

  4. Add Application page opens, enter the Name of the service API integration application.

    Note: For details of these below shown fields, refer to Fields used to create an application.

  5. Enable/Disable the Privileged role toggle button to assign the application with full privileged role or least privileged role.

  6. To get the automatic new access token, enable the Refresh token toggle button. You will be prompted to enter the Token duration (must be between 100 and 3600 seconds).

  7. You can select any one of the Client secret (Password/JWT/mTLS). By default, Password is selected.

    If you want to use certificate for Client/Application authentication, then click JWT or mTLS radio button and upload a certificate by drag-and-drop or by browsing to local file explorer.

    Note:

    If the certificate is not trusted, an error message is displayed “No issuer certificate for certificate in certification path found”.

    In order to solve this error, upload a certificate chain as follows:

    • Import a certificate chain which includes root, intermediate, and end-entity (user) certificates. Root certificate is mandatory for mTLS and optional for JWT.

    • The certificate chain must start with root certificate and then intermediate certificate followed by end-entity certificate. The certificate chain can contain number of intermediate certificates.

    • The format of the certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  8. The HID Authentication Service push-based authentication solution (HID Approve) supports the Client Initiated Backchannel Authentication (CIBA) method for client applications to receive feedback regarding the end user’s actions.

    The CIBA feedback method can be configured by setting the parameter to poll or push (callback):

    • Polling:The client retrieves the authentication result by polling the HID Authentication Service token endpoint URL using the authentication request ID.

    • Callback: Receive HID Approve authentication status updates via a callback to the specified URL.

    Using the authentication request ID, HID Authentication Service sends the feedback via the CIBA callback URL defined for your OpenID client.

  9. The Scopes allow you to control the data that is returned to your application when using OpenID endpoints. Create your Scopes for the Application configuration based on your requirements.

    You may use both the default and custom attributes to configure scopes. The 'Open ID' and 'Profile' scopes are the default scopes that the HID Authentication service implicitly defines:

    • Open ID is the default scope for any OpenID endpoint.

    • Profile is to be used to fetch data about the user's profile (basically used to get an ID Token along with an access token).

    For advanced scope configurations, edit the JSON using the EDIT JSON button.

    Note: For more details about configuring the scopes and advanced scopes, refer to Using OPENID Scopes.

  10. For OpenID Connect, scopes can be used to request that specific sets of information be made available as "Claim" values.

    You can add claims (default and custom) to the existing scopes to meet the specific client requirements. Refer to Adding Claim in the existing Scopes for instructions on how to add claims.

    If required, you can delete the already added claims by clicking delete icon ().

  11. Click CONSENT MANAGEMENT button and enable the Consent toggle button if your applications require explicit user consent to retrieve user data (claims) within the specified scopes.

    If required, you can update the user prompt for Open ID and Profile scopes. Click SAVE to save the changes.

  12. Click SAVE to save the new application and added into the list of applications.

    Note:

    • After saving the new application, view application page opens in which the Client ID is automatically generated, you can copy it using the copy icon.

    • If Password is selected as your Client secret, an auto-generated password will be created, you can copy it using the copy icon.

    • If JWT or mTLS certificate is selected as your Client secret, you can view the details of your existing certificate by clicking VIEW CERTIFICATE.

Creating New Microsoft Entra ID EAM Application

The HID Authentication Service seamless integration with Microsoft® Entra ID, providing a robust External Authentication Method (EAM) for federated authentication.

Configure the authentication journey workflow with Microsoft® Entra ID EAM application to securely access protected applications from Microsoft® Windows workstations using HID authenticators, including existing contactless cards.

Note: For configuration and integration process, refer to Configuring Support for Microsoft Entra ID.

  1. Sign in to Administration portal.

  2. Click Applications in the left navigation bar to open the Applications page.

  3. Click ADD APPLICATION, select Microsoft Entra ID EAM option and then click NEXT.

  4. Add Application page opens, enter Name, Re-direct URL, and Microsoft tenant ID.

    Note: For details of these below shown fields, refer to Fields used to create an application.

  5. From the Authentication journey drop-down list, select an applicable workflow that uses contactless card as an authenticator. Refer to Configuring Authentication Journey for details.

  6. From the Brand drop-down list, select an applicable brand configuration to apply to this application's login experience. Refer to Customizing the Brand for details.

    Note: By default, the "Default" custom brand will be selected automatically.

  7. Click SAVE to save the new application and added into the list of applications.

    Note:

    • After saving the new application, please wait for a few minutes to open a pop-up Your Microsoft Entra ID Summary page, which will provide information about Client ID and Discovery endpoint.

    • The Client ID and Discovery endpoint are auto-generated, you can copy them using the copy icon for use during integration with Microsoft Entra ID.

Creating New Web Application

Configure the authentication journey workflow with Web Application to authenticate the user authentication, managing the user identity lifecycle and identity information.

You can enable user logins for your web applications with OpenID Connect (OIDC) using the authorization code flow.

Note: The Web Applications are for new applications only, not for the existing customer created applications.

  1. Sign in to Administration portal.

  2. Click Applications in the left navigation bar to open the Applications page.

  3. Click ADD APPLICATION, select Web Application option and then click NEXT.

  4. Add Application page opens, enter Name, Re-direct URL, and Logout URL (optional).

    Note: For details of these below shown fields, refer to Fields used to create an application.

  5. You can select any one of the Client secret (Password/JWT/mTLS). By default, Password is selected.

    If you want to use certificate for Client/Application authentication, then click JWT or mTLS radio button and upload a certificate by drag-and-drop or by browsing to local file explorer.

    Note:

    If the certificate is not trusted, an error message is displayed “No issuer certificate for certificate in certification path found”.

    In order to solve this error, upload a certificate chain as follows:

    • Import a certificate chain which includes root, intermediate, and end-entity (user) certificates. Root certificate is mandatory for mTLS and optional for JWT.

    • The certificate chain must start with root certificate and then intermediate certificate followed by end-entity certificate. The certificate chain can contain number of intermediate certificates.

    • The format of the certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  6. From the Authentication journey drop-down list, select an applicable authentication journey workflow. Refer to Configuring Authentication Journey for details.

  7. From the Brand drop-down list, select an applicable brand configuration to apply to this application's login experience. Refer to Customizing the Brand for details.

    Note: By default, the "Default" custom brand will be selected automatically.

  8. Enable/Disable the Privileged role toggle button to assign the Application with full privileged role or least privileged role.

  9. To get the automatic new access token, enable the Refresh token toggle button. You will be prompted to enter the Token duration (must be between 100 and 3600 seconds).

  10. The Scopes allow you to control the data that is returned to your application when using OpenID endpoints. Create your Scopes for the application configuration based on your requirements.

    You may use both the default and custom attributes to configure scopes. The 'Open ID' and 'Profile' scopes are the default scopes that the HID Authentication service implicitly defines:

    • Open ID is the default scope for any OpenID endpoint.

    • Profile is to be used to fetch data about the user's profile (basically used to get an ID Token along with an access token).

    For advanced scope configurations, edit the JSON using the EDIT JSON button.

    Note: For more details about configuring the scopes and advanced scopes, refer to Using OPENID Scopes.

  11. For OpenID Connect, scopes can be used to request that specific sets of information be made available as "Claim" values.

    You can add claims (default and custom) to the existing scopes to meet the specific client requirements. Refer to Adding Claim in the existing Scopes task for instructions on how to add claims.

    If required, you can delete the already added claims by clicking delete icon ().

  12. Click CONSENT MANAGEMENT button and enable the Consent toggle button if your applications require explicit user consent to retrieve user data (claims) within the specified scopes.

    If required, you can update the user prompt for Open ID and Profile scopes. Click SAVE to save the changes.

  13. Click SAVE to save the new application and added into the list of applications.

    Note:

    • After saving the new application, view application page opens in which the Client ID is automatically generated, you can copy it using the copy icon.

    • If Password is selected as your Client secret, an auto-generated password will be created, you can copy it using the copy icon.

    • If JWT or mTLS certificate is selected as your Client secret, you can view the details of your existing certificate by clicking VIEW CERTIFICATE.