Integrating with Ory

Prerequisites: Before configuring the service, you must have:
  • A valid license for Ory services

  • The Administrator or Device Service Administrator role

    Alternatively, you can use a custom role with the Create Configuration privilege for Ory.

Create a Client Application

  1. Log on to the Ory Console (https://console.ory.sh/) as an administrator for your Ory workspace and select the required project.

  2. Select OAuth 2 in the top menu and then select Clients and applications in the left menu.

  3. Select Create a new client or edit an existing custom application.

  4. Select the Custom template and click Next.

  5. Define the application's Request data parameters:

    • Client name - enter a name for your application

    • Scope - enter the following scopes:

      • offline_access

      • offline

      • openid

  6. Define the application's Supported OAuth2 flows:

    • Grant types - select Client credentials

    • Response types - select Access token

    • Access token type - select Inherit from global configuration

  7. In the application's Client authentication mechanism parameters, select HTTP Body as the Authentication Method.

  8. Click Create.

  9. Make a note of the Issuer URL (later referred to as the API Endpoint) which Customer Central will use as the base URL to communicate with the Ory Network APIs for user identity management.

    For further information, see SDK configuration | Ory documentation.

    Note: This information is required when configuring the connection to Ory in Customer Central.

Generate an API Key

The API Key (Personal Access Token) allows Customer Central to interact with the administrative Ory APIs on behalf of your project.

  1. In the Ory Console, select Project settings in the top menu and then select API Keys in the left menu.

  2. Select Create new API key.

  3. Enter a descriptive name for the key and click Create.

  4. Make a note of the key as it is required when configuring the connection to Ory in Customer Central.

Note: This key is displayed only at the time of generation and cannot be viewed again.

If you do not know the key's value, delete the original key and then generate a new key.

For further information, see Ory Network API Keys | Ory Documentation.

Create the Identity Schema

The Identity Schema allows you to define the mapping between the user data (such as names and email addresses) in your Ory project and the attributes that define a user's identity when provisioning passkeys in Customer Central.

  1. In the Ory Console, select User management in the top menu and then select Identity schema in the left menu.

  2. Create a schema with a descriptive name and the required traits (attributes) to map to the Passkey Management user fields:

    For example:

    • Username - either traits.username or traits.email

    • Display Name - either traits.name or a custom traits.display_name

  3. Click Save.

  4. Make a note of the schema ID as it is required when configuring the connection to Ory in Customer Central.

For further information, see Identity schema | Ory Documentation.
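
A pre-check of an identity schema against the trait paths named above, added here as an example; it is not code from this documentation, from Ory, or from Customer Central. The sample schema, its $id, and the function names are constructed for illustration. A trait that the schema does not mark as required can be empty for some users, so required traits are listed first.

```python
import json
# Constructed sample in the Ory identity schema (JSON Schema) layout; not from the page.
SAMPLE_SCHEMA = json.loads("""
{
  "$id": "https://example.com/schemas/passkey-user.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {"type": "string", "format": "email"},
        "name": {"type": "string"},
        "display_name": {"type": "string"}
      },
      "required": ["email"]
    }
  }
}
""")

# Candidate trait paths per user field, taken from the examples on this page.
CANDIDATES = {
    "Username": ["traits.username", "traits.email"],
    "Display Name": ["traits.name", "traits.display_name"],
}

def describe_trait(schema, dotted_path):
    """Return the leaf's type and required flag, or None if the path is absent."""
    node, required = schema, False
    for part in dotted_path.split("."):
        if part not in node.get("properties", {}):
            return None
        required = part in node.get("required", [])
        node = node["properties"][part]
    return {"type": node.get("type"), "required": required}

def plan_mapping(schema, candidates=CANDIDATES):
    """Per user field, list usable string traits, schema-required ones first."""
    plan = {}
    for field, paths in candidates.items():
        found = [(p, describe_trait(schema, p)) for p in paths]
        usable = [(p, d["required"]) for p, d in found if d and d["type"] == "string"]
        plan[field] = sorted(usable, key=lambda item: not item[1])
    return plan

if __name__ == "__main__":
    for field, usable in plan_mapping(SAMPLE_SCHEMA).items():
        print(field, usable or "no matching trait in schema")
```
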

Configure the Connection to Ory

Before you can provision and enroll FIDO devices for your users, you must configure the connection between your Ory application and Customer Central.

Prerequisites: To configure the directory, you must have:
  • A valid license for the FIDO Provisioning service

    To purchase new licenses or renew existing ones, contact your HID Account Manager.

  • The Administrator or Device Service Administrator role

    Alternatively, you can use a custom role with the Create Configuration privilege for Ory.

  • Created the application in Ory, created the API key and defined the identity schema for the service

  • The following information that was obtained when you prepared your Ory project above:

    • API endpoint - the URL to communicate with the Ory Network APIs for user identity management

      This is the same as the Issuer URL generated when you created the application and can be retrieved from the Project settings in the Ory Console.

    • API Key - the key allowing Passkey Management to interact with the administrative Ory APIs on behalf of your project

      Note: This key is only displayed when generated and cannot be displayed again.

      If you do not know the key's value, delete the original key and then generate a new key.

      For further information, see Ory Network API Keys | Ory Documentation.

    • Identity schema ID - the identifier for the identity schema you created to map the user attributes

  1. Sign in to Customer Central.

  2. Expand Service Settings in the left menu and select Directory Configuration.

  3. Click NEW.

  4. Select Ory as the directory type and click CONTINUE.

  5. Enter a Configuration name for the configuration.

  6. Enter the following information:

    • API Endpoint - the URL to communicate with the Ory Network APIs for user identity management

      This is the same as the Issuer URL generated when you created the application and can be retrieved from the Project settings in the Ory Console.

    • API Key - the key allowing Passkey Management to interact with the administrative Ory APIs on behalf of your project

      Note: This key is only displayed when generated and cannot be displayed again.

      If you do not know the key's value, delete the original key and then generate a new key.

      For further information, see Ory Network API Keys | Ory Documentation.

  7. Click CONNECT.

    Customer Central verifies that the configuration is correct and fetches the identity schemas configured in your Ory project.

  8. Select the Identity Schema that you created in the Ory Console.

  9. Map the schema's trait attributes to the corresponding user fields.

    For example:

    • Username - either traits.username or traits.email

    • Display Name - either traits.name or a custom traits.display_name

    Note: If you do not select a Display Name attribute, you can define the format of the display name using the First, Middle, or Last Name attributes.

    A preview of the display name is automatically generated.

  10. Click Add.

Customer Central is now connected to your Ory application and your users are available for provisioning.

Test a Connection

Prerequisites: You must have the Administrator, Device Service Administrator, or View Only role.
Alternatively, you can use a custom role with the Test Configuration privilege for the directory type.

  1. Sign in to Customer Central.

  2. Expand Service Settings in the left menu and select Directory Configuration.

  3. Click the menu icon for the configuration and select Test Connection.

Edit a Configuration

Prerequisites: You must have the Administrator or Device Service Administrator role.
Alternatively, you can use a custom role with the Edit Configuration privilege for the directory type.

  1. Sign in to Customer Central.

  2. Expand Service Settings in the left menu and select Directory Configuration.

  3. Click the menu icon for the configuration and select Edit.

    Note: The UPDATE button is unavailable until you have entered the required information.

    You can update the:

    • Configuration Name

    • API Key - the key allowing Passkey Management to interact with the administrative Ory APIs on behalf of your project

      Note: This key is only displayed when generated and cannot be displayed again.

      If you do not know the key's value, delete the original key and then generate a new key.

      For further information, see Ory Network API Keys | Ory Documentation.

  4. Edit the configuration as required and click UPDATE.

Delete a Configuration

Prerequisites:
  • You must have the Administrator or Device Service Administrator role

    Alternatively, you can use a custom role with the Delete Configuration privilege for the directory type.

  • You can only delete a configuration if there are no associated pending provisioning requests

    Complete or delete the requests before deleting the configuration.

  1. Sign in to Customer Central.

  2. Expand Service Settings in the left menu and select Directory Configuration.

  3. Click the menu icon for the configuration and select Delete.

  4. Enter permanently delete in the field and click CONFIRM.