Applications (HIDApprove) REST API

GET

Read

/configuration/{tenant}/v2/Application/HIDApprove

Retrieve the list of all HIDApprove Applications

GET

Read

/configuration/{tenant}/v2/ Application/HIDApprove/{uid}

Retrieve a HIDApprove Application

POST

Create

/configuration/{tenant}/v2/ Application/HIDApprove

Create a HIDApprove Application

PUT

Replace

/configuration/{tenant}/v2/ Application/HIDApprove/{uid}

Fully replace a known HIDApprove Application

DELETE

Delete

/configuration/{tenant}/v2/ Application/HIDApprove/{uid}

Delete a HIDApprove Application

schemas

• urn:hid:scim:api:idp:2.0:application:HIDApprove

• urn:hid:scim:api:idp:2.0:application:HIDApprove:APP

Schemas of the application

Possible values:

• urn:hid:scim:api:idp:2.0:application:HIDApprove

• One of:

  • urn:hid:scim:api:idp:2.0:application:HIDApprove:APP

  • urn:hid:scim:api:idp:2.0:application:HIDApprove:SDK

The schema, if used, MUST be consistent with the extension used.

If you want to use the:

• APP extension - you do not need to put any schema in the list of schema. APP extension is the default one.

• SDK extension AND want to use the default parameter, you MUST put urn:hid:scim:api:idp:2.0:application:HIDApprove:SDK in the schema list

id

None

Unique ID of the application

• Mandatory for POST

• MUST NOT contains ANY special characters (including underscores "_", spaces, "-", "\"etc...)

• Can be alphanumeric upper and lowercase.

• Maximum length is 25 characters

• Returned by POST / GET / PUT

name

None

Common name of the application

• Mandatory for POST

• Maximum length is 100 characters

• This is the ONLY required parameter for the minimal payload

notes

None

Description of the application

Maximum length is 500 characters

deviceTypeCode

None

Unique Device type created for the push application

• Returns a value with the maximum length of 30 characters

• The value is auto-generated based on the application ID if it is not present

• The value is fixed and will be <application_id>_DTX

  Where X is the index of the latest device type created + 1 (first X will be 1 for a dedicated application)

  For example, idapp_DT_1

deviceAuthenticationTypeCode

None

Unique Authentication shared policy for device authentication of the application

• Returns a value with the maximum length of 30 characters

• The value is auto-generated based on the application ID if it is not present

• The value is fixed and will be <application_id>_SHARED_ATX

  Where X is the index of the latest device type created + 1 (first X will be 1 for a dedicated application)

  For example, idapp_AT1

maximumDevicePerUser

5

The maximum number of this type of device that can be assigned to a user.

opMode

default

Operation mode used

Possible values:

• default

• fips_strict

• fips_devbinding

keysRefreshPeriod

365

Validity of keys before renewal

challengeLength

8

Default value for challenge length of each OCRA credential

This value is READ ONLY and is returned based on the challengeLength of the first OATH OCRA CHALLENGE_RESPONSE SIGNATURE OCRA suite encountered

If no OCRA suites are provided, the default value will be used as a placeholder

registrationSecret

See RegistrationSecret Payload

Registration parameters for QR code information secret

rules

See Rules Payload

Rules for provisioning and authentication

containersProtectionPolicy

See ContainersProtectionPolicy Payload

Configuration of containers protection policy

oathKeys

See OATHKey Payload

OATH credentials configuration

Array of OATHKey object

publicKeys

See PublicKey Payload

PUSH PKI credentials configuration

Array of PKIKEY

urn:hid:scim:api:idp:2.0:application:HIDApprove:APP

OR

urn:hid:scim:api:idp:2.0:application:HIDApprove:SDK

HIDApproveAPPExtension

Extension for this application

Only one of the extensions is supported

See HIDApproveAPPExtension Payload and HIDApproveSDKExtension Payload

registrationAuthenticationTypeCode

None

Unique Authentication Policy created for the push application device registration.

• Returns a value with the maximum length of 30 characters

• The value is auto-generated based on the application ID if it is not present

• The value is fixed and will be <application_id>_ATX

  Where X is the index of the latest device type created + 1 (first X will be 1 for a dedicated application)

  For example, idapp_AT1

length

10

QR code secret length: mobile/device authentication for registration, kdflen parameter on Devicetype

charset

ALPHA

Alphanumeric only or ASCII with a length of 94 characters

Possible values are :

• ALPHA

• ASCII

validityPeriod

1200

Validity of QR code secret

retries

1

Number of times the QR code secret can be used for registration

registrationCredTypeCode

None

Unique Registration Credential Type code

The value is auto-generated based on the application ID if it is not present

registrationDeviceTypeCode

None

Unique Registration Device Type code

The value is auto-generated based on the application ID if it is not present

version

1

Version of the rules

provisioning

List of provisioning rules

authentication

None

List of authentication rules

ruleid

See Rules Payload

Unique ID for the rule

phonestates

See Rules Payload

A list of platform characteristics containing one or more of the optional parameters

See PhoneStates payload

outcome

See Rules Payload

Outcome of the rule

message

See Rules Payload

Message for the rule

bioclass

See Customize the HID Approve Application

Biometric class for authentication

os

Android

The targeted operating system

Possible values are:

• Android

• iOS

• macOS

• Windows

osversion

See Customize the Devices Allowed for Service Registration

The major version of the targeted OS

isRooted

true

The rooted/jailbroken state of the mobile device (Android and iOS only)

Possible values are:

• true

• false

keystore

sw

The key store mode (Android only)

Possible values are:

• sw for software

• hw for hardware

minosversion

None

Minimum OS version

maxosversion

None

Maximum OS version

type

biometricorpassword

Type of key protection

Possible values:

• password

• device

• devicelockorpassword

• biometricorpassword

lockPolicy

See LockPolicy Payload

Lock policy settings

passwordPolicy

See PasswordPolicy Payload

Password policy settings

cachingPolicy

See CachingPolicy Payload

Caching policy settings

type

Delay

Type of lock policy

Possible values are:

• Delay

• NoLock

• Lock

• SILENT

initialDelay

2

Initial delay for lock policy

maxCounterValue

6

Maximum counter value for lock policy

minLength

8

Minimum length for password

maxLength

64

Maximum length for password

restriction

See PasswordPolicyRestrictions Payload

Password restrictions

historyPolicy

See HistoryPolicy Payload

Password history policy

minUpperCase

0

Minimum number of uppercase letters

minLowerCase

0

Minimum number of lowercase letters

minNumeric

0

Minimum number of numeric characters

minAlpha

0

Minimum number of alphabetic characters

minNonAlpha

0

Minimum number of non-alphabetic characters

maxUpperCase

64

Maximum number of uppercase letters

maxLowerCase

64

Maximum number of lowercase letters

maxNumeric

64

Maximum number of numeric characters

maxAlpha

64

Maximum number of alphabetic characters

maxNonAlpha

64

Maximum number of non-alphabetic characters

sequence

deny

Allow or deny sequence of number / characters

Possible values are:

• allow

• deny

A sequence is a determined suite of numbers (1234 or 4321 or 1357) or letters (abc or ABC or aBc or cba)

maxHistory

1

Maximum number of previous passwords to remember

minAge

0

Minimum age for password reuse

maxAge

0

Maximum age for password reuse

enabled

true

Whether caching is enabled

timeout

30

Timeout for the caching policy

protectionPolicyType

container

Specifies the type of protection policy for the key

Possible values are:

• container

• password

• devicelockorpassword

• biometricorpassword

keyLabel

totpkey

A unique label for the key, used for identification

• Mandatory

• Minimum length is 1 characters

• Maximum length is 15 characters

algo

totp

Algorithm used for the key

Possible values are:

• hotp

• totp

• ocra

otpLen

8

Length of the OTP (One-Time Password).

Valid for:

• TOTP

• HOTP

Ignored for other use cases.

validityWindow

30

Time window in seconds during which the OTP is valid

authenticatorPolicyId

None

Unique identifier for the authentication policy

• Returns a value with the maximum length of 30 characters

• The value is auto-generated based on the application ID if it is not present

• The value is fixed and will be <application_id>_ATX

  Where X is the index of the latest device type created + 1 (first X will be 1 for a dedicated application)

  For example, idapp_AT1

sessionValidPeriod

3600000

Duration in milliseconds for which the session remains valid

levelOfAssurance

None

Level of assurance for the authenticator, typically an ACR (Authentication Context Class Reference) value

timestep

30

Time step in seconds for TOTP (Time-based One-Time Password)

>= 1

Valid for:

• TOTP

Ignored for other use cases.

modes

if algo=ocra; and no value passed here:

• [CHALLENGE_RESPONSE"]

Modes of operation for OCRA keys

Possible values are:

• CHALLENGE_RESPONSE

• SIGNATURE

Valid for:

• OCRA

Ignored for other use cases.

ocraSuite

if algo=ocra and no value passed here:

• OCRA-1:HOTP-SHA1-8:QN08-T30S

Specifies the OCRA suite used for the key

Valid for:

• OCRA

Ignored for other use cases.

For a CHALLENGE_RESPONSE OCRA suite, the challenge length provided at the end of the suite will be used in the challengeLength payload field.

protectionPolicyType

container

Specifies the type of protection policy for the key

Possible values are:

• container

• password

• devicelockorpassword

• biometricorpassword

keyLabel

authkey

A unique label for the key, used for identification

• Mandatory

• Minimum length is 1 characters

• Maximum length is 15 characters

keyUsage

authentication

Usage of the key, either for signature or authentication

Possible values are:

• signature

• authentication

otpLen

8

Length of the OTP (One-Time Password).

authenticatorPolicyId

None

Unique identifier for the authentication policy

• Returns a value with the maximum length of 30 characters

• The value is auto-generated based on the application ID if it is not present

• The value is fixed and will be <application_id>_ATX

  Where X is the index of the latest device type created + 1 (first X will be 1 for a dedicated application)

  For example, idapp_AT1

approvalStatus

accept|deny|report

The default approval status to be sent to the device

Any string items are separated by |

sessionValidPeriod

3600000

Duration in milliseconds for which the session remains valid

levelOfAssurance

None

Level of assurance for the authenticator, typically an ACR (Authentication Context Class Reference) value

challengeTimeoutPeriod

3600

Time in seconds during which a push request can be approved or denied

challengeDisableThreshold

8

Maximum number of unsigned requests before the authenticator's counter must be reset

flaggedTransaction

{ blockAuthenticator: true, autoUnblockCooldownPeriod: 900}

Flagged transaction properties

See FlaggedTransaction Payload

blockAuthenticator

true

If the authenticator is blocked when the user flags a transaction as suspicious

autoUnblockCooldownPeriod

• If blockAuthenticator = true and autoUnblockCooldownPeriod is not specified, the default value is -1

• If blockAuthenticator = false then autoUnblockCooldownPeriod is not allowed in the payload
  The default value is 0

Number of seconds (the cool-down period) after which a temporarily blocked authenticator will be automatically unblocked where:

• -1 is blocked until the authenticator is reset

• 0 is not blocked

hidApproveCustomization

See HIDApproveCustomization Payload

Approve APP customization.

uiCustomization

See UICutsomization

Customization settings for the user interface

contactDetails

See ContactDetails

Contact details configuration

fileName

None

Store the customization JSON filename if a file is used instead of a JSON payload

version

Version of the UI customization.

label

Label customization.

label.id

ID for the label.

label.value

Value for the label.

color

Color customization.

color.id

ID for the color.

color.value

Value for the color.

bitmap

Bitmap customization.

bitmap.id

ID for the bitmap.

bitmap.value

Value for the bitmap.

fontColor

Font color customization.

fontColor.id

ID for the font color.

fontColor.value

Value for the font color.

ocrafields

List of OCR fields.

ocrafields[x].label

Label for each OCR field.

ocrafields[x].label.id

ID for each OCR field label.

ocrafields[x].label.value

Value for each OCR field label.

ocraAllowScan

Whether OCR scanning is allowed.

phoneNumber

Phone number for contact.

email

Email configuration.

email.address

Email address.

email.subject

Email subject template.

website

Website URL.

deviceId

Whether to include device ID.

deviceSN

Whether to include device serial number.

pushNotifications

See PushNotifications Payload

Default push notifications messages, titles and Azure hub configuration

notificationTitle

HID Approve notification

Customization of the delivery gateway template for the notification title

notificationMessage

Validate transaction

Customization of the delivery gateway template for the notification message

AzureHub

See AzureHub Payload

Configuration for Azure hub credentials

• Only for SDK integrations as the APP extension uses the default gateways

• If present, new delivery gateways are created for this appid, and push policies are bound to these gateways

hub

<APP_ID>_azurehub

The name of the Azure hub

connectionString

None

The connection string for the Azure hub

Mandatory

ttl

0

Time To Live for the Azure hub configuration