Configuring the Identity Portal Workflow

To configure the new IdP, you need to define the authentication configuration and the interface customization/localization.

You can then register the OpenID client for your application and set the required configuration and interface.

Several sample workflows are provided for illustration purposes.

Create the Authentication Workflow

You can create and customize authentication workflows using the Custo/IDPWorkflows endpoint.

In the configuration payload, you define the various flow elements:

Specify the theme to apply a customized interface and labels
Define the criteria to filter access
Define the actions available to the user
Define the authentication methods (first and second factors) available to the user
Define the enrollment actions and factors

To update the template, use:

PUT https://[base-server-url]/configuration/<tenant>/v2/Custo/IDPWorkflows/{id}

To delete the template, use:

DELETE https://[base-server-url]/configuration/<tenant>/v2/Custo/IDPWorkflows/{id}

Define the Theme

The theme defines the design and customization of the interface (including labels).

The "theme_id": "ID_THEME1" is the unique identifier for the theme configuration.

If it is not present or empty, the portal uses the default design and labels.

For further information about the default theme and create a customized theme, see Customizing the Identity Portal.

Note: If you want to apply a customized theme (design and/or labels), it is recommended that you create it before creating the authentication workflow.

Filter Based on Access Criteria

You can define the authentication factors to display based on the authorization request and user context (such as the user's available authenticators, groups membership, etc.).

The filters can be used with actions, authentication factors and enrollment factors defined in the authentication workflow template.

View an accessCriteria example

Copy

Access Criteria Parameters

"accessCriteria": [
	{
		"accessCriteriaId": "access_criteria.ssp",
		"authenticators": {
			"firstFactorsFiltering": true,
			"secondFactorsFiltering": true,
			"acrFiltering": false
		}
	}
],

Where accessCriteria is a JSON array with descriptions of the filtering parameters:

Parameter	Description	Status
accessCriteriaId	The unique criteria identifier	Mandatory
authenticators	Define how access should be filtered based on the user's existing authenticators: firstFactorsFiltering - access to the authentication flow is allowed only if the user has an authenticators matching one of the first authenticator factors defined in the template. Possible values are true or false. secondFactorsFiltering - access to the authentication flow is allowed only if the user has an authenticators matching one of the second authenticator factors defined in the template. Possible values are true or false. acrFiltering - allows filtering the authentication flow templates based on the ACR claim (if part of the authentication request) and the template's authentication policies. Possible values are true or false.	Mandatory

Parameter

Description

Status

accessCriteriaId

The unique criteria identifier

Mandatory

authenticators

Define how access should be filtered based on the user's existing authenticators:

firstFactorsFiltering - access to the authentication flow is allowed only if the user has an authenticators matching one of the first authenticator factors defined in the template.

Possible values are true or false.
secondFactorsFiltering - access to the authentication flow is allowed only if the user has an authenticators matching one of the second authenticator factors defined in the template.

Possible values are true or false.
acrFiltering - allows filtering the authentication flow templates based on the ACR claim (if part of the authentication request) and the template's authentication policies.

Possible values are true or false.

Mandatory

Define the Actions

The actions define how the IdP will display and handle the actions a user can perform based on those available in the template.

View an actions example

Copy

Actions Parameters

"actions": [
	{
		"actionId": "action.change_password",
		"accessCriteriaId": "access_criteria.common_to_all",
		"type": "CHANGE_PWD",
		"retry": 3,
		"input.old_password": {
			"constraints": {
				"minLength": 1,
				"maxLength": 50
			}
		},
		"input.new_password": {
			"constraints": {
				"minLength": 1,
				"maxLength": 50
			}
		},
		"input.confirm_new_password": {
			"constraints": {
				"minLength": 1,
				"maxLength": 50
			}
		},
		"localizationKeyRedefinition": {
			"LOGIN.name": "LOGIN.name.customer",
			"LOGIN.tooltip": "LOGIN.tooltip.customer",
			"LOGIN.input.password.label": "LOGIN.input.customer_password.label",
			"LOGIN.input.password.placeholder": "LOGIN.input.customer_password.placeholder"
		}
	},
	{
		"actionId": "action.forgot_password",
		"accessCriteriaId": "access_criteria.ssp",
		"type": "FORGOT_PWD",
		"validityPeriod" : 900,
		"retry": 3,
		"resetPasswordMethods": {
			"email": {
				"template": "MESSAGE_en=Use the following OTP to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce code pour continuer {$secret}",
				"templateHtml": false
			},
			"sms": {
				"template": "MESSAGE_en=Use the following OTP to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce code pour continuer {$secret}"
			},
			"actionProtection": {
				"mode": "automatic",
				"factors": "factor.otp_token, factor.push_authentication"
			}
		}
	}	
]

Where actions is a JSON array with descriptions of the actions available in the workflow and the array is then dynamically filtered using the defined accessCriteria.

The array can be configured with the following parameters (mandatory and optional):

Parameter	Description	Status
actionId	The unique identifier of the action	Mandatory
name	The name of the action (for internal reference only)	Optional
description	The description of the action (for internal reference only)	Optional
accessCriteriaId	The unique identifier of the criteria to apply (action is available only if the user matches the criteria)	Mandatory
type	The type of action that can be performed	Mandatory
	CHANGE_PWD - the user can click the 'Change your Password' link if the action.change_password action is defined for the factor The user is redirected to the 'Change Password' flow.
	FORGOT_PWD - the user can click the 'Forgot your Password?' link if the action.request_reset_password action is defined for the factor The user is redirected to the 'Reset Password' flow. The user can select the temporary password delivery method if resetPasswordMethods is present/defined.
validityPeriod	For FORGOT_PWD only, the validity (in seconds) of the temporary password The default value is 900 seconds.	Mandatory
retry	The maximum number of failed action attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider) The try count is kept per action. Selecting another authenticator does not reset the retry count.	Optional
resetPasswordMethods	Define the temporary password delivery methods (email and/or SMS) available to the user when they have forgotten their password If not defined, the server will select the delivery adapter based on the user information and authentication policy. You can select either email, SMS or both, as well as specify the message content: email: template - define the content of the email message: "MESSAGE=Use the following temporary password to complete the authentication process {$secret}", templateHtml - define if the email format is HTML(possible values are true or false) sms: template - define the content of the SMS message: "MESSAGE=Use the following temporary password to complete the authentication process {$secret}" If you want to localize the message, update the content with the required language codes and separate each localized message with a carriage return character (\r). For example: "MESSAGE_en=Use the following temporary password to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce mot de passe temporaire pour continuer {$secret}"	Optional

The password input field is validated with the following constraints dynamically applied by the server:

minLength - minimum number of the characters required for the password
maxLength - maximum number of the characters allowed for the password

If constraints are not defined, the IdP uses the following default values:

minLength - 1 characters
maxLength - 50 characters

Define the Authentication Factors

The authentication factors define how the IdP will display and handle the authentication templates.

View an authentication factors example

Copy

Authentication Factor Parameters

"firstFactors": [
	{
		"factorId": "factor.user_pasword",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_CUSTPWD",
		"type": "LOGIN",
		"acr": "acr_up",
		"stepUp": "automatic",
		"retry": 3,
		"actions": [
			"action.change_password",
			"action.forgot_password"
		]
		"localizationKeyRedefinition": {
			"LOGIN.name": "LOGIN.name.customer",
			"LOGIN.tooltip": "LOGIN.tooltip.customer",
			"LOGIN.input.password.label": "LOGIN.input.customer_password.label",
			"LOGIN.input.password.placeholder": "LOGIN.input.customer_password.placeholder"
		},
	},
	{
		"factorId": "factor.pki",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_EMPPKI",
		"type": "PKI",
		"stepUp": "notRequired",
	},
	{
		"factorId": "factor.oob_user_accode",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_EMPOOB",
		"type": "CODE",
		"stepUp": "required",
		"retry": 3,
		"oobMethods": {
			"email": {
				"template": "<myemailtemplatevalue>",
				"templateHtml": false
			},
			"sms": {
				"template": "<mysmstemplatevalue>"
			}
		}
	},
	{
		"factorId": "factor.user_pasword_ldap",
		"accessCriteriaId": "access_criteria.ssp",
		"code": "AT_LDAP",
		"type": "LDAP",
		"acr": "acr_up",
		"stepUp": "automatic",
		"retry": 3,
		"automaticOOBEnrollment": "factor.otp_oob_adt",
		"localizationKeyRedefinition": {
			"LDAP.name": "LDAP.name.user_pasword_ldap",
			"LDAP.tooltip": "LDAP.tooltip.user_pasword_ldap"
		}
	},
	{
		"factorId": "factor.qrcode",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_PASA",
		"type": "QRCODE",
		"acr": "3",
		"forceDisplay": true,
		"deviceType":"DT_TDSV4",
		"cal": "accept|deny",
		"tds": "Logon to portal"
	},
	{
		"factorId": "factor.fido",
		"accessCriteriaId": "access_criteria.common_to_all",
		"type": "FIDO",
		"code": "AT_FIDO",
		"acr": "acr_fido",
		"stepUp": "notRequired",
		"rpId":"hostname",
		"retry": 3,
		"userVerification": "required",
		"discoverCredentialsInDevice": "true",
		"enrollActions": [
			"enroll_action.fido"
		]
	}
],
"secondFactors": [
	{
		"factorId": "factor.push_authentication",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_PASA-2FA",
		"type": "PUSH",
		"acr": "acr_push",
		"retry": 3,
		"pollTimeout": 30,
		"okStatus": "approved",
		"upon": "factor.user_pasword,factor.user_pasword_ldap",
		"allowUserDeviceSelection": true,
		"tds": "Logon to portal",
		"device": {
		}
	},
	{
		"factorId": "factor.otp_token",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_CUSTOTP-2FA",
		"type": "OTP",
		"acr": "acr_otp",
	},
	{
		"factorId": "factor.fido_u2f",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_FIDO_U2F",
		"type": "FIDO",
		"acr": "acr_fido_uaf",
		"rpId":"hostname",
		"retry": 3,
		"userVerification": "required",
		"upon": "factor.user_pasword"
	},
	{
		"factorId": "factor.otp_user_accode",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_EMPOOB",
		"type": "OTP",
		"retry": 3,
		"upon": "factor.oob_user_accode"
	},
	{
		"factorId": "factor.otp_oob_adt",
		"accessCriteriaId": "access_criteria.common_to_all",
		"code": "AT_OOBADT",
		"type": "OOB",
		"retry": 3,
		"upon": [
			"factor.user_password_ldap"
			],
        "oobMethods": {
			"email": {
				"template": "MESSAGE_en=Please use the OTP below to complete the authentication process: {$secret}.",
				"templateHtml": false
			}
		}
	}
],

Where firstFactors and secondFactors are JSON arrays with descriptions of the authentication template and the array is then dynamically filtered using the defined accessCriteria.

The factor arrays can be configured with the following parameters (mandatory and optional):

Parameter	Description	Status
factorId	The unique identifier of the authentication factor	Mandatory
name	The name of the factor (for internal reference only)	Optional
description	The description of the factor (for internal reference only)	Optional
accessCriteriaId	The unique identifier of the criteria to apply (authentication factor available only if user match criteria)	Mandatory
code	The code of the authentication policy to use for this specific factor	Mandatory
type	The type of authenticator for this specific factor	Mandatory
	LOGIN - the user enters their static password For this type, you can also add the optional actions parameter to define the links available to the user for the authentication factor. Possible values are: action.change_password - a link is displayed allowing the user to change their password action.request_reset_password - a link is displayed allowing the user to reset their password if they have forgotten it
	OTP - the user enters an OTP generated using a registered device
	OOB - the server triggers the delivery of an OTP The user can select the OTP delivery method if oobMethods is present/defined.
	CODE - the user enters their activation code to trigger the delivery of an OTP The user can select the OTP delivery method if oobMethods is present/defined. Important: When combining the CODE type with another type as part of a step-up workflow, the authentication policy must be the same for the first and second factors.
	PKI - the user authenticates using their digital certificate
	FIDO - the user authenticates with a FIDO passkey For this type, you can also define: rpId - (optional) defines the customer back-end hostname for integrations using the API If users will authenticate to different applications in multiple sub-domains with their FIDO passkey, specify the root domain. The value must match the hostname for the FIDO enrollment factor. userVerification - (mandatory) defines if the user is required to verify their presence by performing an action on the passkey (such as providing the PIN, biometric credential or touching the device-bound passkey) to access the authenticator. Possible values are: required preferred discouraged discoverCredentialsInDevice - (optional) defines the credentials made available to the user. Possible values are: true - the user will only be able to choose from a list of discoverable keys false - the workflow returns the list of all the credentials available for the user (default) enrollActions - (mandatory) a comma-separated list of the enrollment action identifiers for which the workflow should be triggered if the user does not have a corresponding authenticator
	PUSH - the user authenticates by approving a push notification received on their registered device For this type, you can also define: pollTimeout - specify the timeout (in seconds) to wait for the push result (to exit the loop of polling the back end) allowUserDeviceSelection - specify if the user is allowed to select the device on which to receive the push notification if they have more than one registered device (possible values are true or false) If set to true, the list of devices is displayed for this factor (with the device's friendly name if defined) tds - specify the message displayed on the HID Approve application to prompt the user to approve or deny the authentication (by default, "Logon to portal") device - server-populated list of available devices for push authentication for the user
	QRCODE - the user authenticates by scanning a QR code without needing to provide their User ID (userID-less authentication) Important: This method is only supported for first factor authentication. If they do not want (or are unable) to scan the QR code and the: login_hint is present in the authentication request - the IdP retrieves a workflow adapted for the user so they can select an alternative authentication method from their list of enrolled authenticators without needing to provide their User ID login_hint is NOT present - the IdP displays the default workflow and the user will be required to provide their User ID to generate the list of available authenticators For this type, you can also define: forceDisplay - define (true or false) if the QR code should be displayed directly as the proposed authentication method pollTimeout - specify the timeout (by default, 30 seconds) to wait for the user to scan the QR code before it expires cal - specify a subset of the credential type's default approval status sent to the device for a userID-less QR code operation (by default, "accept\|deny") For mobile applications built using the HID Approve SDK, this value must match that defined for the cal parameter of the bcauthorize endpoint. tds - specify the message displayed on the HID Approve application to prompt the user to approve or deny the scanned QR code authentication (by default, "Logon to portal") Note: The following parameters are not currently supported: firstFactorsFiltering retry stepUp allowUserDeviceSelection
	LDAP - the LDAP federated user (Microsoft Azure AD or AD FS) authenticates with their directory-based password For this type, you can also define: automaticOOBEnrollment - specify the factorId of the OOB factor/authenticator to be used for auto-enrollment (for example, factor.otp_oob_adt) This OOB factor should be defined as a secondFactor with the corresponding LDAP factor defined in its upon parameter. If automaticOOBEnrollment is not defined, OOB auto-enrollment is disabled. Note: For federated LDAP authentication: The users must already be registered in HID Authentication Service The registered users must not have an existing authenticator (device/credentials) as the LDAP authenticator will be automatically created The workflow must be configured with LDAP as the first factor and OOB as the second factor LDAP Fallback is implicitly allowed if the workflow includes an LDAP authentication factor
acr	The default HID Authentication Service authentication policies include an ACR value that defines the level of assurance (LoA) provided by the identity authentication process. You can use this parameter to override the acrvalue defined in the authentication policy associated with the factor by setting a string value that corresponds to your organization’s requirements. For example, if you define the same authentication method as both a first and second authentication factor, you can set a higher level of assurance when it is used as a second authentication factor. Note: If multiple values are defined, they must be separated by a comma and listed by preference (most important first).	Optional
stepUp	Defines if the user needs to provide a second authentication factor as part of the step-up workflow: notRequired - if a second factor is not defined, then authentication with this first factor is sufficient automatic - (default if parameter is present but not defined) if the user has a second and compatible authentication method available, then step up is enforced. Otherwise, authentication with this first factor is sufficient required - (default if parameter not present) a second factor is required. Otherwise, authentication will fail. Note: For security reasons, it is recommended to implement step-up authentication. However, if step-up is required but the user does not have a second authentication factor, the authentication will fail.	Optional
retry	The maximum number of failed authentication attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider) The default value is 1 if the parameter is not present/defined. Note: The try count is kept per authenticator (or action). Selecting another authenticator does not reset retry count of current authenticator.	Mandatory
oobMethods	Defines the OTP delivery methods (email and/or SMS) available to the user for OOB authentication If not defined, the server will select the delivery adapter based on the user information and authentication policy. You can select either email, SMS or both as well as define the message content: email: template - define the content of the email message: "MESSAGE=Use the following OTP to complete the authentication process {$secret}", templateHtml - define if the email format is HTML(possible values are true or false) sms: template - define the content of the SMS message: "MESSAGE=Use the following OTP to complete the authentication process {$secret}" If you want to localize the message, update the content with the required language codes and separate each localized message with a carriage return character (\r). For example: "MESSAGE_en=Use the following OTP to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce code pour continuer {$secret}" Note: The OOB method must have a defined message. For the default English and French locales, the predefined messages are applied. If you add an additional localization to the workflow, make sure you define the corresponding message with the locale code in the format illustrated above.	Optional
expirationWarningThreshold	The threshold (in seconds) after which a warning that the authenticator will expire is displayed For further information, see Manage the Authenticators in the Authentication Flow.	Optional
For secondFactors arrays ONLY
upon	A comma-separated list of the first factor authenticator identifiers for which the second factor authentication should be triggered For example, when a user authenticates with their static password as the first factor and you want to enforce push authentication as the second factor, specify the factorId of the static password authenticator that should trigger the push authentication step. Note: Make sure the first authentication factor is not defined as a second factor trigger (for example, do not set factor.user_pasword to be trigger upon factor.user_pasword).	Optional

Add an Enrollment Workflow

You can add enrollment protection factors and actions to the authentication workflow allowing you to drive the user enrollment process.

This process can also include a level of protection requiring user verification as well as successful authentication before a user can access the enrollment process.

Note:

Configuring the enrollment workflow is currently only supported for FIDO authenticators.
FIDO passkey support and the user experience during enrollment and authentication varies according to the browser.

Define the Enrollment Actions

The enrollActions is a JSON array with descriptions of the enrollment actions available in the workflow and the array is then dynamically filtered using the defined accessCriteria.

View an enrollment actions example

Copy

Enrollment Action Parameters

"enrollActions": [
	{
		"enrollId": "enroll_action.fido",
		"accessCriteriaId": "access_criteria.common_to_all",
		"type": "FIDO",
		"code": "AT_FIDO",
		"rpId": "hostname",					
		"userVerification": "required",
		"residentKey": "required",
		"authenticatorAttachment": "cross-platform",
		"allowedAAGUIDs": ["b93fd961-f2e6-462f-b122-82002247de78","ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4"],
		"retry": 3,
		"deviceType": "DT_FIDO",
		"credentialType": "CT_FIDOU2F",
		"deviceBinding": "required",
		"attestationVerification": "direct",  
		"enrollValidation": false,
		"protectionFactor": "enroll_protection.user_password"
	},
	{
		"enrollId": "enroll_action.fido_uaf",
		"accessCriteriaId": "access_criteria.common_to_all",
		"type": "FIDO",
		"code": "AT_FIDO_UAF",
		"rpId": "hostname",
		"userVerification": "required",
		"deviceType": "DT_FIDO",
		"credentialType": "CT_FIDO",
		"deviceBinding": "required",
		"attestationVerification": "direct",  
		"enrollValidation": true,
		"protectionFactor": "enroll_protection.user_password"
	},
	{
		"enrollId": "enroll_action.push",
		"accessCriteriaId": "access_criteria.common_to_all",
		"type": "PUSH",
		"code": "AT_SMK",
		"manual": true,
		"userVerification": "required",
		"deviceType": "DT_TDSV4",
		"deviceBinding": "required",
		"enrollValidation": true,
		"protectionFactor": "enroll_protection.user_password"
	},
	{
		"enrollId": "enroll_action.hw_token",
		"accessCriteriaId": "access_criteria.common_to_all",
		"type": "TOKEN",
		"code": "AT_OTP",
		"userVerification": "required",
		"deviceType": "DT_TK1V2",
		"deviceBinding": "required",
		"enrollValidation": true,
		"protectionFactor": "enroll_protection.user_password"
	}
]

Where:

Parameter	Description	Status
enrollId	The unique identifier of the enrollment action	Mandatory
name	The name of the action (for internal reference only)	Optional
description	The description of the action (for internal reference only)	Optional
accessCriteriaId	The unique identifier of the criteria to apply (factor is available only if the user matches the criteria)	Mandatory
code	Code of the authentication policy to use for this specific enrollment	Mandatory
type	Type of authenticator for this specific enrollment action: FIDO (U2F or UAF (FIDO2))	Mandatory
rpId	For FIDO factors only, defines the customer back-end hostname for integrations using the API If users will authenticate to different applications in multiple sub-domains with their FIDO passkey, specify the root domain. For example, if the FIDO enrollment application is in enroll.companydomain.com and the FIDO authentication application is in auth.companydomain.com, the root domain value is companydomain.com The FIDO authentication factor also supports multi-domain configuration and the root domain value must match the value defined for the FIDO enrollment action.	Optional
userVerification	For FIDO factors only, defines if the user is required to verify their presence by performing an action on the passkey (such as providing the PIN, biometric credential or touching the device-bound passkey) to access the authenticator Possible values are: required preferred discouraged	Mandatory
residentKey	Defines if a discoverable resident key should created on the FIDO passkey during enrollment Possible values are: discouraged - a non-resident key is preferred (that is, the user information and credential ID is stored on the server) but HID Authentication Service will accept a resident key preferred - the resident key is preferred (that is, the user information and credential ID is stored on the FIDO passkey) but HID Authentication Service will accept a non-resident key required - the resident key is required (that is, the user information and credential ID is stored on the FIDO passkey) If the request is denied by the FIDO passkey, enrollment will fail. The default value is preferred.	Optional
authenticatorAttachment	Defines the FIDO platform that will be proposed during enrollment Possible values are: platform - only the passkey platform will be proposed (such as Microsoft Windows Hello, Google Android or Apple iOS platform keys) Roaming keys and or external security keys will not be proposed cross-platform - all platforms will be proposed (default)	Optional
allowedAAGUIDs	A JSON array of FIDO AAGUID (Authenticator Attestation Global Unique Identifier) to specify the passkeys that users are allowed to enroll If present, only the specified passkeys can be enrolled If not present, no restriction (all passkeys can be enrolled)	Optional
retry	The maximum number of failed attempts to launch a passkey allowed with this factor before the user is redirected back to the authorization request initiator (service provider) The default value is 1.	Optional
deviceType	Code of the device type to use for this specific enrollment action	Mandatory
credentialType	Code of the credential type to use for this specific enrollment action	Mandatory
deviceBinding	Defines if the user must have a "pending" device of the specified device type to be able to enroll their passkey Possible values are: required notRequired If absent or undefined, the value is considered to be notRequired If you set this to required, you must create and assign a FIDO device authenticator for the user before they can enroll their passkey.	Optional
attestationVerification	Defines if the user's FIDO passkey is required to provide an attestation statement for verification at enrollment Possible values are: none - the attestation statement is not required direct - the attestation statement should generated by the passkey For further information, see Enable Attestation.	Optional
enrollValidation	Defines if the enrollment should be validated by a successful authentication using the newly enrolled authenticator Possible values are true or false.	Optional
protectionFactor	Defines the protection factor applied for the enrollment action	Optional
localizationKeyRedefinition	List of redefined localization label keys Allows to redefine (override) the default label keys present in the localization configuration. The left part is the default key. The right part is the redefined key. Copy `"localizationKeyRedefinition": { "enroll.fido.uaf.label": "enroll.fido.cust_uaf.label", "enroll.fido.uaf.placeholder": "enroll.fido.cust_uaf.placeholder" }` Note: The redefined key (as the default one) must be present in the localization configuration in order to be translated to the desired label. For further information, see Customizing the Labels.	Optional

Enable Enrollment Protection

The enrollProtectionFactors JSON array contains descriptions of the authentication factors to protect the enrollment process. If defined, the user must first authenticate using the specific authenticator before accessing the enrollment process.

View an enrollment protection factor example

Copy

Enrollment Protection Factor Parameters

"enrollProtectionFactors": [
	{
		"protectionFactorId": "enroll_protection.user_password",
		"code": "AT_CUSTPWD",
		"type": "LOGIN",
		"retry": 3
	}
]

Where:

Parameter	Description	Status
protectionFactorId	The unique identifier of the protection factor	Mandatory
name	The name of the protection factor (for internal reference only)	Optional
description	The description of the protection factor (for internal reference only)	Optional
code	The code of the authentication policy to use for this protection factor	Mandatory
type	The type of authenticator for this protection factor	Mandatory
	LOGIN - the user enters their static password
	PKI - the user authenticates using their digital certificate
	FIDO - the user authenticates with a FIDO passkey
	PUSH - the user authenticates by approving a push notification received on their registered device
retry	The maximum number of failed authentication attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider). The default value is 1 if the parameter is not present/defined. Note: The try count is kept per authenticator (or action). Selecting another authenticator does not reset retry count of current authenticator.	Optional

Apply Customized Labels

For each authentication factor and action, you can define customize labels to display in the interface instead of the default label keys present in the configuration.

Copy

Example of customized labels for an authentication factor

"localizationKeyRedefinition": {
	"LOGIN.name": "LOGIN.name.customer",
	"LOGIN.tooltip": "LOGIN.tooltip.customer",
	"LOGIN.input.password.label": "LOGIN.input.customer_password.label",
	"LOGIN.input.password.placeholder": "LOGIN.input.customer_password.placeholder"
}

Copy

Example of customized labels for an action

"localizationKeyRedefinition": {
	"CHANGE_PWD.title": "CHANGE_PWD.customer_title",
	"CHANGE_PWD.tooltip": "CHANGE_PWD.customer_tooltip"
}

For further information, see Customizing the Labels.

Apply Your IdP Configuration

You can apply your configuration and customization by registering the OpenID client with the required authentication flow and theme configuration dynamically using the API.

View a sample request and response

Copy

Sample client registration request

POST https://[base-server-url]/{tenant}/authn/register HTTP/1.1
Connection: close
Content-Type: application/json
Authorization: Bearer RTp7HwAAAX7pKILI4bo5OxW08phxBTRYLrz1Gn8R
Content-Length: 914
Host: host.com
User-Agent: Apache-HttpClient/4.5.5 (Java/16.0.1)
{
	"redirect_uris": ["http://localhost", "http://localhost:4200"],
	"client_name": "OpenID Client New IdP",
	"client_id": "spl-idp",
	"client_secret": "password01",
	"hid_client_channel": "CH_DIRECT",
	"hid_client_pwd_policy": "AT_SYSLOG",
	"hid_client_pki_policy": "AT_SYSPKI",
	"hid_user_channel": "CH_CSTPORT",
	"hid_user_authn_policy": "AT_CUSTPW",
	"hid_sessiontransfer_type": "NUM001",
	"hid_client_group": "USG_SYS",
	"backchannel_token_delivery_mode": "poll",
	"hid_client_scopes": {
		"scopes":[
			{
				"openid":{
					"description":"Description of your scope here","claims":{
						"userinfo":{
							"usr.TITLE":{
								"essential":true
							},
							"usr.DOB":{
								"essential":false
							}
						},
						"id_token":{
							"usr.groupids":{
								"essential":true
							},
							"usr.roles":{
								"essential":false
							},
							"acr":{
								"essential":true
							}
						}
					}
				}
			},
				"profile"
		]
	},
	"initiate_login_uri": "",
	"authn_portal_configuration": {
		"workflow_id": "ID_FLOW_PUSH_STEPUP",
		"theme_id": "ID_THEME_CUSTO"
	},
	"hid_sso_session_validity": "1200",
	"hid_federation_audiences": "client_ID1|client_ID2"
}

Copy

Sample Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
	"hid_sessiontransfer_type": "NUM001",
	"initiate_login_uri": "",
	"authn_portal_configuration": {
		"workflow_id": "ID_FLOW_PUSH_STEPUP",
		"theme_id": "ID_THEME_CUSTO"
	},
	"hid_sso_session_validity": "1200",
	"hid_federation_audiences": "client_ID1|client_ID2",
	"registration_client_uri": https://[base-server-url]/{tenant}/authn/register/spl-idp,
	"userinfo_signed_response_alg": "RS256",
	"token_endpoint_auth_method": "client_secret_post",
	"client_id": "spl-idp",
	"hid_federation_roles": ".*",
	"hid_client_consentprompt": "true",
	"hid_client_scopes": "{\"scopes\":[{\"email\":{\"description\":\"Email Address\",\"claims\":{\"userinfo\":{\"usr.ATR_EMAIL\":{\"essential\":true}}}}},{\"phone\":{\"description\":\"Phone Number\",\"claims\":{\"userinfo\":{\"usr.PHONE\":{\"essential\":true}}}}},{\"profile\":{\"description\":\"User profile\",\"claims\":{\"userinfo\":{\"usr.DOB\":{\"essential\":true}}}}},\"openid\"]}",
	"hid_ciba_callback_format_plain": "false",
	"require_pushed_authorization_requests": "false",
	"hid_user_authn_policy": "AT_CUSTPW",
	"client_id_issued_at": 1655716755,
	"tls_client_certificate_bound_access_tokens": false,
	"backchannel_token_delivery_mode": "poll",
	"client_name": "OpenID Client New IdP",
	"grant_types": [
		"client_credentials",
		"password",
		"authorization_code"
	],
	"hid_refresh_token_validity": "3600",
	"redirect_uris": [
		http://localhost,
		http://localhost:4200
	],
	"hid_client_channel": "CH_DIRECT",
	"hid_client_pwd_policy": "AT_SYSLOG",
	"hid_ciba_poll_interval": "5",
	"hid_client_pki_policy": "AT_SYSPKI",
	"hid_user_channel": "CSTPORT",
	"pushed_authorization_request_validity": "600"
}

Define the Portal Parameters

The authn_portal_configuration is an array of the IdP portal parameters in the JSON format (the format is validated during the register and update operations).

If the parameters are present, the new IdP will be used based on the defined values
If empty, (set the value to " " when empty), the standard HID Authentication Service interface is displayed

It contains the following parameters:

Parameter	Description	Status
workflow_id	The unique identifier of the authentication configuration definition to be used for the client The content of configuration defines the flow and authentication factors. See Create the Authentication Workflow If absent or contains an incorrect ID, the OpenID client registration returns error.	Mandatory
theme_id	The unique identifier for theme definition The content of the theme defines the customization for application interface such as titles and labels. See Customizing the Identity Portal If empty, the default theme is used.	Optional

Parameter

Description

Status

workflow_id

The unique identifier of the authentication configuration definition to be used for the client

The content of configuration defines the flow and authentication factors. See Create the Authentication Workflow

If absent or contains an incorrect ID, the OpenID client registration returns error.

Mandatory

theme_id

The unique identifier for theme definition

The content of the theme defines the customization for application interface such as titles and labels. See Customizing the Identity Portal

If empty, the default theme is used.

Optional

Note: The initiate_login_uri parameter is reserved for future use and should be left empty to allow use of the default HID portal.

It defines the URI where the login page will be redirected (optional):

If present, the value must be the URI of interface handling the IdP flow.
HID Authentication Service checks it is a valid URI format (should be absolute URI path) and the login page will be redirected to this URI.
If empty, the new portal URL will be computed with the deployment URI and tenant

Configure Support for SSO

The IdP supports single sign-on (SSO) with the either the same or different clients/applications on multiple platforms.

If the authentication session is still valid, and the end user is already logged in, a new authentication request can be sent with specific parameters to log on again without being prompted to authenticate. The HID Authentication Service reuses the initial authentication session to generate an authorization code.

The SSO session is valid only if the user's login session is still valid and for the configured SSO period. The user will be prompted to log on again if either of the sessions has expired.

You can implement SSO by either:

Leveraging the browser's HTTP session cookie - the session token is stored in the browser's cookie

For subsequent authentication requests, the browser sends the cookie in the request header.

Note: The user's browser must allow cookies.
Sharing the id_token between the relevant clients - the second application's login page is launched by invoking the authentication endpoint with the id_token_hint as a parameter

Depending on the client (same or different as in the initial authentication request), the HID Authentication Service returns a new id_token with the "aud" claim set to the client.
Note:
- The id_token_hint takes precedence over the session cookie
- The sharing mechanism is out of the scope of the HID Authentication Service)

To enable SSO support, configure the following OpenID client parameters:

Parameter	Description
hid_federation_audiences	To allow other applications to use the user's authenticated session for this client application (for example, client_INIT), add the OpenID client ID of the allowed application(s), where the format of the value should be a regular expression. For example, in the following use cases: To allow access for one or more applications, use the format client_ID1\|client_ID2 To allow access for all clients with a specific ID (for example, starting with 'HID'), set the value to ^HID.*
hid_sso_session_validity	In the configuration of the client application(s) that will use the SSO session, define the maximum age limit of the existing SSO session (in seconds and greater than 0). If a user tries to log on after this limit is reached, and even if the initial authenticated session is still valid, they will be required to re-authenticate. The default value is 0 and if the parameter is not present (or set to 0), SSO support is disabled.

Parameter

Description

hid_federation_audiences

To allow other applications to use the user's authenticated session for this client application (for example, client_INIT), add the OpenID client ID of the allowed application(s), where the format of the value should be a regular expression.

For example, in the following use cases:

To allow access for one or more applications, use the format client_ID1|client_ID2
To allow access for all clients with a specific ID (for example, starting with 'HID'), set the value to ^HID.*

hid_sso_session_validity

In the configuration of the client application(s) that will use the SSO session, define the maximum age limit of the existing SSO session (in seconds and greater than 0).

If a user tries to log on after this limit is reached, and even if the initial authenticated session is still valid, they will be required to re-authenticate.

The default value is 0 and if the parameter is not present (or set to 0), SSO support is disabled.

For example, to support SSO between client_INIT and client_ID1:

For client_INIT, add client_ID1 as an allowed client in the hid_federation_audiences parameter.
On client_ID1, define that the session of client_INIT must be less than 600 seconds (that is, 10 minutes) in the hid_sso_session_validity parameter.

If the initial authenticated session of the client_INIT application is less than 10 minutes, SSO is available and users will not be prompted to authenticate to use the client_ID1 application
If the initial session is longer than 10 minutes, SSO is not possible and users will be prompted to authenticate to use the client_ID1 application

You can then control the SSO behavior using the parameters defined in the second authentication request:

prompt

The following is the behavior when a session cookie is present, the corresponding session context is for the same user and the user is already authenticated.

If one of these conditions is not met, the user is prompted for their credentials.

Value	SSO Behavior
Not present	If a valid SSO session exists, no prompt for credentials Otherwise, the normal logon process is applied and the user is prompted for the credentials If a valid SSO exists, but the consent is not signed for the current requesting client, only prompt for the consent
none (silent login)	No prompt for credentials If no valid SSO exists, returns an error (login_required) No prompt for consent If no consent signed, returns an error (consent_required)
login	Always prompt for credentials Only prompt for consent if the original consent is not signed
consent	Prompt for credentials if necessary Always prompt for consent

max_age

Value	SSO Behavior
Not present	Use the value of the SSO validity period configured for the client
Defined value	If the existing session is older than the max_age value (even if it is still valid), the user needs to log on again The value should not be higher than the value of the SSO validity configured for the client. If it is, the HID Authentication Service will apply the max_age value configured for the client.

Value

SSO Behavior

Not present

Use the value of the SSO validity period configured for the client

Defined value

If the existing session is older than the max_age value (even if it is still valid), the user needs to log on again

The value should not be higher than the value of the SSO validity configured for the client. If it is, the HID Authentication Service will apply the max_age value configured for the client.

id_token_hint

Value	SSO Behavior
Not present	Search for SSO sessions based on the session cookie
Present	If the user's session corresponding to the id_token_hint is still valid, no prompt for credentials

You can also refine the behavior using the prompt and max_age parameters.

login_hint

Value	SSO Behavior
Not present	Prompt for a user name or use the user in an SSO session if it exists and is valid
Present	If a SSO session exists and is still valid, and the session's user is the same as in the original login_hint, no prompt for credentials If the user is different, or the SSO session has expired, prompt for credentials (or return an error depending on the prompt parameter)

Important: SSO Support for Multiple Applications with Different Workflow Configurations

Any application that wants to access the SSO session of an authenticated application should have a compatible workflow configuration where the SSO session's authentication type should be one of the requesting application's authentication factors.

SSO is possible if the required authentication type is:

One of requesting application's second authentication factors
One of requesting application's first authentication factors and this factor does not require step-up authentication

Otherwise, the user will be prompted:

For step-up authentication if the required type is one of requesting application's first authentication factors and this factor does require step-up authentication

To re-authenticate if the required type is not one of requesting application's authentication factors (first or second)

View sample requests

Copy

Sample request for cookie-based SSO where the user can access the resource without being prompted to log on or sign the consent again

https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=code&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=none

Copy

Sample request for cookie-based SSO where the user is prompted to sign the consent (with or without being prompted to log on again)

https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=code&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=consent

Copy

Sample request for id_token-based SSO where the user can access the resource without being prompted to log on or sign the consent again

https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=id_token&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=none&id_token_hint=eyJraWQiOiIxNjQ2OTMxNzgwNjYzIiwidHlwIjoiSldUIiwiYW..aX7OPI2IWbsC3NsniVH18rWBr2bGKlVB53gAypM2-IAoQWksnlcM9wvHp_eQefZnbqung

Where the returned id_token is that of the first request if id_token is in the response_type, or id_token can be obtained at the token endpoint and introspect endpoint later on

Copy

Sample request for id_token-based SSO where the user can access the resource without being prompted to log on but always prompt for consent

https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=code&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=consent

Where a new id_token is returned. For example, to get an id_token via the hybrid flow:

https://[base-server-url]/\{tenant}/authn/login?client_id=client_ID1&response_type=code+id_token&scope=openid+profile&redirect_uri=http://localhost:8080

Manage the Authenticators in the Authentication Flow

Already Expired

When the password has expired and the Change Password action is allowed by the current authenticator, the user is redirected to the Change Password flow with an error notification.

If the Change Password action is not allowed, user is redirected to back end with an error message.