Configuring the Identity Portal Workflow

To configure the new IdP, you need to define the authentication configuration and the interface customization/localization.

You can then register the OpenID client for your application and set the required configuration and interface.

Several sample workflows are provided for illustration purposes.

Create the Authentication Workflow

You can create and customize authentication workflows using the Custo/IDPWorkflows endpoint.

In the configuration payload, you define the various flow elements:

To update the template, use:

PUT https://[base-server-url]/configuration/<tenant>/v2/Custo/IDPWorkflows/{id}

To delete the template, use:

DELETE https://[base-server-url]/configuration/<tenant>/v2/Custo/IDPWorkflows/{id}

Define the Theme

The theme defines the design and customization of the interface (including labels).

The "theme_id": "ID_THEME1" is the unique identifier for the theme configuration.

If it is not present or empty, the portal uses the default design and labels.

For further information about the default theme and create a customized theme, see Customizing the Identity Portal.

Note: If you want to apply a customized theme (design and/or labels), it is recommended that you create it before creating the authentication workflow.

Filter Based on Access Criteria

You can define the authentication factors to display based on the authorization request and user context (such as the user's available authenticators, groups membership, etc.).

The filters can be used with actions, authentication factors and enrollment factors defined in the authentication workflow template.

Where accessCriteria is a JSON array with descriptions of the filtering parameters:

Parameter Description Status

accessCriteriaId

The unique criteria identifier

Mandatory

authenticators

Define how access should be filtered based on the user's existing authenticators:

  • firstFactorsFiltering - access to the authentication flow is allowed only if the user has an authenticators matching one of the first authenticator factors defined in the template.

    Possible values are true or false.

  • secondFactorsFiltering - access to the authentication flow is allowed only if the user has an authenticators matching one of the second authenticator factors defined in the template.

    Possible values are true or false.

  • acrFiltering - allows filtering the authentication flow templates based on the ACR claim (if part of the authentication request) and the template's authentication policies.

    Possible values are true or false.

Mandatory

Define the Actions

The actions define how the IdP will display and handle the actions a user can perform based on those available in the template.

Where actions is a JSON array with descriptions of the actions available in the workflow and the array is then dynamically filtered using the defined accessCriteria.

The array can be configured with the following parameters (mandatory and optional):

Parameter Description Status

actionId

The unique identifier of the action

Mandatory

name

The name of the action (for internal reference only)

Optional

description

The description of the action (for internal reference only)

Optional

accessCriteriaId

The unique identifier of the criteria to apply (action is available only if the user matches the criteria)

Mandatory

type

The type of action that can be performed

Mandatory

CHANGE_PWD - the user can click the 'Change your Password' link if the action.change_password action is defined for the factor

The user is redirected to the 'Change Password' flow.

FORGOT_PWD - the user can click the 'Forgot your Password?' link if the action.request_reset_password action is defined for the factor

The user is redirected to the 'Reset Password' flow.

The user can select the temporary password delivery method if resetPasswordMethods is present/defined.

validityPeriod

For FORGOT_PWD only, the validity (in seconds) of the temporary password

The default value is 900 seconds.

Mandatory

retry

The maximum number of failed action attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider)

The try count is kept per action. Selecting another authenticator does not reset the retry count.

Optional

resetPasswordMethods

Define the temporary password delivery methods (email and/or SMS) available to the user when they have forgotten their password

If not defined, the server will select the delivery adapter based on the user information and authentication policy.

You can select either email, SMS or both, as well as specify the message content:

  • email:

    • template - define the content of the email message:

      "MESSAGE=Use the following temporary password to complete the authentication process {$secret}",

    • templateHtml - define if the email format is HTML(possible values are true or false)

  • sms:

    • template - define the content of the SMS message:

      "MESSAGE=Use the following temporary password to complete the authentication process {$secret}"

If you want to localize the message, update the content with the required language codes and separate each localized message with a carriage return character (\r). For example:

"MESSAGE_en=Use the following temporary password to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce mot de passe temporaire pour continuer {$secret}"

Optional

The password input field is validated with the following constraints dynamically applied by the server:

  • minLength - minimum number of the characters required for the password

  • maxLength - maximum number of the characters allowed for the password

If constraints are not defined, the IdP uses the following default values:

  • minLength - 1 characters

  • maxLength - 50 characters

Define the Authentication Factors

The authentication factors define how the IdP will display and handle the authentication templates.

Where firstFactors and secondFactors are JSON arrays with descriptions of the authentication template and the array is then dynamically filtered using the defined accessCriteria.

Note: For Microsoft Entra ID integrations, the authentication methods must be configured as firstFactors.

The factor arrays can be configured with the following parameters (mandatory and optional):

Parameter Description Status

factorId

The unique identifier of the authentication factor

Mandatory

name

The name of the factor (for internal reference only)

Optional

description

The description of the factor (for internal reference only)

Optional

accessCriteriaId

The unique identifier of the criteria to apply (authentication factor available only if user match criteria)

Mandatory

code

The code of the authentication policy to use for this specific factor

Mandatory

type

The type of authenticator for this specific factor

Mandatory

LOGIN - the user enters their static password

For this type, you can also add the optional actions parameter to define the links available to the user for the authentication factor.

Possible values are:

  • action.change_password - a link is displayed allowing the user to change their password

  • action.request_reset_password - a link is displayed allowing the user to reset their password if they have forgotten it

OTP - the user enters an OTP generated using a registered device

OOB - the server triggers the delivery of an OTP

The user can select the OTP delivery method if oobMethods is present/defined.

CODE - the user enters their activation code to trigger the delivery of an OTP

The user can select the OTP delivery method if oobMethods is present/defined.

Important: When combining the CODE type with another type as part of a step-up workflow, the authentication policy must be the same for the first and second factors.

PKI - the user authenticates with their digital certificate

FIDO - the user authenticates with a FIDO passkey

For this type, you can also define:

  • rpId - (optional) defines the customer back-end hostname for integrations using the API

    If users will authenticate to different applications in multiple sub-domains with their FIDO passkey, specify the root domain. The value must match the hostname for the FIDO enrollment factor.

  • userVerification - (mandatory) defines if the user is required to verify their presence by performing an action on the passkey (such as providing the PIN, biometric credential or touching the device-bound passkey) to access the authenticator. Possible values are:

    • required

    • preferred

    • discouraged

  • discoverCredentialsInDevice - (optional) defines the credentials made available to the user. Possible values are:

    • true - the user will only be able to choose from a list of discoverable keys

      In the enrollment flow, residentKey must be set to required.

    • false - the workflow returns the list of all the credentials available for the user (default)

  • enrollActions - (optional) a comma-separated list of the enrollment action identifiers for which the workflow should be triggered if the user does not have a corresponding authenticator

CARD - the user authenticates with their contactless smart card

For this type, you can also define:

  • enrollActions - (optional) a comma-separated list of the enrollment action identifiers for which the workflow should be triggered if the user does not have a corresponding authenticator

    • If defined as a first-factor authentication, the enrollment must be protected (see Enable Enrollment Protection)

    • If defined as second-factor authentication, enrollment protection is optional

Note: This factor is not available in the default workflow and must be added manually. A sample workflow is provided in Contactless Card Enrollment and Authentication.

PUSH - the user authenticates by approving a push notification received on their registered device

For this type, you can also define:

  • pollTimeout - specify the timeout (in seconds) to wait for the push result (to exit the loop of polling the back end)
  • allowUserDeviceSelection - specify if the user is allowed to select the device on which to receive the push notification if they have more than one registered device (possible values are true or false)

    If set to true, the list of devices is displayed for this factor (with the device's friendly name if defined)

  • tds - specify the message displayed on the HID Approve application to prompt the user to approve or deny the authentication (by default, "Logon to portal")

  • device - server-populated list of available devices for push authentication for the user

Note: This factor is not supported for Microsoft Entra ID integrations.

QRCODE - the user authenticates by scanning a QR code without needing to provide their User ID (userID-less authentication)

Important: This method is only supported for first factor authentication.

If they do not want (or are unable) to scan the QR code and the:

  • login_hint is present in the authentication request - the IdP retrieves a workflow adapted for the user so they can select an alternative authentication method from their list of enrolled authenticators without needing to provide their User ID

  • login_hint is NOT present - the IdP displays the default workflow and the user will be required to provide their User ID to generate the list of available authenticators

For this type, you can also define:

  • forceDisplay - define (true or false) if the QR code should be displayed directly as the proposed authentication method

  • pollTimeout - specify the timeout (by default, 30 seconds) to wait for the user to scan the QR code before it expires
  • cal - specify a subset of the credential type's default approval status sent to the device for a userID-less QR code operation (by default, "accept|deny")

    For mobile applications built using the HID Approve SDK, this value must match that defined for the cal parameter of the bcauthorize endpoint.

  • tds - specify the message displayed on the HID Approve application to prompt the user to approve or deny the scanned QR code authentication (by default, "Logon to portal")

Note: The following parameters are not currently supported:
  • firstFactorsFiltering

  • retry

  • stepUp

  • allowUserDeviceSelection

LDAP - the LDAP federated user (Microsoft Azure AD or AD FS) authenticates with their directory-based password

For this type, you can also define:

  • automaticOOBEnrollment - specify the factorId of the OOB factor/authenticator to be used for auto-enrollment (for example, factor.otp_oob_adt)

    This OOB factor should be defined as a secondFactor with the corresponding LDAP factor defined in its upon parameter.

    If automaticOOBEnrollment is not defined, OOB auto-enrollment is disabled.

Note: For federated LDAP authentication:
  • The users must already be registered in HID Authentication Service

  • The registered users must not have an existing authenticator (device/credentials) as the LDAP authenticator will be automatically created

  • The workflow must be configured with LDAP as the first factor and OOB as the second factor

  • LDAP Fallback is implicitly allowed if the workflow includes an LDAP authentication factor

acr

The default HID Authentication Service authentication policies include an ACR value that defines the level of assurance (LoA) provided by the identity authentication process.

You can use this parameter to override the acr value defined in the authentication policy associated with the factor by setting a string value that corresponds to your organization’s requirements.

For example, if you define the same authentication method as both a first and second authentication factor, you can set a higher level of assurance when it is used as a second authentication factor.

For Microsoft Entra ID integrations, the value should be possessionorinherence.

Note: If multiple values are defined, they must be separated by a comma and listed by preference (most important first).

Mandatory for Microsoft Entra ID

Otherwise optional

amr Defines the authentication factor code that will be returned in the id_token

Supported values are:

  • fido - FIDO2

  • hwk - hardware-secured key

  • otp - one-time password

  • pop - proof of possession

  • sc - smart card

  • sms - text to registered number

  • swk - software-secured key

Mandatory for Microsoft Entra ID

Otherwise optional

stepUp

Defines if the user needs to provide a second authentication factor as part of the step-up workflow:

  • notRequired - if a second factor is not defined, then authentication with this first factor is sufficient

  • automatic - (default if parameter is present but not defined) if the user has a second and compatible authentication method available, then step up is enforced. Otherwise, authentication with this first factor is sufficient

  • required - (default if parameter not present) a second factor is required. Otherwise, authentication will fail

Note: For security reasons, it is recommended to implement step-up authentication. However, if step-up is required but the user does not have a second authentication factor, the authentication will fail.

Optional

retry

The maximum number of failed authentication attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider)

The default value is 1 if the parameter is not present/defined.

Note: The try count is kept per authenticator (or action). Selecting another authenticator does not reset retry count of the current authenticator.

Mandatory

oobMethods

Defines the OTP delivery methods (email and/or SMS) available to the user for OOB authentication

If not defined, the server will select the delivery adapter based on the user information and authentication policy.

You can select either email, SMS or both as well as define the message content:

  • email:

    • template - define the content of the email message:

      "MESSAGE=Use the following OTP to complete the authentication process {$secret}",

    • templateHtml - define if the email format is HTML(possible values are true or false)

  • sms:

    • template - define the content of the SMS message:

      "MESSAGE=Use the following OTP to complete the authentication process {$secret}"

If you want to localize the message, update the content with the required language codes and separate each localized message with a carriage return character (\r). For example:

"MESSAGE_en=Use the following OTP to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce code pour continuer {$secret}"

Note: The OOB method must have a defined message. For the default English and French locales, the predefined messages are applied. If you add an additional localization to the workflow, make sure you define the corresponding message with the locale code in the format illustrated above.

Optional

expirationWarningThreshold

The threshold (in seconds) after which a warning that the authenticator will expire is displayed

For further information, see Manage the Authenticators in the Authentication Flow.

Optional

For secondFactors arrays ONLY

upon

A comma-separated list of the first factor authenticator identifiers for which the second factor authentication should be triggered

For example, when a user authenticates with their static password as the first factor and you want to enforce push authentication as the second factor, specify the factorId of the static password authenticator that should trigger the push authentication step.

Note: Make sure the first authentication factor is not defined as a second factor trigger (for example, do not set factor.user_pasword to be trigger upon factor.user_pasword).

Optional

Add an Enrollment Workflow

You can add enrollment protection factors and actions to the authentication workflow allowing you to drive the user enrollment process.

This process can also include a level of protection requiring user verification as well as successful authentication before a user can access the enrollment process.

Note:
  • Configuring the enrollment workflow is currently only supported for FIDO and Contactless card authenticators

  • FIDO passkey support and the user experience during enrollment and authentication varies according to the browser

Define the Enrollment Actions

The enrollActions is a JSON array with descriptions of the enrollment actions available in the workflow and the array is then dynamically filtered using the defined accessCriteria.

Where:

Parameter Description Status

enrollId

The unique identifier of the enrollment action

Mandatory

name

The name of the action (for internal reference only)

Optional

description

The description of the action (for internal reference only)

Optional

accessCriteriaId

The unique identifier of the criteria to apply (factor is available only if the user matches the criteria)

Mandatory

code

Code of the authentication policy to use for this specific enrollment

Mandatory

type

Type of authenticator for this specific enrollment action:

  • FIDO (U2F or UAF (FIDO2))

  • CARD

Mandatory

rpId

For FIDO factors only, defines the customer back-end hostname for integrations using the API

If users will authenticate to different applications in multiple sub-domains with their FIDO passkey, specify the root domain.

For example, if the FIDO enrollment application is in enroll.companydomain.com and the FIDO authentication application is in auth.companydomain.com, the root domain value is companydomain.com

The FIDO authentication factor also supports multi-domain configuration and the root domain value must match the value defined for the FIDO enrollment action.

Optional

userVerification

For FIDO factors only, defines if the user is required to verify their presence by performing an action on the passkey (such as providing the PIN, biometric credential or touching the device-bound passkey) to access the authenticator

Possible values are:

  • required

  • preferred

  • discouraged

Mandatory

residentKey

For FIDO factors only, defines if a discoverable resident key should created on the FIDO passkey during enrollment

Possible values are:

  • discouraged - a non-resident key is preferred (that is, the user information and credential ID is stored on the server) but HID Authentication Service will accept a resident key

  • preferred - the resident key is preferred (that is, the user information and credential ID is stored on the FIDO passkey) but HID Authentication Service will accept a non-resident key

  • required - the resident key is required (that is, the user information and credential ID is stored on the FIDO passkey)

    If the request is denied by the FIDO passkey, enrollment will fail.

The default value is preferred.

Optional

authenticatorAttachment

For FIDO factors only, defines the FIDO platform that will be proposed during enrollment

Possible values are:

  • platform - only the passkey platform will be proposed (such as Microsoft Windows Hello, Google Android or Apple iOS platform keys)

    Roaming keys and or external security keys will not be proposed

  • cross-platform - all platforms will be proposed (default)

Optional
allowedAAGUIDs

For FIDO factors only, a JSON array of FIDO AAGUID (Authenticator Attestation Global Unique Identifier) to specify the passkeys that users are allowed to enroll

  • If present, only the specified passkeys can be enrolled

  • If not present, no restriction (all passkeys can be enrolled)

Optional

allowedCards

For CARD factors only, a a comma-separated list of the IDs of the allowed card applications

If none are specified, all existing card applications are allowed

Optional
defaultCard For CARD factors only, the ID of a generic card application to use for unknown cards Optional
retry

The maximum number of failed attempts to communicate with the device with this factor before the user is redirected back to the authorization request initiator (service provider)

The default value is 1.

Optional

deviceType

For FIDO factors only, code of the device type to use for this specific enrollment action

Mandatory

credentialType

For FIDO factors only, code of the credential type to use for this specific enrollment action

Mandatory

deviceBinding

Defines if the user must have a "pending" device of the specified device type to be able to enroll their credential

Possible values are:

  • required

  • notRequired

  • If absent or undefined, the value is considered to be notRequired

If you set this to required, you must:

Optional

attestationVerification

 

For FIDO factors only, defines if the user's FIDO passkey is required to provide an attestation statement for verification at enrollment

Possible values are:

  • none - the attestation statement is not required

  • direct - the attestation statement should generated by the passkey

For further information, see Enable Attestation.

Optional

enrollValidation

Defines the if enrollment should be validated by a successful authentication using the newly enrolled authenticator

Possible values are true or false.

Note: This parameter is not currently supported.

Optional

protectionFactor

Defines the protection factor applied for the enrollment action

Note: This parameter is not recommended for Microsoft Entra ID integrations.

Optional

localizationKeyRedefinition

List of redefined localization label keys

Allows to redefine (override) the default label keys present in the localization configuration.

The left part is the default key. The right part is the redefined key.

For example:

Copy
"localizationKeyRedefinition": {
	"enroll.fido.uaf.label": "enroll.fido.cust_uaf.label",
	"enroll.fido.uaf.placeholder": "enroll.fido.cust_uaf.placeholder"
}
Note: The redefined key (as the default one) must be present in the localization configuration in order to be translated to the desired label. For further information, see Customizing the Labels.

Optional

Enable Enrollment Protection

The enrollProtectionFactors JSON array contains descriptions of the authentication factors to protect the enrollment process. If defined, the user must first authenticate using the specific authenticator before accessing the enrollment process.

Where:

Parameter Description Status

protectionFactorId

The unique identifier of the protection factor

Mandatory

name

The name of the protection factor (for internal reference only)

Optional

description

The description of the protection factor (for internal reference only)

Optional

code

The code of the authentication policy to use for this protection factor

Mandatory

type

The type of authenticator for this protection factor:

LOGIN - the user enters their static password

PKI - the user authenticates using their digital certificate

FIDO - the user authenticates with a FIDO passkey

PUSH - the user authenticates by approving a push notification received on their registered device

Mandatory

retry

The maximum number of failed authentication attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider).

The default value is 1 if the parameter is not present/defined.

Note: The try count is kept per authenticator (or action). Selecting another authenticator does not reset retry count of current authenticator.

Optional

Apply Customized Labels

For each authentication factor and action, you can define customize labels to display in the interface instead of the default label keys present in the configuration.

Copy

Example of customized labels for an authentication factor

"localizationKeyRedefinition": {
	"LOGIN.name": "LOGIN.name.customer",
	"LOGIN.tooltip": "LOGIN.tooltip.customer",
	"LOGIN.input.password.label": "LOGIN.input.customer_password.label",
	"LOGIN.input.password.placeholder": "LOGIN.input.customer_password.placeholder"
}
Copy

Example of customized labels for an action

"localizationKeyRedefinition": {
	"CHANGE_PWD.title": "CHANGE_PWD.customer_title",
	"CHANGE_PWD.tooltip": "CHANGE_PWD.customer_tooltip"
}

For further information, see Customizing the Labels.

Apply Your IdP Configuration

You can apply your configuration and customization by registering the OpenID client with the required authentication flow and theme configuration dynamically using the API.

Define the Portal Parameters

The authn_portal_configuration is an array of the IdP portal parameters in the JSON format (the format is validated during the register and update operations).

  • If the parameters are present, the new IdP will be used based on the defined values

  • If empty, (set the value to " " when empty), the standard HID Authentication Service interface is displayed

It contains the following parameters:

Parameter Description Status

workflow_id

The unique identifier of the authentication configuration definition to be used for the client

The content of configuration defines the flow and authentication factors. See Create the Authentication Workflow

If absent or contains an incorrect ID, the OpenID client registration returns error.

Mandatory

theme_id

The unique identifier for theme definition

The content of the theme defines the customization for application interface such as titles and labels. See Customizing the Identity Portal

If empty, the default theme is used.

Optional

Note: The initiate_login_uri parameter is reserved for future use and should be left empty to allow use of the default HID portal.

It defines the URI where the login page will be redirected (optional):

  • If present, the value must be the URI of interface handling the IdP flow.

    HID Authentication Service checks it is a valid URI format (should be absolute URI path) and the login page will be redirected to this URI.

  • If empty, the new portal URL will be computed with the deployment URI and tenant

Configure Support for SSO

The IdP supports single sign-on (SSO) with the either the same or different clients/applications on multiple platforms.

If the authentication session is still valid, and the end user is already logged in, a new authentication request can be sent with specific parameters to log on again without being prompted to authenticate. The HID Authentication Service reuses the initial authentication session to generate an authorization code.

The SSO session is valid only if the user's login session is still valid and for the configured SSO period. The user will be prompted to log on again if either of the sessions has expired.

You can implement SSO by either:

  • Leveraging the browser's HTTP session cookie - the session token is stored in the browser's cookie

    For subsequent authentication requests, the browser sends the cookie in the request header.

    Note: The user's browser must allow cookies.
  • Sharing the id_token between the relevant clients - the second application's login page is launched by invoking the authentication endpoint with the id_token_hint as a parameter

    Depending on the client (same or different as in the initial authentication request), the HID Authentication Service returns a new id_token with the "aud" claim set to the client.

    Note:
    • The id_token_hint takes precedence over the session cookie
    • The sharing mechanism is out of the scope of the HID Authentication Service)

To enable SSO support, configure the following OpenID client parameters:

Parameter Description

hid_federation_audiences

To allow other applications to use the user's authenticated session for this client application (for example, client_INIT), add the OpenID client ID of the allowed application(s), where the format of the value should be a regular expression.

For example, in the following use cases:

  • To allow access for one or more applications, use the format client_ID1|client_ID2

  • To allow access for all clients with a specific ID (for example, starting with 'HID'), set the value to ^HID.*

hid_sso_session_validity

In the configuration of the client application(s) that will use the SSO session, define the maximum age limit of the existing SSO session (in seconds and greater than 0).

If a user tries to log on after this limit is reached, and even if the initial authenticated session is still valid, they will be required to re-authenticate.

The default value is 0 and if the parameter is not present (or set to 0), SSO support is disabled.

For example, to support SSO between client_INIT and client_ID1:

  1. For client_INIT, add client_ID1 as an allowed client in the hid_federation_audiences parameter.

  2. On client_ID1, define that the session of client_INIT must be less than 600 seconds (that is, 10 minutes) in the hid_sso_session_validity parameter.

  • If the initial authenticated session of the client_INIT application is less than 10 minutes, SSO is available and users will not be prompted to authenticate to use the client_ID1 application

  • If the initial session is longer than 10 minutes, SSO is not possible and users will be prompted to authenticate to use the client_ID1 application

You can then control the SSO behavior using the parameters defined in the second authentication request:

Important: SSO Support for Multiple Applications with Different Workflow Configurations

Any application that wants to access the SSO session of an authenticated application should have a compatible workflow configuration where the SSO session's authentication type should be one of the requesting application's authentication factors.

SSO is possible if the required authentication type is:

  • One of requesting application's second authentication factors

  • One of requesting application's first authentication factors and this factor does not require step-up authentication

Otherwise, the user will be prompted:

  • For step-up authentication if the required type is one of requesting application's first authentication factors and this factor does require step-up authentication

  • To re-authenticate if the required type is not one of requesting application's authentication factors (first or second)

Manage the Authenticators in the Authentication Flow

Already Expired

When the password has expired and the Change Password action is allowed by the current authenticator, the user is redirected to the Change Password flow with an error notification.

If the Change Password action is not allowed, user is redirected to back end with an error message.