Configuring the Identity Portal Workflow
To configure the new IdP, you need to define the authentication configuration and the interface customization/localization.
You can then register the OpenID client for your application and set the required configuration and interface.
Several sample workflows are provided for illustration purposes.
Create the Authentication Workflow
You can create and customize authentication workflows using the Custo/IDPWorkflows endpoint.
In the configuration payload, you define the various flow elements:
-
Specify the theme to apply a customized interface and labels
-
Define the authentication methods (first and second factors) available to the user
To update the template, use:
PUT https://[base-server-url]/configuration/<tenant>/v2/Custo/IDPWorkflows/{id}
To delete the template, use:
DELETE https://[base-server-url]/configuration/<tenant>/v2/Custo/IDPWorkflows/{id}
Define the Theme
The theme defines the design and customization of the interface (including labels).
The "theme_id": "ID_THEME1" is the unique identifier for the theme configuration.
If it is not present or empty, the portal uses the default design and labels.
For further information about the default theme and create a customized theme, see Customizing the Identity Portal.
Filter Based on Access Criteria
You can define the authentication factors to display based on the authorization request and user context (such as the user's available authenticators, groups membership, etc.).
The filters can be used with actions, authentication factors and enrollment factors defined in the authentication workflow template.
Access Criteria Parameters
"accessCriteria": [
{
"accessCriteriaId": "access_criteria.ssp",
"authenticators": {
"firstFactorsFiltering": true,
"secondFactorsFiltering": true,
"acrFiltering": false
}
}
],
Where accessCriteria is a JSON array with descriptions of the filtering parameters:
Define the Actions
The actions define how the IdP will display and handle the actions a user can perform based on those available in the template.
Actions Parameters
"actions": [
{
"actionId": "action.change_password",
"accessCriteriaId": "access_criteria.common_to_all",
"type": "CHANGE_PWD",
"retry": 3,
"input.old_password": {
"constraints": {
"minLength": 1,
"maxLength": 50
}
},
"input.new_password": {
"constraints": {
"minLength": 1,
"maxLength": 50
}
},
"input.confirm_new_password": {
"constraints": {
"minLength": 1,
"maxLength": 50
}
},
"localizationKeyRedefinition": {
"LOGIN.name": "LOGIN.name.customer",
"LOGIN.tooltip": "LOGIN.tooltip.customer",
"LOGIN.input.password.label": "LOGIN.input.customer_password.label",
"LOGIN.input.password.placeholder": "LOGIN.input.customer_password.placeholder"
}
},
{
"actionId": "action.forgot_password",
"accessCriteriaId": "access_criteria.ssp",
"type": "FORGOT_PWD",
"validityPeriod" : 900,
"retry": 3,
"resetPasswordMethods": {
"email": {
"template": "MESSAGE_en=Use the following OTP to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce code pour continuer {$secret}",
"templateHtml": false
},
"sms": {
"template": "MESSAGE_en=Use the following OTP to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce code pour continuer {$secret}"
},
"actionProtection": {
"mode": "automatic",
"factors": "factor.otp_token, factor.push_authentication"
}
}
}
]
Where actions is a JSON array with descriptions of the actions available in the workflow and the array is then dynamically filtered using the defined accessCriteria.
The array can be configured with the following parameters (mandatory and optional):
Parameter | Description | Status |
---|---|---|
actionId |
The unique identifier of the action |
Mandatory |
name |
The name of the action (for internal reference only) |
Optional |
description |
The description of the action (for internal reference only) |
Optional |
accessCriteriaId |
The unique identifier of the criteria to apply (action is available only if the user matches the criteria) |
Mandatory |
type |
The type of action that can be performed |
Mandatory |
CHANGE_PWD - the user can click the 'Change your Password' link if the action.change_password action is defined for the factor The user is redirected to the 'Change Password' flow. |
||
FORGOT_PWD - the user can click the 'Forgot your Password?' link if the action.request_reset_password action is defined for the factor The user is redirected to the 'Reset Password' flow. The user can select the temporary password delivery method if resetPasswordMethods is present/defined. |
||
validityPeriod |
For FORGOT_PWD only, the validity (in seconds) of the temporary password The default value is 900 seconds. |
Mandatory |
retry |
The maximum number of failed action attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider) The try count is kept per action. Selecting another authenticator does not reset the retry count. |
Optional |
Define the temporary password delivery methods (email and/or SMS) available to the user when they have forgotten their password If not defined, the server will select the delivery adapter based on the user information and authentication policy. You can select either email, SMS or both, as well as specify the message content:
If you want to localize the message, update the content with the required language codes and separate each localized message with a carriage return character (\r). For example: "MESSAGE_en=Use the following temporary password to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce mot de passe temporaire pour continuer {$secret}" |
Optional |
The password input field is validated with the following constraints dynamically applied by the server:
-
minLength - minimum number of the characters required for the password
-
maxLength - maximum number of the characters allowed for the password
If constraints are not defined, the IdP uses the following default values:
-
minLength - 1 characters
-
maxLength - 50 characters
Define the Authentication Factors
The authentication factors define how the IdP will display and handle the authentication templates.
Authentication Factor Parameters
"firstFactors": [
{
"factorId": "factor.user_pasword",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_CUSTPWD",
"type": "LOGIN",
"acr": "acr_up",
"stepUp": "automatic",
"retry": 3,
"actions": [
"action.change_password",
"action.forgot_password"
]
"localizationKeyRedefinition": {
"LOGIN.name": "LOGIN.name.customer",
"LOGIN.tooltip": "LOGIN.tooltip.customer",
"LOGIN.input.password.label": "LOGIN.input.customer_password.label",
"LOGIN.input.password.placeholder": "LOGIN.input.customer_password.placeholder"
},
},
{
"factorId": "factor.pki",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_EMPPKI",
"type": "PKI",
"stepUp": "notRequired",
},
{
"factorId": "factor.oob_user_accode",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_EMPOOB",
"type": "CODE",
"stepUp": "required",
"retry": 3,
"oobMethods": {
"email": {
"template": "<myemailtemplatevalue>",
"templateHtml": false
},
"sms": {
"template": "<mysmstemplatevalue>"
}
}
},
{
"factorId": "factor.user_pasword_ldap",
"accessCriteriaId": "access_criteria.ssp",
"code": "AT_LDAP",
"type": "LDAP",
"acr": "acr_up",
"stepUp": "automatic",
"retry": 3,
"automaticOOBEnrollment": "factor.otp_oob_adt",
"localizationKeyRedefinition": {
"LDAP.name": "LDAP.name.user_pasword_ldap",
"LDAP.tooltip": "LDAP.tooltip.user_pasword_ldap"
}
},
{
"factorId": "factor.qrcode",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_PASA",
"type": "QRCODE",
"acr": "3",
"forceDisplay": true,
"deviceType":"DT_TDSV4",
"cal": "accept|deny",
"tds": "Logon to portal"
},
{
"factorId": "factor.fido",
"accessCriteriaId": "access_criteria.common_to_all",
"type": "FIDO",
"code": "AT_FIDO",
"acr": "acr_fido",
"stepUp": "notRequired",
"rpId":"hostname",
"retry": 3,
"userVerification": "required",
"discoverCredentialsInDevice": "true",
"enrollActions": [
"enroll_action.fido"
]
},
{
"factorId": "factor.cardauth",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_CARD",
"type": "CARD",
"acr": "possession",
"amr": "pop",
"stepUp": "notRequired",
"retry": 3
},
{
"factorId": "factor.cardentra",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_CARD",
"type": "CARD",
"acr": "possessionorinherence",
"amr": "pop",
"stepUp": "notRequired",
"retry": 3
}
],
"secondFactors": [
{
"factorId": "factor.push_authentication",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_PASA-2FA",
"type": "PUSH",
"acr": "acr_push",
"retry": 3,
"pollTimeout": 30,
"okStatus": "approved",
"upon": "factor.user_pasword,factor.user_pasword_ldap",
"allowUserDeviceSelection": true,
"tds": "Logon to portal",
"device": {
}
},
{
"factorId": "factor.otp_token",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_CUSTOTP-2FA",
"type": "OTP",
"acr": "acr_otp",
},
{
"factorId": "factor.fido_u2f",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_FIDO_U2F",
"type": "FIDO",
"acr": "acr_fido_uaf",
"rpId":"hostname",
"retry": 3,
"userVerification": "required",
"upon": "factor.user_pasword"
},
{
"factorId": "factor.otp_user_accode",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_EMPOOB",
"type": "OTP",
"retry": 3,
"upon": "factor.oob_user_accode"
},
{
"factorId": "factor.otp_oob_adt",
"accessCriteriaId": "access_criteria.common_to_all",
"code": "AT_OOBADT",
"type": "OOB",
"retry": 3,
"upon": [
"factor.user_password_ldap"
],
"oobMethods": {
"email": {
"template": "MESSAGE_en=Please use the OTP below to complete the authentication process: {$secret}.",
"templateHtml": false
}
}
}
],
Where firstFactors and secondFactors are JSON arrays with descriptions of the authentication template and the array is then dynamically filtered using the defined accessCriteria.
The factor arrays can be configured with the following parameters (mandatory and optional):
Parameter | Description | Status |
---|---|---|
factorId |
The unique identifier of the authentication factor |
Mandatory |
name |
The name of the factor (for internal reference only) |
Optional |
description |
The description of the factor (for internal reference only) |
Optional |
accessCriteriaId |
The unique identifier of the criteria to apply (authentication factor available only if user match criteria) |
Mandatory |
code |
The code of the authentication policy to use for this specific factor |
Mandatory |
The type of authenticator for this specific factor |
Mandatory |
|
LOGIN - the user enters their static password For this type, you can also add the optional actions parameter to define the links available to the user for the authentication factor. Possible values are:
|
||
OTP - the user enters an OTP generated using a registered device |
||
OOB - the server triggers the delivery of an OTP The user can select the OTP delivery method if oobMethods is present/defined. |
||
CODE - the user enters their activation code to trigger the delivery of an OTP The user can select the OTP delivery method if oobMethods is present/defined. Important: When combining the CODE type with another type as part of a step-up workflow, the authentication policy must be the same for the first and second factors.
|
||
PKI - the user authenticates with their digital certificate |
||
FIDO - the user authenticates with a FIDO passkey For this type, you can also define:
|
||
CARD - the user authenticates with their contactless smart card For this type, you can also define:
Note: This factor is not available in the default workflow and must be added manually. A sample workflow is provided in Contactless Card Enrollment and Authentication.
|
||
PUSH - the user authenticates by approving a push notification received on their registered device For this type, you can also define:
Note: This factor is not supported for Microsoft Entra ID integrations.
|
||
QRCODE - the user authenticates by scanning a QR code without needing to provide their User ID (userID-less authentication) Important: This method is only supported for first factor authentication.
If they do not want (or are unable) to scan the QR code and the:
For this type, you can also define:
Note: The following parameters are not currently supported:
|
||
LDAP - the LDAP federated user (Microsoft Azure AD or AD FS) authenticates with their directory-based password For this type, you can also define:
Note: For federated LDAP authentication:
|
||
acr |
The default HID Authentication Service authentication policies include an ACR value that defines the level of assurance (LoA) provided by the identity authentication process. You can use this parameter to override the acr value defined in the authentication policy associated with the factor by setting a string value that corresponds to your organization’s requirements. For example, if you define the same authentication method as both a first and second authentication factor, you can set a higher level of assurance when it is used as a second authentication factor. For Microsoft Entra ID integrations, the value should be possessionorinherence. Note: If multiple values are defined, they must be separated by a comma and listed by preference (most important first).
|
Mandatory for Microsoft Entra ID Otherwise optional |
amr | Defines the authentication factor code that will be returned in the id_token Supported values are:
|
Mandatory for Microsoft Entra ID Otherwise optional |
stepUp |
Defines if the user needs to provide a second authentication factor as part of the step-up workflow:
Note: For security reasons, it is recommended to implement step-up authentication. However, if step-up is required but the user does not have a second authentication factor, the authentication will fail.
|
Optional |
retry |
The maximum number of failed authentication attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider) The default value is 1 if the parameter is not present/defined. Note: The try count is kept per authenticator (or action). Selecting another authenticator does not reset retry count of the current authenticator.
|
Mandatory |
Defines the OTP delivery methods (email and/or SMS) available to the user for OOB authentication If not defined, the server will select the delivery adapter based on the user information and authentication policy. You can select either email, SMS or both as well as define the message content:
If you want to localize the message, update the content with the required language codes and separate each localized message with a carriage return character (\r). For example: "MESSAGE_en=Use the following OTP to complete the authentication process {$secret}\r MESSAGE_fr=Utilisez ce code pour continuer {$secret}" Note: The OOB method must have a defined message. For the default English and French locales, the predefined messages are applied. If you add an additional localization to the workflow, make sure you define the corresponding message with the locale code in the format illustrated above.
|
Optional |
|
expirationWarningThreshold |
The threshold (in seconds) after which a warning that the authenticator will expire is displayed For further information, see Manage the Authenticators in the Authentication Flow. |
Optional |
For secondFactors arrays ONLY | ||
A comma-separated list of the first factor authenticator identifiers for which the second factor authentication should be triggered For example, when a user authenticates with their static password as the first factor and you want to enforce push authentication as the second factor, specify the factorId of the static password authenticator that should trigger the push authentication step. Note: Make sure the first authentication factor is not defined as a second factor trigger (for example, do not set factor.user_pasword to be trigger upon factor.user_pasword).
|
Optional |
Add an Enrollment Workflow
You can add enrollment protection factors and actions to the authentication workflow allowing you to drive the user enrollment process.
This process can also include a level of protection requiring user verification as well as successful authentication before a user can access the enrollment process.
Configuring the enrollment workflow is currently only supported for FIDO and Contactless card authenticators
FIDO passkey support and the user experience during enrollment and authentication varies according to the browser
Define the Enrollment Actions
The enrollActions is a JSON array with descriptions of the enrollment actions available in the workflow and the array is then dynamically filtered using the defined accessCriteria.
Enrollment Action Parameters
"enrollActions": [
{
"enrollId": "enroll_action.fido",
"accessCriteriaId": "access_criteria.common_to_all",
"type": "FIDO",
"code": "AT_FIDO",
"rpId": "hostname",
"userVerification": "required",
"residentKey": "required",
"authenticatorAttachment": "cross-platform",
"allowedAAGUIDs": ["b93fd961-f2e6-462f-b122-82002247de78","ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4"],
"retry": 3,
"deviceType": "DT_FIDO",
"credentialType": "CT_FIDOU2F",
"deviceBinding": "required",
"attestationVerification": "direct",
"protectionFactor": "enroll_protection.user_password"
},
{
"enrollId": "enroll_action.fido_uaf",
"accessCriteriaId": "access_criteria.common_to_all",
"type": "FIDO",
"code": "AT_FIDO_UAF",
"rpId": "hostname",
"userVerification": "required",
"deviceType": "DT_FIDO",
"credentialType": "CT_FIDO",
"deviceBinding": "required",
"attestationVerification": "direct",
"protectionFactor": "enroll_protection.user_password"
},
{
"enrollId": "enroll_action.push",
"accessCriteriaId": "access_criteria.common_to_all",
"type": "PUSH",
"code": "AT_SMK",
"manual": true,
"userVerification": "required",
"deviceType": "DT_TDSV4",
"deviceBinding": "required",
"protectionFactor": "enroll_protection.user_password"
},
{
"enrollId": "enroll_action.card",
"accessCriteriaId": "access_criteria.common_to_all",
"type": "CARD",
"code": "enrollaction1",
"allowedCards": [
"APP_CARD"
],
"retry": 3,
"deviceBinding": "notRequired",
"protectionFactor": "enroll_protection.user_password"
},
{
"enrollId": "enroll_action.hw_token",
"accessCriteriaId": "access_criteria.common_to_all",
"type": "TOKEN",
"code": "AT_OTP",
"userVerification": "required",
"deviceType": "DT_TK1V2",
"deviceBinding": "required",
"protectionFactor": "enroll_protection.user_password"
}
]
Where:
Parameter | Description | Status |
---|---|---|
enrollId |
The unique identifier of the enrollment action |
Mandatory |
name |
The name of the action (for internal reference only) |
Optional |
description |
The description of the action (for internal reference only) |
Optional |
accessCriteriaId |
The unique identifier of the criteria to apply (factor is available only if the user matches the criteria) |
Mandatory |
code |
Code of the authentication policy to use for this specific enrollment |
Mandatory |
type |
Type of authenticator for this specific enrollment action:
|
Mandatory |
For FIDO factors only, defines the customer back-end hostname for integrations using the API If users will authenticate to different applications in multiple sub-domains with their FIDO passkey, specify the root domain. For example, if the FIDO enrollment application is in enroll.companydomain.com and the FIDO authentication application is in auth.companydomain.com, the root domain value is companydomain.com The FIDO authentication factor also supports multi-domain configuration and the root domain value must match the value defined for the FIDO enrollment action. |
Optional |
|
userVerification |
For FIDO factors only, defines if the user is required to verify their presence by performing an action on the passkey (such as providing the PIN, biometric credential or touching the device-bound passkey) to access the authenticator Possible values are:
|
Mandatory |
For FIDO factors only, defines if a discoverable resident key should created on the FIDO passkey during enrollment Possible values are:
The default value is preferred. |
Optional |
|
authenticatorAttachment |
For FIDO factors only, defines the FIDO platform that will be proposed during enrollment Possible values are:
|
Optional |
allowedAAGUIDs |
For FIDO factors only, a JSON array of FIDO AAGUID (Authenticator Attestation Global Unique Identifier) to specify the passkeys that users are allowed to enroll
|
Optional |
allowedCards |
For CARD factors only, a a comma-separated list of the IDs of the allowed card applications If none are specified, all existing card applications are allowed |
Optional |
defaultCard | For CARD factors only, the ID of a generic card application to use for unknown cards | Optional |
retry |
The maximum number of failed attempts to communicate with the device with this factor before the user is redirected back to the authorization request initiator (service provider) The default value is 1. |
Optional |
deviceType |
For FIDO factors only, code of the device type to use for this specific enrollment action |
Mandatory |
credentialType |
For FIDO factors only, code of the credential type to use for this specific enrollment action |
Mandatory |
deviceBinding |
Defines if the user must have a "pending" device of the specified device type to be able to enroll their credential Possible values are:
If you set this to required, you must:
|
Optional |
attestationVerification
|
For FIDO factors only, defines if the user's FIDO passkey is required to provide an attestation statement for verification at enrollment Possible values are:
For further information, see Enable Attestation. |
Optional |
enrollValidation |
Defines the if enrollment should be validated by a successful authentication using the newly enrolled authenticator Possible values are true or false. Note: This parameter is not currently supported.
|
Optional |
protectionFactor |
Defines the protection factor applied for the enrollment action Note: This parameter is not recommended for Microsoft Entra ID integrations.
|
Optional |
localizationKeyRedefinition |
List of redefined localization label keys Allows to redefine (override) the default label keys present in the localization configuration. The left part is the default key. The right part is the redefined key. For example: Copy
Note: The redefined key (as the default one) must be present in the localization configuration in order to be translated to the desired label. For further information, see Customizing the Labels.
|
Optional |
Enable Enrollment Protection
The enrollProtectionFactors JSON array contains descriptions of the authentication factors to protect the enrollment process. If defined, the user must first authenticate using the specific authenticator before accessing the enrollment process.
Enrollment Protection Factor Parameters
"enrollProtectionFactors": [
{
"protectionFactorId": "enroll_protection.user_password",
"code": "AT_CUSTPWD",
"type": "LOGIN",
"retry": 3
}
]
Where:
Parameter | Description | Status |
---|---|---|
protectionFactorId |
The unique identifier of the protection factor |
Mandatory |
name |
The name of the protection factor (for internal reference only) |
Optional |
description |
The description of the protection factor (for internal reference only) |
Optional |
code |
The code of the authentication policy to use for this protection factor |
Mandatory |
type |
The type of authenticator for this protection factor: LOGIN - the user enters their static password PKI - the user authenticates using their digital certificate FIDO - the user authenticates with a FIDO passkey PUSH - the user authenticates by approving a push notification received on their registered device |
Mandatory |
retry |
The maximum number of failed authentication attempts allowed with this factor before the user is redirected back to the authorization request initiator (service provider). The default value is 1 if the parameter is not present/defined. Note: The try count is kept per authenticator (or action). Selecting another authenticator does not reset retry count of current authenticator.
|
Optional |
Apply Customized Labels
For each authentication factor and action, you can define customize labels to display in the interface instead of the default label keys present in the configuration.
Example of customized labels for an authentication factor
"localizationKeyRedefinition": {
"LOGIN.name": "LOGIN.name.customer",
"LOGIN.tooltip": "LOGIN.tooltip.customer",
"LOGIN.input.password.label": "LOGIN.input.customer_password.label",
"LOGIN.input.password.placeholder": "LOGIN.input.customer_password.placeholder"
}
Example of customized labels for an action
"localizationKeyRedefinition": {
"CHANGE_PWD.title": "CHANGE_PWD.customer_title",
"CHANGE_PWD.tooltip": "CHANGE_PWD.customer_tooltip"
}
For further information, see Customizing the Labels.
Apply Your IdP Configuration
You can apply your configuration and customization by registering the OpenID client with the required authentication flow and theme configuration dynamically using the API.
Sample client registration request
POST https://[base-server-url]/{tenant}/authn/register HTTP/1.1
Connection: close
Content-Type: application/json
Authorization: Bearer RTp7HwAAAX7pKILI4bo5OxW08phxBTRYLrz1Gn8R
Content-Length: 914
Host: host.com
User-Agent: Apache-HttpClient/4.5.5 (Java/16.0.1)
{
"redirect_uris": ["http://localhost", "http://localhost:4200"],
"client_name": "OpenID Client New IdP",
"client_id": "spl-idp",
"client_secret": "password01",
"hid_client_channel": "CH_DIRECT",
"hid_client_pwd_policy": "AT_SYSLOG",
"hid_client_pki_policy": "AT_SYSPKI",
"hid_user_channel": "CH_CSTPORT",
"hid_user_authn_policy": "AT_CUSTPW",
"hid_sessiontransfer_type": "NUM001",
"hid_client_group": "USG_SYS",
"backchannel_token_delivery_mode": "poll",
"hid_client_scopes": {
"scopes":[
{
"openid":{
"description":"Description of your scope here","claims":{
"userinfo":{
"usr.TITLE":{
"essential":true
},
"usr.DOB":{
"essential":false
}
},
"id_token":{
"usr.groupids":{
"essential":true
},
"usr.roles":{
"essential":false
},
"acr":{
"essential":true
}
}
}
}
},
"profile"
]
},
"initiate_login_uri": "",
"authn_portal_configuration": {
"workflow_id": "ID_FLOW_PUSH_STEPUP",
"theme_id": "ID_THEME_CUSTO"
},
"hid_sso_session_validity": "1200",
"hid_federation_audiences": "client_ID1|client_ID2"
}
Sample Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"hid_sessiontransfer_type": "NUM001",
"initiate_login_uri": "",
"authn_portal_configuration": {
"workflow_id": "ID_FLOW_PUSH_STEPUP",
"theme_id": "ID_THEME_CUSTO"
},
"hid_sso_session_validity": "1200",
"hid_federation_audiences": "client_ID1|client_ID2",
"registration_client_uri": https://[base-server-url]/{tenant}/authn/register/spl-idp,
"userinfo_signed_response_alg": "RS256",
"token_endpoint_auth_method": "client_secret_post",
"client_id": "spl-idp",
"hid_federation_roles": ".*",
"hid_client_consentprompt": "true",
"hid_client_scopes": "{\"scopes\":[{\"email\":{\"description\":\"Email Address\",\"claims\":{\"userinfo\":{\"usr.ATR_EMAIL\":{\"essential\":true}}}}},{\"phone\":{\"description\":\"Phone Number\",\"claims\":{\"userinfo\":{\"usr.PHONE\":{\"essential\":true}}}}},{\"profile\":{\"description\":\"User profile\",\"claims\":{\"userinfo\":{\"usr.DOB\":{\"essential\":true}}}}},\"openid\"]}",
"hid_ciba_callback_format_plain": "false",
"require_pushed_authorization_requests": "false",
"hid_user_authn_policy": "AT_CUSTPW",
"client_id_issued_at": 1655716755,
"tls_client_certificate_bound_access_tokens": false,
"backchannel_token_delivery_mode": "poll",
"client_name": "OpenID Client New IdP",
"grant_types": [
"client_credentials",
"password",
"authorization_code"
],
"hid_refresh_token_validity": "3600",
"redirect_uris": [
http://localhost,
http://localhost:4200
],
"hid_client_channel": "CH_DIRECT",
"hid_client_pwd_policy": "AT_SYSLOG",
"hid_ciba_poll_interval": "5",
"hid_client_pki_policy": "AT_SYSPKI",
"hid_user_channel": "CSTPORT",
"pushed_authorization_request_validity": "600"
}
Define the Portal Parameters
The authn_portal_configuration is an array of the IdP portal parameters in the JSON format (the format is validated during the register and update operations).
-
If the parameters are present, the new IdP will be used based on the defined values
-
If empty, (set the value to " " when empty), the standard HID Authentication Service interface is displayed
It contains the following parameters:
Parameter | Description | Status |
---|---|---|
workflow_id |
The unique identifier of the authentication configuration definition to be used for the client The content of configuration defines the flow and authentication factors. See Create the Authentication Workflow If absent or contains an incorrect ID, the OpenID client registration returns error. |
Mandatory |
theme_id |
The unique identifier for theme definition The content of the theme defines the customization for application interface such as titles and labels. See Customizing the Identity Portal If empty, the default theme is used. |
Optional |
It defines the URI where the login page will be redirected (optional):
If present, the value must be the URI of interface handling the IdP flow.
HID Authentication Service checks it is a valid URI format (should be absolute URI path) and the login page will be redirected to this URI.
If empty, the new portal URL will be computed with the deployment URI and tenant
Configure Support for SSO
The IdP supports single sign-on (SSO) with the either the same or different clients/applications on multiple platforms.
If the authentication session is still valid, and the end user is already logged in, a new authentication request can be sent with specific parameters to log on again without being prompted to authenticate. The HID Authentication Service reuses the initial authentication session to generate an authorization code.
The SSO session is valid only if the user's login session is still valid and for the configured SSO period. The user will be prompted to log on again if either of the sessions has expired.
You can implement SSO by either:
-
Leveraging the browser's HTTP session cookie - the session token is stored in the browser's cookie
For subsequent authentication requests, the browser sends the cookie in the request header.
Note: The user's browser must allow cookies. -
Sharing the id_token between the relevant clients - the second application's login page is launched by invoking the authentication endpoint with the id_token_hint as a parameter
Depending on the client (same or different as in the initial authentication request), the HID Authentication Service returns a new id_token with the "aud" claim set to the client.
Note:- The id_token_hint takes precedence over the session cookie
- The sharing mechanism is out of the scope of the HID Authentication Service)
To enable SSO support, configure the following OpenID client parameters:
Parameter | Description |
---|---|
hid_federation_audiences |
To allow other applications to use the user's authenticated session for this client application (for example, client_INIT), add the OpenID client ID of the allowed application(s), where the format of the value should be a regular expression. For example, in the following use cases:
|
hid_sso_session_validity |
In the configuration of the client application(s) that will use the SSO session, define the maximum age limit of the existing SSO session (in seconds and greater than 0). If a user tries to log on after this limit is reached, and even if the initial authenticated session is still valid, they will be required to re-authenticate. The default value is 0 and if the parameter is not present (or set to 0), SSO support is disabled. |
For example, to support SSO between client_INIT and client_ID1:
-
For client_INIT, add client_ID1 as an allowed client in the hid_federation_audiences parameter.
-
On client_ID1, define that the session of client_INIT must be less than 600 seconds (that is, 10 minutes) in the hid_sso_session_validity parameter.
-
If the initial authenticated session of the client_INIT application is less than 10 minutes, SSO is available and users will not be prompted to authenticate to use the client_ID1 application
-
If the initial session is longer than 10 minutes, SSO is not possible and users will be prompted to authenticate to use the client_ID1 application
You can then control the SSO behavior using the parameters defined in the second authentication request:
The following is the behavior when a session cookie is present, the corresponding session context is for the same user and the user is already authenticated.
If one of these conditions is not met, the user is prompted for their credentials.
Value | SSO Behavior |
---|---|
Not present |
|
none (silent login) |
|
login |
|
consent |
|
Value | SSO Behavior |
---|---|
Not present | Use the value of the SSO validity period configured for the client |
Defined value |
If the existing session is older than the max_age value (even if it is still valid), the user needs to log on again The value should not be higher than the value of the SSO validity configured for the client. If it is, the HID Authentication Service will apply the max_age value configured for the client. |
Value | SSO Behavior |
---|---|
Not present | Search for SSO sessions based on the session cookie |
Present | If the user's session corresponding to the id_token_hint is still valid, no prompt for credentials |
You can also refine the behavior using the prompt and max_age parameters.
Value | SSO Behavior |
---|---|
Not present | Prompt for a user name or use the user in an SSO session if it exists and is valid |
Present |
|
-
If the scope for the second authentication is included in that of the initial authentication, and other SSO conditions are satisfied, the application can use the SSO session of the initial authentication
-
If scope for the second authentication is not included, the SSO behavior depends on the value of the prompt parameter
At initial authentication, the acr value is stored in the session context along with the client_id and scopes.
When it receives the second authentication request, the HID Authentication Service allows the use of the SSO session if the acr from the initial authentication satisfy the acr_values from of the second authentication.
If the acr value for the second authentication is not satisfied, the SSO behavior depends on the value of the prompt parameter:
-
If step-up is possible, the user is prompted to authenticate
-
If step-up is not possible, the user is prompted to re-authenticate with a factor(s) that satisfies the acr value
For further information ACR values, see the OpenID Core specification.
Any application that wants to access the SSO session of an authenticated application should have a compatible workflow configuration where the SSO session's authentication type should be one of the requesting application's authentication factors.
SSO is possible if the required authentication type is:
One of requesting application's second authentication factors
One of requesting application's first authentication factors and this factor does not require step-up authentication
Otherwise, the user will be prompted:
For step-up authentication if the required type is one of requesting application's first authentication factors and this factor does require step-up authentication
To re-authenticate if the required type is not one of requesting application's authentication factors (first or second)
Sample request for cookie-based SSO where the user can access the resource without being prompted to log on or sign the consent again
https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=code&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=none
Sample request for cookie-based SSO where the user is prompted to sign the consent (with or without being prompted to log on again)
https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=code&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=consent
Sample request for id_token-based SSO where the user can access the resource without being prompted to log on or sign the consent again
https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=id_token&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=none&id_token_hint=eyJraWQiOiIxNjQ2OTMxNzgwNjYzIiwidHlwIjoiSldUIiwiYW..aX7OPI2IWbsC3NsniVH18rWBr2bGKlVB53gAypM2-IAoQWksnlcM9wvHp_eQefZnbqung
Where the returned id_token is that of the first request if id_token is in the response_type, or id_token can be obtained at the token endpoint and introspect endpoint later on
Sample request for id_token-based SSO where the user can access the resource without being prompted to log on but always prompt for consent
https://[base-server-url]/{tenant}/authn/login?client_id=client_ID1&response_type=code&scope=openid+profile&redirect_uri=http://localhost:8080&prompt=consent
Where a new id_token is returned. For example, to get an id_token via the hybrid flow:
https://[base-server-url]/\{tenant}/authn/login?client_id=client_ID1&response_type=code+id_token&scope=openid+profile&redirect_uri=http://localhost:8080
Manage the Authenticators in the Authentication Flow
Already Expired
When the password has expired and the Change Password action is allowed by the current authenticator, the user is redirected to the Change Password flow with an error notification.
If the Change Password action is not allowed, user is redirected to back end with an error message.