User Authentication

Component Overview

Component Package

com.hid.olb.loginComponent

User Interface

Yes, the First Factor and MFA screens will be added based on the options selected in the Component Properties.

Platforms Supported Web
Functionality This component is used for user login.
Available from Version 12.0.0

Server and Client App Properties

Mandatory Server Properties HID_HOST

<HID Authentication Service Host>

(e.g., test123.aaas.hidcloud.com)

HID_KONY_APP_KEY

<App key of the fabric application>

(e.g., h728h89031832jdy9292)

HID_KONY_APP_SECRET

<App secret of the fabric application>

(e.g., 89bv2894673792003jy2)

HID_IS_FETCH_USER_ATTRIBUTES

<Identity provider service value>

(e.g., false)

Note:

If you set the identity provider service to DbxUserLogin (Custom Identity) instead of customHIDLogin, ensure its value is set to true. The default value is false.

HID_CIBA_API_PORT

<Port for the CIBA Callback URL>

(e.g., 443)

Note:

In cases where the value is different from the usual 443, it is mandatory to add this server property and provide the port value.

HID_PUSH_LOGON_AUTH_TYPE

<Push logon authenticator type>

(e.g., AT_PASA)

HID_PUSH_LOG_CHANNEL

<Channel ID for push>

(e.g., CH_PASA)

HID_REDIRECT_URI <Redirect url set for the FIDO tenant>
HID_AS_CLIENT_ID <Client Id for the tenant>
HID_PASSWORD_AUTHTYPE <Static Password Authenticator if other than AT_STDPWD>
HID_OOB_SMS_OTP_AUTHTYPE <OOB SMS Authenticator if other than AT_OOBSMS>
HID_OOB_EMAIL_OTP_AUTHTYPE <OOB Email Authenticator if other than AT_OOBEML>
HID_DEVICE_TYPE <Device type to be used for Approve if other than DT_TDSV4>
HID_SECURE_OTP_AUTHTYPE <HID Approve OTP Authenticator if other than AT_EMPOTP>
HID_HARDWARE_OTP_AUTHTYPE <Hardware Token OTP Authenticator if other than AT_OTP>
HID_IDP_CHANNEL_ID

<End user channel ID>

(e.g., CH_EXTRAPP)

HID_API_VERSION <This server property defines the API version for the Authentication Service and Appliance, ensuring that updated APIs are used. (The default value is 10 for Authentication Service and 3 for Appliance.)>
HID_IS_MFA_REQUIRED

<This setting enables the user to activate/deactivate the Multi-factor authentication (MFA)>

(Default: true)

HID_CACHE_EXPIRY_TIME 120 (by default)
HID_SMS_MSG_TEMPLATE <Use # as your OTP for authentication. DO NOT share this OTP with anyone>
HID_IS_GATEWAY_ENABLED

True: HID generates and sends the OTP.

False: HID generates the OTP, but Infinity sends it.

HID_SMS_DEVICE_TYPE

<The device type for SMS>

Value: DT_OOBSMS (by default)

HID_EMAIL_DEVICE_TYPE

<The device type for email>

Value : DT_OOBEML (by default)

Mandatory Client App Properties HID_IS_APPLIANCE True / False

View Sample Server Settings

Authentication Component Properties

S.No. Property Name Allowed Values Purpose
1 isRMSEnabled Radio button to select (on/off) This property determines whether Risk Management Sysytem (RMS) is active or not.
2 tmCookieTag <RMS Cookie will have this value> This property determines the value of RMS cookie for device tag.
3 tmCookieSid <RMS Cookie will have this value> This property determines the value of RMS cookie for session id.
4 adaptiveAuth JSON object This property determines the value as JSON object to choose adaptive auth based on RMS score.
5 isRMSReadOnly Radio button to select (on/off) This property determines whether RMS is read only or not.
6 ServiceName  Selection Used to Get TDS Template for login (OLB_LOGIN is default value).
7 FirstFactor "STATIC_PWD","SECURE_CODE",USER_ID_LESS ,“FIDO

This property determines the first authentication factor to be used for the authentication.

Currently, the component supports the following factors:

  • Static password (STATIC_PWD)

  • Secure code (SECURE_CODE)

  • FIDO

  • USER_ID_LESS

8

Multi-Factor Authentication (MFA)

"SECURE_CODE" , "OTP_SMS","OTP_EML","APPROVE, “NO_MFA","OTP_HWT"

This property determines the second authentication factor to be used for authentication after the first authentication factor.

Currently, the component supports the following factors:

  • Secure Code (Used with first factor as Static Password)

  • OTP via OOB SMS
  • OTP via OOB Email
  • OTP HWT

  • Push-based authentication using HID Approve
  • NO_MFA

Note: When we select FirstFactor as FIDO, or USER_ID_LESS, then it is mandatory to select MFA as NO_MFA.

Authentication Component Functions

Method Description Parameters
logoutOnClick   This method is used to logout username, sessionId (optional empty by default) 
getRmsSessionId  This method is used to fetch the RMS Session ID N/A

Authentication Component Events

Event name Description Parameters
onSuccessCallback Callback to be defined for successful login. identity response
onFailureCallback Callback to be defined for failure during login. String (Error Response)
showLoading  The loader is triggered and displayed whenever a service call is initiated. N/A
dismissLoading  The loader is triggered and dismissed whenever a service call is initiated. N/A
changeContext  This is triggered when component screens change, indicating that updates to the form are necessary.

String: context

context reference:

Copy

"Login", 
"OTP", 
"OTPError", 
"PushDevices",  
"Approve", 
"OOBPIN", 
"Secure", 
"ScanToApprove", 
"ScanToApproveMain", 
"LoginFIDO" ,  
"ContactSupport" 
contactSupport  contactSupport  String (Error Response)

Authentication Component Flow

STATIC_PWD

  1. On the login screen, the user must enter their username and password, then click Submit.

  2. After successfully validating the user's static password, the component displays the screen to authenticate using the second authentication factor, based on the defined value of the MFA property:

SECURE_CODE

  1. On the login screen, user must enter their username and Secure Code, then click Submit.

  2. After successfully validating the user's Secure Code, the component displays the screen to authenticate using the second authentication factor, based on the defined value of the MFA property.

USER_ID_LESS

  1. Onboard a user with any flow which includes registering mobile device. (e.g., SECURE_CODE in web or Mobile onboarding)

  2. On the login screen, the User can see a button, click to generate QR code.

  3. Scan the QR code with the registered mobile application.

  4. Once approved by the user in the mobile application, the user will be logged in to the web application.

FIDO

  1. On the login screen, the user must enter their username.

  2. Users can authenticate using a FIDO authenticator/passkey through the web authentication platform

  3. Once authenticated, the user will be logged in to the web application and redirected to the dashboard.

Authentication Component Services

Object Services

ServiceName DataModel Mapping Purpose Input Parameters Invoking

HIDAuthService

ApproveRequest

initiate

Send the Push notification to the HID Approve device.

Username, deviceId

HIDApproveInitiation > initiate

HIDAuthService

ApproveStatus

poll

Poll to the ApproveCallback service to fetch the status of user's response to the HID Approve Push notification.

mfa_key (authRequest Id from the initiate service response)

HIDPollConsensus > getHIDApprovalStatus

HIDAuthService

Devices

searchDevices

Get the list of devices associated with the user.

username

HIDSearchPushDevicesOrch > getDevices

HIDAuthService

OTPRequest

sendOTPLogin

Send the OTP (SMS/Email) to the user.

userId, AuthenticatorType (AT_OOBSMS/ AT_OOBEML), AuthenticatorValue (OOB Device Type code : DT_OOBSMS/DT_OOBEML) , msgId , password , username

HIDCustomOTPService > SendOTP

HIDAuthService getScanToApproveQrData getScanToApproveQrData It will fetch data to generate QR code for login. - HIDGetScanToApproveQrData (1.0).getScanToApproveQrData
HIDAuthService ValidateSecureCode validateOtpForUserManagement     HIDOTPAuthServices > validateOTPAuth

Fabric Services

Names Operation Name Service Type Description

HIDClientIdentity

-

Identity

Fetches Client Bearer Token

HIDUserLogin

-

Identity

End-user authentication with MFA validation

HIDClientAuthIdentityWrapper

getClientBearerToken

Integration

IntegrationWrapper of ClientIdentity

HIDDependencyManager

 

Integration

Resolves the dependencies for HIDProcessor.jar.

HIDHIDApproveInitiation

Initiate

Integration

Sends an HID Approve Push notification to the user's registered device.

HIDPollConsensus

getHIDApprovalStatus

Integration

Java service to fetch the callback response of the HID Approve push notification.

HIDOTPAuthServices

hardwareOTPAuth

Integration

Validates the Hardware token OTP for the user.

HIDOTPAuthServices

validateOTPAuth

Integration

Validates the OOB (SMS/Email) OTP.

HIDPasswordAuthServices

passwordValidation

Integration

Validates the user's static password.

HIDSearchServices

SearchDeviceAuth

Integration

Lists the devices associated with the user.

HIDSearchServices

SearchUserAuth

Integration

Searches for the user.

HIDUserIdentityAttributes getAttributes Integration Temenos Digital service to fetch the customer's identity attributes.

HIDSearchPushDevicesOrch

getDevices

Orchestration

Orchestration to fetch the userid and then gets the list of devices associated with the user.

HIDOTPServices sendOOBLogin Integration Sends an OOB (SMS/Email) OTP to the user.
HIDIdentityService login Integration Identity service endpoint.
HIDIdentityService secondFactorLogin Integration Identity service endpoint for MFA
HIDGetScanToApproveQrData getScanToApproveQrData Integration It will fetch data to generate QR code for login.
HIDFIDO getTokenUsingAuthorizationCode Integration It will generate the token by transferring the generated authorization code.
HIDFIDO getAuthenticationOptions Integration It will provide the registered credentials for the client to generate the assertion.
HIDFIDO getAuthorizationCode Integration  
HIDFIDO authenticate Integration It will provide the assertion from the client which will then authenticate user.
HIDPushedAuthorizationRequest PAR Integration It will generate the request_uri for subsequent calls.
HIDAuthenticatorPolicy getPasswordPolicy Integration Provides the Password policy.
HIDCustomOTPService sendOTP Integration Used to send OTP.
HIDOTPServiceKMSOrch addOOBAndSendOTPAuthService, addOOBAndSendOTPAppliance , generateAndSendOTPAppliance, generateAndSendOTPAuthService, sendLoginOTPAppliance, sendLoginOTPAuthService Orchestration Used for adding OOB authenticator , generate OTP and sending OTP.
HIDSoapServices indirectPrimaryAuthenticateDevice Integration (Soap Service) Generate and Send OTP
HIDOTPUtilServices fetchPhoneNumber Integration Used to fetch Phone number of the user.
HIDOpenIDConfigService FetchOpenIDConfig Integration Used to fetch the well known openID configurations.
Important: For User Authentication, you must configure the base URL and response output to fetch the customer's identity attributes. (Required)

Java Services

Service Name Purpose Dependencies Called by (Service Name-Operation)

HIDPollForConsensus

Java service which keeps polling for 45 seconds to get the status of the HID Approve Push notification sent to the user.

 

HIDPollConsensus-getHIDApprovalStatus

OTPDeliveryService Java Service to decide which delivery gateway to use to send SMS HID_SMS_MSG_TEMPLATE , IS_HID_GATEWAY_ENABLED , HID_OOB_SMS_OTP_AUTHTPYE, HID_OOB_EMAIL_OTP_AUTHTPYE, HID_SMS_DEVICE_TYPE , HID_EMAIL_DEVICE_TYPE HIDCustomOTPService

Listener Endpoints (HTTP Servlets)

Name URL Purpose Dependencies

ApproveCallBackEndpoint

https://hidglobal-dev.temenos-cloud.net/services/ApproveCallBackEndpoint

Listen to the callback response sent by the HID Authentication Service for the user's response to the HID Approve Push notification.

  1. Value of Server Property : HOST

  2. Set the value of ATR_CIBACB attribute for the client to the URL(Column 2) in the HID Authentication Service.

  3. Set the value of "hid_ciba_callback_format_plain" to false for the client in the HID Authentication Service using the Register API.

Authentication Pre/Post Processors

Authentication Pre Processors:

Name Description Used by (ServiceName-Operation)
CustomMFAValidation Validates second factor (MFA). Retrieves MFA session from cache using mfa_key, validates based on authType: APPROVE (push), FIDO, NO_MFA (step-down), OTP/SecureCode. Integrates with RMS for risk tracking. Removes MFA cache on success. HIDIdentityService - secondFactorLogin
CustomValidateAuthentication Primary first-factor authentication preprocessor. Parses login payload JSON (username/password), validates against HID auth services based on authType. Integrates with RMS for risk scoring/step-up decisions. Caches MFA session and returns mfa_meta when MFA enabled. HIDIdentityService - login
FidoValidationPreprocessor Sets authType to configured FIDO authentication type from server property HID_FIDO_AUTHTYPE, falling back to default FIDO_AUTHTYPE. HIDFIDOOrch - authenticate
GetBearerTokenPreProcessor Retrieves x-kony-app-key and x-kony-app-secret from server properties (KONY_APP_KEY, KONY_SECRET) and injects them into request headers for bearer token acquisition. HIDClientAuthIdentityWrapper - getClientBearerToken
GetDevicesOrchPreProcessor Validates transaction/message ID (msgId) from input against cache. If cached value is "true", sets transactionId and isLoginFlow attributes. Acts as guard for device search orchestration during login. HIDSearchPushDevicesOrch - getDevices
GetScanToApproveQrDataPreProcessor Builds JWT login_hint_token for Scan-to-Approve (QR code) flow. Populates claims with authpol, tds, device_type, createSession=1, mode=userid_less. HIDGetScanToApproveQrData - getScanToApproveQrData
GetUserIdentityAttributesPreProcessor Guards user identity attributes retrieval. Checks if sequenceFailed; if so, prevents service call. Otherwise passes username to service input for user attribute lookup. HIDSearchPushDevicesOrch - getDevices
HIDApprovePreprocessor Builds JWT login_hint_token for HID Approve (push notification). Populates claims with authpol, tds, channel, usercode, createSession, optional deviceid. Generates UUID client_notification_token. HIDApproveInitiation - initiate
HIDIdentityServicePreProcessor Extracts TransactionId from incoming payload's Meta object and stores it in cache (configurable TTL). Cached ID is later validated by GetDevicesOrchPreProcessor. HIDIdentityService - login
HardwareOTPAuthPreprocessor Sets authType to configured hardware OTP type from HID_HARDWARE_OTP_AUTHTYPE server property, falling back to default HW_OTP_AUTHTYPE. HIDOTPAuthServices - hardwareOTPAuth
InitiateSecondFactorPreprocessor  Initiates second-factor OTP delivery by calling internal OTPTemp-send service with user credentials and email OTP auth type. Returns OOB_SENT status. OTP Initiation
OTPValidationPreprocessor Resolves correct OTP authentication type based on authType input (OTP_SMS, OTP_EML, or Secure Code). Maps to corresponding server property and sets channelId. HIDOTPAuthServices - validateOTPAuth
PasswordValidationPreprocessor Sets authType to configured password type from HID_PASSWORD_AUTHTYPE server property, falling back to default PWD_AUTHTYPE. HIDPasswordAuthServices - passwordValidation
SearchDeviceAuthPreProcessor Guards device search during authentication. Checks UserExist attribute; if user doesn't exist, sets sequenceFailed=true and stores error message, preventing further orchestration. HIDSearchServices - SearchDeviceAuth

Authentication Post Processors:

Names Description Used by (ServiceName-Operation)
GetAuthCodePostProcessor Parses JSON response to extract code and context fields from HID authentication service response. Returns error if auth code/context are unavailable. HIDFIDO -getAuthorizationCode
GetBearerTokenPostProcessor Extracts access_token from result, prepends "Bearer " prefix, and stores it as a request attribute for downstream services to use as an authorization header value. HIDClientAuthIdentityWrapper - getClientBearerToken
GetDevicesOrchPostProcessor

Checks if the device orchestration sequence failed (returns searchDevicesServiceError).

For login flows, validates and removes transactionId from cache. Returns 400 if transactionId is missing

HIDSearchPushDevicesOrch - getDevices
GetScanToApproveQrDataPostProcessor Checks if error message (errmsg) exists in result. If present, ensures the error and HTTP status are propagated back. HIDGetScanToApproveQrData - getScanToApproveQrData
GetUserIdentityAttributesPostProcessor Checks opstatus of response. If non-zero (failure), marks orchestration sequence as failed by setting sequenceFailed=true and errMessage for downstream processors. HIDSearchPushDevicesOrch - getDevices
HIDApprovePostprocessor Handles HID Approve (CIBA push) flow. If auth_req_id is present, caches client_notification_token with key "CCNT" for later callback lookup. Otherwise propagates error. HIDApproveInitiation -initiate
SearchDeviceAuthPostProcessor Parses devices dataset records to extract and clean friendlyName, startDate, and expiryDate from raw composite string fields into individual clean values. HIDSearchServices - SearchDeviceAuth
SearchUserAuthPostProcessor Checks if user exists by examining totalResults and id. Sets UserExist request attribute to true/false for orchestration flow decisions. HIDSearchServices - SearchUserAuth
TokenValidatorPostprocessor Validates JWT tokens by calling JWTValidationManager.verifyToken() on id_token. Returns JWTTokenValidation=Success (200) or Failed (400). HIDAuthentication - TokenValidator
ValidateMfaOrchPostProcessor Orchestration post-processor for MFA validation. Checks sequenceFailed attribute; if true, propagates custom error message and sets opstatus=-1. HIDIdentityService - secondFactorLogin

Common Processor:

Names Description Used by (ServiceName-Operation)
CheckUsernameFromSession Check username from the server and check if this matches the passed username from the frontend or not . (Specifically for infinity user)
  • HIDSearchDevice-searchDevices

  • HIDApproveDeviceRegistration-getInviteCode

  • HIDOTPAuthService- validateOtpForUserManagement

HID Identity Service Configuration

Important: The identity service has been updated to HIDUserLogin, replacing CustomHIDLogin and DbxUserLogin. The steps in this section apply only to customers using the legacy components and are not required for updated components (HIDUserLogin).

This section describes how to configure the Infinity Identity service (DbxUserLogin) endpoints for the HID identity service (CustomHIDLogin) to perform login validation.

Prerequisites:

To work with this identity service, you must import the following components in the Quantum visualizer:

  • For web applications: Login component.

  • For mobile applications: MobileApproveSDK component.

Troubleshooting Fabric Services

Refer to troubleshooting the User Authentication Fabric Services.

Risk-based User Authentication

HID Temenos Digital Component additionally supports an adaptive and risk-based authentication. It is optional i.e., You can enable or disable this functionality based on your needs.

HID Risk Management Solution provides this threat detection solution for real time risk-based authentication.

HID Temenos Digital Component enables you to easily integrate with the HID RMS Web component and use the risk-based Login flow as an add-on feature available as part of User Authentication (this section) component.

Refer HID RMS Web component - Login flow for more information.