Onboarding Users

Mandatory Server Settings	HOST	<HID Authentication Service Host> (e.g., test123.aaas.hidcloud.com)
	TENANT	<HID Authentication Service Tenant Id> (e.g., tf98f45g90843781907)
	ORG_ADMIN_USERNAME	<Org admin user of HID Authentication Service Tenant> (e.g., john.doe@abcorg.com)
	ORG_ADMIN_PASSWORD	<Password for the Org admin user> (e.g., Password01)
	KONY_APP_KEY	<App key of the fabric application> (e.g., h728h89031832jdy9292)
	KONY_APP_SECRET	<App secret of the fabric application> (e.g., 89bv2894673792003jy2)
	SERVICES_URL	https://<kony-account-host>/services (e.g., https://hidglobaltest.konycloud.com:443/services)
	HID_REDIRECT_URI	<Redirect url set for the FIDO tenant>
	AS_CLIENT_ID	<Client Id for the tenant>
	ACTIVATION_CODE_AUTHTYPE	<Activation Code Authenticator if other than AT_ACTPWD>
	PASSWORD_AUTHTYPE	<Static Password Authenticator if other than AT_STDPWD>
	OOB_SMS_OTP_AUTHTYPE	<OOB SMS Authenticator if other than AT_OOBSMS>
	OOB_EMAIL_OTP_AUTHTYPE	<OOB Email Authenticator if other than AT_OOBEML>
	DEVICE_TYPE	<Device type to be used for HID Approve if other than DT_TDSV4>
	HID_IS_APPLIANCE	<Identifies whether device is HID Appliance or not>
	FIDO_AUTHTYPE	AT_FIDO (by default)
	HID_ACT_EXPIRY_IN_DAYS	<Set the expiration period for Activation Code Authenticator in days> (Default: 1)
	HID_PWD_EXPIRY_IN_DAYS	<Set the expiration period for Password Authenticator in days> (Default: 365)
	HID_OFFSET_TIME	<This server setting adjusts the time zone for Appliance> (Default: +00:00) Note: This property is applicable only when there is a timezone gap between the Fabric Server and HID Server locations. The format for HID_OFFSET_TIME is hh:mm For Example: If HID server is located in UK and the customer is from Kenya then HID_OFFSET_TIME property in the server property will be +02:00.

View Sample Server Settings

Onboarding Component Properties

S.No.	Property Name	Allowed Values	Purpose
1	FirstFactor	"STATIC_PWD","SECURE_CODE", "OTP_SMS_PIN", “FIDO”	This property determines the first authentication factor to be added to the user. Currently the first authentication factors supported are: Static password OOB SMS Secure code FIDO
2	MFA	"OTP_SMS","OTP_EML","APPROVE, “NO_MFA"	This property determines the second authentication factor to be added to the user after the first authentication factor is created. Currently, the component supports the following factors: OTP via OOB SMS OTP via OOB Email OTP HWT Push-based authentication using HID Approve NO_MFA

S.No.

Property Name

Allowed Values

Purpose

FirstFactor

"STATIC_PWD","SECURE_CODE", "OTP_SMS_PIN", “FIDO”

This property determines the first authentication factor to be added to the user. Currently the first authentication factors supported are:

Static password
OOB SMS
Secure code
FIDO

MFA

"OTP_SMS","OTP_EML","APPROVE, “NO_MFA"

This property determines the second authentication factor to be added to the user after the first authentication factor is created.

Currently, the component supports the following factors:

OTP via OOB SMS
OTP via OOB Email
OTP HWT
Push-based authentication using HID Approve
NO_MFA

Onboarding Component Functions

No public function is exposed. All the functions are called from the UI provided with the component.

Onboarding Component Flow

STATIC_PWD

In the first screen, the user provides their Username and Activation Code, then clicks Register.
After successfully validating the Activation Code, the component displays the screen to add a password for the user.
In the second screen, user enters and confirms a Password and clicks Submit.
Note: The Password must comply with the Password policy.
After the Static password authenticator is successfully created, based on the defined value of the MFA property, the components adds the second authenticator for the user:
HID Approve
1. The third screen displays the options to register an HID Approve device using either the QR code or manual registration.
  Registration via QR Code
  Manual registration
2. After the device is registered successfully, the user is directed to next screen with a notification that the Push notification has been sent to the registered device to confirm the onboarding process.
3. After approving the push notification, the user is directed to next screen confirming the successful onboarding.
OTP via SMS or Email
1. After adding the Out-of-Band (OOB) for SMS/Email authenticator to the user, the user receives an OTP either by SMS or by email based on the selected MFA option.
2. In the third screen, the user enters the received OTP to complete the onboarding process.
3. After validating the OTP successfully, the user is directed to next screen confirming the successful onboarding.

SECURE_CODE

On the first screen, user need to provide Username and activation code, then click Register Button.
After successfully validating the activation code, it will show the next screen to with QR code to register user on mobile app.

or

User can select the "Activate Manually" option to display the details to register device manually.
- After the device is registered successfully, user will be directed to next screen to show that the onboarding process is completed successfully.

OTP_SMS_PIN

On the first screen, user need to provide Username and activation code, then click Register Button.
After successfully validating the activation code, it will show the next screen to add PIN to the user.
On the second screen, user need to enter the Password and Confirm Password and click Submit Button (the PIN provided here should comply to the Password policy).
- On the third screen, user will be directed to next screen to show that the onboarding process is completed successfully.

FIDO

On the first screen, user will provide username and activation code and clicked on register button.
This will then show a popup to select the options with supported device to register the device.
User get register a new fido authenticator/passkey using the web authentication platform
Once done user will redirect to success screen with message and login button.

Onboarding Component Services

Object Services

ServiceName	DataModel	Mapping	Purpose	Input Parameters	Invoking
HIDObjects	ActivationCodeValidation	validateActivationCode	Validate the user's activation code.	filter (username), username, activationCode, authType	OnboardingValidation > ValidateUser
HIDObjects	AddOOBAuthenticator	addOOBAuthenticator	Add an OOB (SMS/Email) authenticator to the user.	userId, AuthenticatorType (AT_OOBSMS/ AT_OOBEML), AuthenticatorValue (OOB Device Type code : DT_OOBSMS/DT_OOBEML)	ScimAPIsOrg > addOOBAuthenticator
HIDObjects	AddPasswordAuthenticator	addPasswordAuthenticator	Add a static password authenticator to the user.	username, userId, password, authType, Auth_Key	ScimAPIsOrg > addPasswordAuthenticatorInt
HIDObjects	ApproveDeviceRegistration	getInviteCode	Provision the HID Approve device to the user and get the invite code to add the HID Approve device.	userId, username, usernameWithRandomNo, Auth_Key	PushDeviceRegistrationOrch > getInviteCode
HIDObjects	HIDApproveInitiation	initiateApprove	Initiate the Push notification on the HID Approve device.	username	HIDApproveInitiation > initiate
HIDObjects	ApproveStatusPolling	approveStatusPolling	Poll to the ApproveCallback service to fetch the status of user's response to the HID Approve Push notification.	mfa_key (authRequest Id from the initiateApprove service response)	HIDPollConsensus > getHIDApprovalStatus
HIDObjects	DeviceRegistrationPolling	deviceRegistrationPolling	Poll to the DeviceRegistration Callback service to fetch the status of the HID Approve device registration.	deviceId (device Id from the getInviteCode service response)	HIDPollConsensus > getHIDDeviceRegistrationStatus
HIDObjects	SendOOB	sendOOB	Send the OOB (SMS/Email) OTP to the user.	username, AuthenticatorType (AT_OOBSMS/AT_OOBEML)	OTPServices > sendOOB
HIDObjects	ValidateOOB	validateOOB	Validate the OOB (SMS/Email) OTP.	username, AuthenticatorType (AT_OOBSMS/ AT_OOBEML), OTP	OTPService > validateOOB
HIDObjects	PasswordPolicy	getPasswordPolicy	Gets the policy for Static Password Authenticator	none	ScimAPIs>getPasswordPolicy
HIDObjects	AddAllOOBAuthNew	addAllOOBAuthenticators	Add an OOB(SMS/Email) authenticator, TX OOB, and Send OTP to the user.	userId, AuthenticatorType (AT_OOBSMS/ AT_OOBEML), AuthenticatorValue (OOB Device Type code : DT_OOBSMS/DT_OOBEML)	ScimApisOrch> AddAllOOBAuthenticators
HIDObjects	FIDOOnboarding	getCredentialOptions	It will fetch the configuration options to create FIDO credentials.	username	FIDOOrch> getCredentialOptions
HIDObjects	FIDOOnboarding	registerCredential	It will register the user with FIDO Authenticator.	username, request_uri, id, rawId, clientDataJSON, attestationObject, csrf	FIDO> registerCredential
HIDAuthService	FIDOAuthentication	authenticate	Authenticate the user with FIDO credential assertion and fetch the token.	username, request_uri, csrf, csrfx	FIDOOrch> authenticate
HIDAuthService	FIDOAuthentication	getAuthenticationOptions	It will provide the registered credentials for the client to generate the assertion.	username, request_uri	FIDOOrch> getAuthenticationOptions

Fabric Services

Names	Operation Name	Service Type	Description
ClientIdentity	-	Identity	Fetches Client Bearer Token
OrgAdminScim	-	Identity	Fetches OrgAdmin Bearer Token
ActivationCodeService	Login	Integration	Authenticates the Activation Code
ClientAuthIdentityWrapper	getClientBearerToken	Integration	IntegrationWrapper of ClientIdentity
ClientAuthIdentityWrapper	getOrgBearerToken	Integration	Integration Wrapper for OrgAdminScim
DependencyManager		Integration	Resolves the dependencies for HIDProcessor.jar.
DeviceProvisionJava	GetProvisonMsg	Integration	Fetches the Invite Code
HIDApproveInitiation	Initiate	Integration	Sends an HID Approve Push notification to the user's registered device.
HIDPollConsensus	getHIDApprovalStatus	Integration	Java service to fetch callback response of the HID Approve Push notification.
HIDPollConsensus	getHIDDeviceRegistrationStatus	Integration	Java service to fetch the callback response of the HID Approve device registration status.
OTPServices	SendOOB	Integration	Sends an OOB OTP to the user.
OTPServices	validateOOB	Integration	Validates an OOB OTP.
OTPServices	validateOTP	Integration	Validates a Hardware OTP.
ScimAPIs	SearchUser	Integration	Searches for the user.
ScimAPIs	createNewDevice	Integration	Creates a new Device ID for the user.
ScimAPIs	getActivationCodeAuthenticator	Integration	An exclusive getAuthenticator service for the ValidateUser Orchestration service. This service does not work alone so use the getAuthenticator instead.
ScimAPIs	getPasswordPolicy	Integration	Provides the Password policy.
ScimAPIs	updateDevice	Integration	Binds the new Device ID to the user.
ScimAPIsOrg	addOOBAuthenticator	Integration	Adds an OOB Authenticator to the user.
ScimAPIsOrg	addPasswordAuthenticatorInt	Integration	Adds a Password Authenticator.
OnbaordingValidation	ValidateUser	Orchestration
PushDeviceRegistrationOrch	getInviteCode	Orchestration	Provisioning Push Device
ScimAPIsOrg	addOOBAuthenticatorForOrch	Integration	To add OOB authenticator (AT_OOBSMS/ AT_OOBEML)
TransactionAuthServices	AddTXOOBAuthForOrch	Integration	To add Transaction OOB (TX_OOB)
ScimApisOrch	AddAllOOBAuthenticators	Orchestration	To add OOB authenticator, TX OOB authenticator, and to send OTP to the user.
PushedAuthorizationRequest	PAR	Integration	It will generate the request_uri for subsequent calls.
FIDO	getCredentialOptions	Integration	It will fetch the configuration options to create FIDO credentials.
FIDO	registerCredential	Integration	It will register the user with FIDO Authenticator.
FIDOOrch	authenticate	Orchestration	It will be consumed for authentication journey of the user.
FIDOOrch	getAuthenticationOptions	Orchestration	It will provide the registered credentials for the client to generate the assertion.
FIDOOrch	getCredentialOptions	Orchestration	It will fetch the configuration options to create FIDO credentials.

Java Services

Service Name	Purpose	Dependencies	Called by (Service Name-Operation)
DeviceProvision	Java service to send the Device Provisioning request for HID Approve device registration and process the response to send the provisioning message.	You need to configure following Server Properties: HOST TENANT SERVICES_URL	DeviceProvisionJava-getProvisonMsg
HIDPollForConsensus	Java service which keeps polling for 45 seconds to get the status of the HID Approve Push notification sent to the user.		HIDPollConsensus-getHIDApprovalStatus
PollForDeviceRegistrationStatus	Java service which keeps polling for 45 seconds to get the status of the HID Approve device registration.		HIDPollConsensus-getHIDDeviceRegistrationStatus

Service Name

Purpose

Dependencies

Called by (Service Name-Operation)

DeviceProvision

Java service to send the Device Provisioning request for HID Approve device registration and process the response to send the provisioning message.

You need to configure following Server Properties:

HOST
TENANT
SERVICES_URL

DeviceProvisionJava-getProvisonMsg

HIDPollForConsensus

Java service which keeps polling for 45 seconds to get the status of the HID Approve Push notification sent to the user.

HIDPollConsensus-getHIDApprovalStatus

PollForDeviceRegistrationStatus

Java service which keeps polling for 45 seconds to get the status of the HID Approve device registration.

HIDPollConsensus-getHIDDeviceRegistrationStatus

Listener Endpoints (HTTP Servlets)

Name	URL	Purpose	Dependencies
ApproveCallBackEndpoint	https://hidglobal-dev.konycloud.com/services/ApproveCallBackEndpoint	Listen to the callback response sent by the HID Authentication Service for the user's response to the HID Approve Push notification.	Value of Server Property : HOST Set the value of ATR_CIBACB attribute for the client to the url (Column 2) in HID Authentication Service. Set the value of "hid_ciba_callback_format_plain" to false for the client in the HID Authentication Service using the Register API.
DeviceRegistrationCallBackEndpoint	https://hidglobal-dev.konycloud.com/services/DeviceRegistrationCallBackEndpoint	Listen to the callback response sent by the HID Authentication Service for the user's response to the HID Approve Device registration request (either by scanning QR code or manually registration)	None (Listener endpoint URL is already being sent in Device Provisioning request as cb_url).

Onboarding Pre/Post Processors

Names	Description	Used by (ServiceName-Operation)
ActivationCodeAuthenticatorPostProcessor	Processes the output of Get Activation code authenticator for user and adds an error message to the response if activation code is already consumed, expired or reached wrong attempts threshold.	ScimAPIs-getActivationCodeAuthenticator
ActivationCodeLoginPostProcessor	Adds an error message to the output if the validation of the Activation Code API sends an error.	ActivationCodeService-login
AddPasswordPostProcessor	Processes the output of the Add Static password authenticator to user API, adds an error code to the output if the API fails and adds an error message if the API specifically fails because an authenticator already exists for the user.	ScimAPIsOrg-addPasswordAuthenticatorInt
CreateDevicePostprocessor	Processes the output of Create Device API for HID Approve device registration, adds an error message to the output if the device creation fails.	ScimAPIs-createNewDevice
GetInviteCodePostProcessor	Processes the output of the Create Device Provision API for the HID Approve device registration, adds an error message to the result if the device id or provisioning message is null in the response.	PushDeviceRegistrationOrch-getInviteCode
SearchUserPostProcessor	Processes the output of the Search User API based on the total results and if user is active or not. Also verifies if the Activation Code authenticator is added to the user.	ScimAPIs-SearchUser
UpdateDevicePostProcessor	Processes the output of the Update Device API which is used during the HID Approve device registration, adds an error message to the output if the API fails.	ScimAPIs-updateDevice
ValidateUserPostProcessor	Processes the output of validating the user's Activation Code orchestration service, adds an error message to the result if any error occurs during the operation.	OnbaordingValidation-ValidateUser
ActivationCodeAuthenticatorPreProcessor	Pre-processes the output of search user for GetActivationCode Authenticator for user to verify if the user exists and if the Activation Code authenticator exists for user.	ScimAPIs-getActivationCodeAuthenticator
ActivationCodeLoginPreProcessor	Verifies if an error has occurred in the previous service during the orchestration. Also sets the value of AuthenticationType in the input for the request from the configured server setting ACTIVATION_CODE_AUTHTYPE. If not configured, takes the default value (AT_ACTPWD).	ActivationCodeService-login
AddOOBAuthenticatorPreProcessor	Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE or OOB_EMAIL_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML).	ScimAPIsOrg-addOOBAuthenticator
AddPasswordPreProcessor	Sets the startDate, expDate in the input for the request and AuthenticationType if configured in the server setting PASSWORD_AUTHTYPE. If not configured, takes the default value (AT_STDPWD).	ScimAPIsOrg-addPasswordAuthenticatorInt
CreateDevicePreProcessor	Sets the startDate, expiryDate in the input for the request and deviceType if configured in the server setting DEVICE_TYPE. If not configured, takes the default value (DT_TDSV4).	ScimAPIs-createNewDevice
DeviceProvisionPreProcessor	Verifies if an error has occurred in previous service during the orchestration. Also sets the value of deviceType in the input for the request from the configured server setting DEVICE_TYPE. If not configured, takes the default value (DT_TDSV4).	ScimAPIs-updateDevice DeviceProvisionJava-getProvisonMsg
OOBAuthenticatorPreprocessor	Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE or OOB_EMAIL_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML).	OTPServices-sendOOB OTPServices-validateOOB
AddAllOOBAuthenticatorsPrePreprocessor	This processes the inputs and checks whether the Auth_Key is present or not.	ScimApisOrch>AddAllOOBAuthenticators
AddAllOOBAuthenticatorsPostProcessor	Remove the Auth_Key from Cache, once the services are executed successfully or sends an error.	ScimApisOrch>AddAllOOBAuthenticators
AddSMSOOBAuthenticatorPreProcessor	Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE or OOB_EMAIL_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML).	ScimAPIsOrg> addOOBAuthenticatorForOrch
AddSMSOOBAuthenticatorPostProcessor	Adds an error message to the output if the add OOB authenticator service fails.	ScimAPIsOrg\ addOOBAuthenticatorForOrch
AddTXOOBPreProcessor	Processes the inputs and checks the error message from previous call.	TransactionAuthServices\ AddTXOOBAuthForOrch
AddTXOOBAuthenticatorPostProcessor	Adds an error message to the output if the add TX_OOB authenticator service fails.	TransactionAuthServices\ AddTXOOBAuthForOrch
SendOOBPostProcessor	Adds an error message to the output if the send OTP service fails.	OTPServices\sendOOB
GetInviteCodePreProcessor	This processes the inputs and checks whether the Auth_Key is present or not.	PushDeviceRegistrationOrch\getInviteCode
ClientBasePreProcessor	It will add client auth token to the request.	FIDO - getAuthenticationOptions
GetCredentialOptionsPostProcessor	It will add csrf token to the request for next call.	FIDO - getAuthenticationOptions
RegisterCredentialsPreProcessor	It will add csrf token to the request header.	FIDO - registerCredential
RegisterCredentialsPostProcessor	It will handle the empty response from the API call.	FIDO - registerCredential
PARPreProcessor	It will read the server property for clientId and request_uri.	PushedAuthorizationRequest - PAR
PARPreProcessor	It will add request_uri to the request for next call.	PushedAuthorizationRequest - PAR

Troubleshooting Fabric Services

Refer to troubleshooting the Onboarding Fabric Services.