Onboarding Users

Mandatory Server Settings

HOST

<HID Authentication Service Host>

(e.g., test123.aaas.hidcloud.com)

TENANT

<HID Authentication Service Tenant Id>

(e.g., tf98f45g90843781907)

ORG_ADMIN_USERNAME

<Org admin user of HID Authentication Service Tenant>

(e.g., john.doe@abcorg.com)

ORG_ADMIN_PASSWORD

<Password for the Org admin user>

(e.g., Password01)

KONY_APP_KEY

<App key of the fabric application>

(e.g., h728h89031832jdy9292)

KONY_APP_SECRET

<App secret of the fabric application>

(e.g., 89bv2894673792003jy2)

SERVICES_URL

https://<kony-account-host>/services
(e.g., https://hidglobaltest.konycloud.com:443/services)

HID_REDIRECT_URI <Redirect url set for the FIDO tenant>
AS_CLIENT_ID <Client Id for the tenant>

ACTIVATION_CODE_AUTHTYPE

<Activation Code Authenticator if other than AT_ACTPWD>

PASSWORD_AUTHTYPE

<Static Password Authenticator if other than AT_STDPWD>

OOB_SMS_OTP_AUTHTYPE

<OOB SMS Authenticator if other than AT_OOBSMS>

OOB_EMAIL_OTP_AUTHTYPE

<OOB Email Authenticator if other than AT_OOBEML>

DEVICE_TYPE

<Device type to be used for HID Approve if other than DT_TDSV4>
HID_IS_APPLIANCE <Identifies whether device is HID Appliance or not>
FIDO_AUTHTYPE AT_FIDO (by default)
HID_ACT_EXPIRY_IN_DAYS

<Set the expiration period for Activation Code Authenticator in days>

(Default: 1)

HID_PWD_EXPIRY_IN_DAYS

<Set the expiration period for Password Authenticator in days>

(Default: 365)

HID_OFFSET_TIME

<This server setting adjusts the time zone for Appliance>

(Default: +00:00)

Note:
  • This property is applicable only when there is a timezone gap between the Fabric Server and HID Server locations.

  • The format for HID_OFFSET_TIME is hh:mm

    For Example: If HID server is located in UK and the customer is from Kenya then HID_OFFSET_TIME property in the server property will be +02:00.

HID_PROVISION_HOST <In case of appliance, this is the value of internal host>

View Sample Server Settings

Onboarding Component Properties

S.No. Property Name Allowed Values Purpose
1 FirstFactor "STATIC_PWD","SECURE_CODE", "OTP_SMS_PIN", “FIDO”

This property determines the first authentication factor to be added to the user. Currently the first authentication factors supported are:

  • Static password

  • OOB SMS

  • Secure code

  • FIDO

2

MFA

"OTP_SMS","OTP_EML","APPROVE, “NO_MFA"

This property determines the second authentication factor to be added to the user after the first authentication factor is created.

Currently, the component supports the following factors:

  • OTP via OOB SMS
  • OTP via OOB Email
  • OTP HWT
  • Push-based authentication using HID Approve
  • NO_MFA

Onboarding Component Functions

No public function is exposed. All the functions are called from the UI provided with the component.

Onboarding Component Flow

STATIC_PWD

  1. In the first screen, the user provides their Username and Activation Code, then clicks Register.

  2. After successfully validating the Activation Code, the component displays the screen to add a password for the user.

  3. In the second screen, user enters and confirms a Password and clicks Submit.
    Note: The Password must comply with the Password policy.

  4. After the Static password authenticator is successfully created, based on the defined value of the MFA property, the components adds the second authenticator for the user:

SECURE_CODE

  1. On the first screen, user need to provide Username and activation code, then click Register Button.

  2. After successfully validating the activation code, it will show the next screen to with QR code to register user on mobile app.

    or

    User can select the "Activate Manually" option to display the details to register device manually.

    • After the device is registered successfully, user will be directed to next screen to show that the onboarding process is completed successfully.

OTP_SMS_PIN

  1. On the first screen, user need to provide Username and activation code, then click Register Button.

  2. After successfully validating the activation code, it will show the next screen to add PIN to the user.

  3. On the second screen, user need to enter the Password and Confirm Password and click Submit Button (the PIN provided here should comply to the Password policy).

    • On the third screen, user will be directed to next screen to show that the onboarding process is completed successfully.

FIDO

  1. On the first screen, user will provide username and activation code and clicked on register button.

  2. This will then show a popup to select the options with supported device to register the device.

  3. User get register a new fido authenticator/passkey using the web authentication platform

  4. Once done user will redirect to success screen with message and login button.

Onboarding Component Services

Object Services

ServiceName DataModel Mapping Purpose Input Parameters Invoking

HIDObjects

ActivationCodeValidation

validateActivationCode

Validate the user's activation code.

filter (username), username, activationCode, authType

OnboardingValidation > ValidateUser

HIDObjects

AddOOBAuthenticator

addOOBAuthenticator

Add an OOB (SMS/Email) authenticator to the user.

userId, AuthenticatorType (AT_OOBSMS/ AT_OOBEML), AuthenticatorValue (OOB Device Type code : DT_OOBSMS/DT_OOBEML)

ScimAPIsOrg > addOOBAuthenticator

HIDObjects

AddPasswordAuthenticator

addPasswordAuthenticator

Add a static password authenticator to the user.

username, userId, password, authType, Auth_Key

ScimAPIsOrg > addPasswordAuthenticatorInt

HIDObjects

ApproveDeviceRegistration

getInviteCode

Provision the HID Approve device to the user and get the invite code to add the HID Approve device.

userId, username, usernameWithRandomNo, Auth_Key

PushDeviceRegistrationOrch > getInviteCode

HIDObjects

HIDApproveInitiation

initiateApprove

Initiate the Push notification on the HID Approve device.

username

HIDApproveInitiation > initiate

HIDObjects

ApproveStatusPolling

approveStatusPolling

Poll to the ApproveCallback service to fetch the status of user's response to the HID Approve Push notification.

mfa_key (authRequest Id from the initiateApprove service response)

HIDPollConsensus > getHIDApprovalStatus

HIDObjects

DeviceRegistrationPolling

deviceRegistrationPolling

Poll to the DeviceRegistration Callback service to fetch the status of the HID Approve device registration.

deviceId (device Id from the getInviteCode service response)

HIDPollConsensus > getHIDDeviceRegistrationStatus

HIDObjects

SendOOB

sendOOB

Send the OOB (SMS/Email) OTP to the user.

username, AuthenticatorType (AT_OOBSMS/AT_OOBEML)

OTPServices > sendOOB

HIDObjects

ValidateOOB

validateOOB

Validate the OOB (SMS/Email) OTP.

username, AuthenticatorType (AT_OOBSMS/ AT_OOBEML), OTP

OTPService > validateOOB

HIDObjects PasswordPolicy getPasswordPolicy Gets the policy for Static Password Authenticator none ScimAPIs>getPasswordPolicy
HIDObjects AddAllOOBAuthNew addAllOOBAuthenticators Add an OOB(SMS/Email) authenticator, TX OOB, and Send OTP to the user. userId, AuthenticatorType (AT_OOBSMS/ AT_OOBEML), AuthenticatorValue (OOB Device Type code : DT_OOBSMS/DT_OOBEML) ScimApisOrch> AddAllOOBAuthenticators
HIDObjects FIDOOnboarding getCredentialOptions It will fetch the configuration options to create FIDO credentials. username FIDOOrch> getCredentialOptions
HIDObjects FIDOOnboarding registerCredential It will register the user with FIDO Authenticator. username, request_uri, id, rawId, clientDataJSON, attestationObject, csrf FIDO> registerCredential
HIDAuthService FIDOAuthentication authenticate Authenticate the user with FIDO credential assertion and fetch the token. username, request_uri, csrf, csrfx FIDOOrch> authenticate
HIDAuthService FIDOAuthentication getAuthenticationOptions It will provide the registered credentials for the client to generate the assertion. username, request_uri FIDOOrch> getAuthenticationOptions

Fabric Services

Names Operation Name Service Type Description

ClientIdentity

-

Identity

Fetches Client Bearer Token

OrgAdminScim

-

Identity

Fetches OrgAdmin Bearer Token

ActivationCodeService

Login

Integration

Authenticates the Activation Code

ClientAuthIdentityWrapper

getClientBearerToken

Integration

IntegrationWrapper of ClientIdentity

ClientAuthIdentityWrapper

getOrgBearerToken

Integration

Integration Wrapper for OrgAdminScim

DependencyManager

 

Integration

Resolves the dependencies for HIDProcessor.jar.

DeviceProvisionJava

GetProvisonMsg

Integration

Fetches the Invite Code

HIDApproveInitiation

Initiate

Integration

Sends an HID Approve Push notification to the user's registered device.

HIDPollConsensus

getHIDApprovalStatus

Integration

Java service to fetch callback response of the HID Approve Push notification.

HIDPollConsensus

getHIDDeviceRegistrationStatus

Integration

Java service to fetch the callback response of the HID Approve device registration status.

OTPServices

SendOOB

Integration

Sends an OOB OTP to the user.

OTPServices

validateOOB

Integration

Validates an OOB OTP.

OTPServices

validateOTP

Integration

Validates a Hardware OTP.

ScimAPIs

SearchUser

Integration

Searches for the user.

ScimAPIs

createNewDevice

Integration

Creates a new Device ID for the user.

ScimAPIs

getActivationCodeAuthenticator

Integration

An exclusive getAuthenticator service for the ValidateUser Orchestration service. This service does not work alone so use the getAuthenticator instead.

ScimAPIs getPasswordPolicy Integration Provides the Password policy.

ScimAPIs

updateDevice

Integration

Binds the new Device ID to the user.

ScimAPIsOrg

addOOBAuthenticator

Integration

Adds an OOB Authenticator to the user.

ScimAPIsOrg

addPasswordAuthenticatorInt

Integration

Adds a Password Authenticator.

OnbaordingValidation

ValidateUser

Orchestration

 

PushDeviceRegistrationOrch

getInviteCode

Orchestration

Provisioning Push Device

ScimAPIsOrg addOOBAuthenticatorForOrch Integration To add OOB authenticator (AT_OOBSMS/ AT_OOBEML)
TransactionAuthServices AddTXOOBAuthForOrch Integration To add Transaction OOB (TX_OOB)
ScimApisOrch AddAllOOBAuthenticators Orchestration To add OOB authenticator, TX OOB authenticator, and to send OTP to the user.
PushedAuthorizationRequest PAR Integration It will generate the request_uri for subsequent calls.
FIDO getCredentialOptions Integration It will fetch the configuration options to create FIDO credentials.
FIDO registerCredential Integration It will register the user with FIDO Authenticator.
FIDOOrch authenticate Orchestration It will be consumed for authentication journey of the user.
FIDOOrch getAuthenticationOptions Orchestration It will provide the registered credentials for the client to generate the assertion.
FIDOOrch getCredentialOptions Orchestration It will fetch the configuration options to create FIDO credentials.

Java Services

Service Name Purpose Dependencies Called by (Service Name-Operation)

DeviceProvision

Java service to send the Device Provisioning request for HID Approve device registration and process the response to send the provisioning message.

You need to configure following Server Properties:

  • HOST
  • TENANT
  • SERVICES_URL

DeviceProvisionJava-getProvisonMsg

HIDPollForConsensus

Java service which keeps polling for 45 seconds to get the status of the HID Approve Push notification sent to the user.

 

HIDPollConsensus-getHIDApprovalStatus

PollForDeviceRegistrationStatus

Java service which keeps polling for 45 seconds to get the status of the HID Approve device registration.

 

HIDPollConsensus-getHIDDeviceRegistrationStatus

Listener Endpoints (HTTP Servlets)

Name URL Purpose Dependencies

ApproveCallBackEndpoint

https://hidglobal-dev.konycloud.com/services/ApproveCallBackEndpoint

Listen to the callback response sent by the HID Authentication Service for the user's response to the HID Approve Push notification.

  1. Value of Server Property : HOST

  2. Set the value of ATR_CIBACB attribute for the client to the url (Column 2) in HID Authentication Service.

  3. Set the value of "hid_ciba_callback_format_plain" to false for the client in the HID Authentication Service using the Register API.

DeviceRegistrationCallBackEndpoint

https://hidglobal-dev.konycloud.com/services/DeviceRegistrationCallBackEndpoint

Listen to the callback response sent by the HID Authentication Service for the user's response to the HID Approve Device registration request (either by scanning QR code or manually registration)

None (Listener endpoint URL is already being sent in Device Provisioning request as cb_url).

Onboarding Pre/Post Processors

Names Description Used by (ServiceName-Operation)

ActivationCodeAuthenticatorPostProcessor

Processes the output of Get Activation code authenticator for user and adds an error message to the response

if activation code is already consumed, expired or reached wrong attempts threshold.

ScimAPIs-getActivationCodeAuthenticator

ActivationCodeLoginPostProcessor

Adds an error message to the output if the validation of the Activation Code API sends an error.

ActivationCodeService-login

AddPasswordPostProcessor

Processes the output of the Add Static password authenticator to user API, adds an error code to the output if the API fails and adds an error message if the API specifically fails because an authenticator already exists for the user.

ScimAPIsOrg-addPasswordAuthenticatorInt

CreateDevicePostprocessor

Processes the output of Create Device API for HID Approve device registration, adds an error message to the output if the device creation fails.

ScimAPIs-createNewDevice

GetInviteCodePostProcessor

Processes the output of the Create Device Provision API for the HID Approve device registration, adds an error message to the result if the device id or provisioning message is null in the response.

PushDeviceRegistrationOrch-getInviteCode

SearchUserPostProcessor

Processes the output of the Search User API based on the total results and if user is active or not. Also verifies if the Activation Code authenticator is added to the user.

ScimAPIs-SearchUser

UpdateDevicePostProcessor

Processes the output of the Update Device API which is used during the HID Approve device registration, adds an error message to the output if the API fails.

ScimAPIs-updateDevice

ValidateUserPostProcessor

Processes the output of validating the user's Activation Code orchestration service, adds an error message to the result if any error occurs during the operation.

OnbaordingValidation-ValidateUser

ActivationCodeAuthenticatorPreProcessor

Pre-processes the output of search user for GetActivationCode Authenticator for user to verify if the user exists and if the Activation Code authenticator exists for user.

ScimAPIs-getActivationCodeAuthenticator

ActivationCodeLoginPreProcessor

Verifies if an error has occurred in the previous service during the orchestration. Also sets the value of AuthenticationType in the input for the request from the configured server setting ACTIVATION_CODE_AUTHTYPE. If not configured, takes the default value (AT_ACTPWD).

ActivationCodeService-login

AddOOBAuthenticatorPreProcessor

Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE or OOB_EMAIL_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML).

ScimAPIsOrg-addOOBAuthenticator

AddPasswordPreProcessor

Sets the startDate, expDate in the input for the request and AuthenticationType if configured in the server setting PASSWORD_AUTHTYPE. If not configured, takes the default value (AT_STDPWD).

ScimAPIsOrg-addPasswordAuthenticatorInt

CreateDevicePreProcessor

Sets the startDate, expiryDate in the input for the request and deviceType if configured in the server setting DEVICE_TYPE. If not configured, takes the default value (DT_TDSV4).

ScimAPIs-createNewDevice

DeviceProvisionPreProcessor

Verifies if an error has occurred in previous service during the orchestration. Also sets the value of deviceType in the input for the request from the configured server setting DEVICE_TYPE. If not configured, takes the default value (DT_TDSV4).

ScimAPIs-updateDevice

DeviceProvisionJava-getProvisonMsg

OOBAuthenticatorPreprocessor

Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE or OOB_EMAIL_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML).

OTPServices-sendOOB
OTPServices-validateOOB

AddAllOOBAuthenticatorsPrePreprocessor This processes the inputs and checks whether the Auth_Key is present or not. ScimApisOrch>AddAllOOBAuthenticators
AddAllOOBAuthenticatorsPostProcessor Remove the Auth_Key from Cache, once the services are executed successfully or sends an error. ScimApisOrch>AddAllOOBAuthenticators
AddSMSOOBAuthenticatorPreProcessor Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE or OOB_EMAIL_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML). ScimAPIsOrg> addOOBAuthenticatorForOrch
AddSMSOOBAuthenticatorPostProcessor Adds an error message to the output if the add OOB authenticator service fails. ScimAPIsOrg\ addOOBAuthenticatorForOrch
AddTXOOBPreProcessor Processes the inputs and checks the error message from previous call. TransactionAuthServices\ AddTXOOBAuthForOrch
AddTXOOBAuthenticatorPostProcessor Adds an error message to the output if the add TX_OOB authenticator service fails. TransactionAuthServices\ AddTXOOBAuthForOrch
SendOOBPostProcessor Adds an error message to the output if the send OTP service fails. OTPServices\sendOOB
GetInviteCodePreProcessor This processes the inputs and checks whether the Auth_Key is present or not. PushDeviceRegistrationOrch\getInviteCode
ClientBasePreProcessor It will add client auth token to the request. FIDO - getAuthenticationOptions
GetCredentialOptionsPostProcessor It will add csrf token to the request for next call. FIDO - getAuthenticationOptions
RegisterCredentialsPreProcessor It will add csrf token to the request header. FIDO - registerCredential
RegisterCredentialsPostProcessor It will handle the empty response from the API call. FIDO - registerCredential
PARPreProcessor It will read the server property for clientId and request_uri. PushedAuthorizationRequest - PAR
PARPreProcessor It will add request_uri to the request for next call. PushedAuthorizationRequest - PAR

Troubleshooting Fabric Services

Refer to troubleshooting the Onboarding Fabric Services.