User Authentication

Mandatory Server Settings	HOST	<HID Authentication Service Host>
	ORG_ADMIN_USERNAME	<Org admin user of HID Authentication Service Tenant>
	ORG_ADMIN_PASSWORD	<Password for the Org admin user>
	KONY_APP_KEY	<App key of the fabric application>
	KONY_APP_SECRET	<App secret of the fabric application>
Optional Server Settings	PASSWORD_AUTHTYPE	<Static Password Authenticator if other than AT_STDPWD>
	OOB_SMS_OTP_AUTHTYPE	<OOB SMS Authenticator if other than AT_OOBSMS>
	OOB_EMAIL_OTP_AUTHTYPE	<OOB Email Authenticator if other than AT_OOBEML>
	DEVICE_TYPE	<Device type to be used for Approve if other than DT_TDSV4>
	SECURE_OTP_AUTHTYPE	<HID Approve OTP Authenticator if other than AT_EMPOTP>
	HARDWARE_OTP_AUTHTYPE	<Hardware Token OTP Authenticator if other than AT_OTP>

Authentication Component Properties

S.No.	Property Name	Allowed Values	Purpose
1	MFA	"OTP_SMS","OTP_EML","APPROVE", "OTP_HWT"	This property determines the second authentication factor to be used for authentication after the Static password authentication. Currently, the component supports the following factors: OTP via OOB SMS OTP via OOB Email Push-based authentication using HID Approve OTP via hardware token

S.No.

Property Name

Allowed Values

Purpose

MFA

"OTP_SMS","OTP_EML","APPROVE", "OTP_HWT"

This property determines the second authentication factor to be used for authentication after the Static password authentication.

Currently, the component supports the following factors:

OTP via OOB SMS
OTP via OOB Email
Push-based authentication using HID Approve
OTP via hardware token

Authentication Component Functions

No public function is exposed. All the functions are called from the UI provided with the component.

Authentication Component Events

1	onSuccessCallback	Callback to be defined for successful login.
2	onFailureCallback	Callback to be defined for failure during login.

Authentication Component Flow

In the first screen, the user provides their Username and Password, then clicks Submit.
After successfully validating the user's static password, based on the defined value of the MFA property, the component displays the screen to authenticate using the second authentication factor:

HID Approve

If the user has more than one registered HID Approve device, the list of devices is displayed.

If user has only one registered HID Approve device, the user will receive a push notification directly.

The user can either select a device to which to send Push notification or they can select to authenticate using an HID Approve Secure Code.

On selecting the device, the user receives a Push notification on the selected device. The user can also select to authenticate using an HID Approve Secure Code.

After approving the Push notification, user is directed to the next screen confirming that they have been successfully authenticated and can log out if required.

OTP via SMS or Email

User receives an OTP either by SMS or by email based on the MFA selected.

On the next screen, the user enters the received OTP and clicks Confirm to complete the authentication.

After validating the OTP successfully, the user is directed to the next screen confirming that they have been successfully authenticated and can log out if required.

OTP with Hardware token

The user generates an OTP using their hardware token.

On the next screen, the user enters the OTP and clicks Confirm to complete the authentication.

After validating the OTP successfully, the user is directed to the next screen confirming that they have been successfully authenticated and can log out if required.

Authentication Component Services

Object Services

ServiceName	DataModel	Mapping	Purpose	Input Parameters	Invoking
HIDAuthService	ApproveRequest	initiate	Send the Push notification to the HID Approve device.	Username, deviceId	HIDApproveInitiation > initiate
HIDAuthService	ApproveStatus	poll	Poll to the ApproveCallback service to fetch the status of user's response to the HID Approve Push notification.	mfa_key (authRequest Id from the initiate service response)	HIDPollConsensus > getHIDApprovalStatus
HIDAuthService	Devices	searchDevices	Get the list of devices associated with the user.	username	SearchPushDevicesOrch > getDevices
HIDAuthService	OTPRequest	sendOTP	Send the OOB (SMS/Email) OTP to the user.	username, AuthenticatorType (AT_OOBSMS/AT_OOBEML)	SendOTPService > sendOTP

Fabric Services

Names	Operation Name	Service Type	Description
ClientIdentity	-	Identity	Fetches Client Bearer Token
customHIDLogin	-	Identity	End-user authentication with MFA validation
ClientAuthIdentityWrapper	getClientBearerToken	Integration	IntegrationWrapper of ClientIdentity
CustomFactorValidation	login	Integration	Authenticates the user using the first authentication factor, based on the input Auth type, it invokes the desired service and forms the result data set for MFA validation.
CustomMFASelector	validateMFA	Integration	Validates the MFA and authenticates the user using the second authentication factor based on the input auth type by invoking the desired services.
DependencyManager		Integration	Resolves the dependencies for HIDProcessor.jar.
HIDApproveInitiation	Initiate	Integration	Sends an HID Approve Push notification to the user's registered device.
HIDPollConsensus	getHIDApprovalStatus	Integration	Java service to fetch the callback response of the HID Approve push notification.
OTPAuthServices	hardwareOTPAuth	Integration	Validates the Hardware token OTP for the user.
OTPAuthServices	validateOTPAuth	Integration	Validates the OOB (SMS/Email) OTP.
PasswordAuthServices	passwordValidation	Integration	Validates the user's static password.
SearchServices	SearchDeviceAuth	Integration	Lists the devices associated with the user.
SearchServices	SearchUserAuth	Integration	Searches for the user.
SendOTPService	sendOTP	Integration	Sends an OOB (SMS/Email) OTP to the user.
UserIdentityAttributes	getAttributes	Integration	Infinity service to fetch the customer's identity attributes.
LoginValidation	validateMfa	Orchestration	Orchestration to validate MFA (second authentication factor) and get identity attributes for the user from Infinity.
SearchPushDevicesOrch	getDevices	Orchestration	Orchestration to fetch the userid and then gets the list of devices associated with the user.

Important: For UserIdentityAttributes, you must configure the base URL and response output to fetch the customer's identity attributes. (Required)

Java Services

Service Name	Purpose	Called by (Service Name-Operation)
HIDPollForConsensus	Java service which keeps polling for 45 seconds to get the status of the HID Approve Push notification sent to the user.	HIDPollConsensus-getHIDApprovalStatus

Listener Endpoints (HTTP Servlets)

Name	URL	Purpose	Dependencies
ApproveCallBackEndpoint	https://hidglobaltest.konycloud.com:443/services/ApproveCallBackEndpoint	Listen to the callback response sent by the HID Authentication Service for the user's response to the HID Approve Push notification.	Value of Server Property : HOST Set the value of ATR_CIBACB attribute for the client to the URL(Column 2) in the HID Authentication Service. Set the value of "hid_ciba_callback_format_plain" to false for the client in the HID Authentication Service using the Register API.

Authentication Pre/Post Processors

Names	Description	Used by (ServiceName-Operation)
GetBearerTokenPostProcessor	Gets the access token from the result and adds it to the DataControllerRequest.	ClientAuthIdentityWrapper-getClientBearerToken
GetDevicesOrchPostProcessor	Processes the output of the get devices orchestration service, adds an error message to the result if any error occurs during the operation.	SearchPushDevicesOrch-getDevices
HIDApprovePostProcessor	Inserts the client_notification_token from the service output to the cache for verification during the callback.	HIDApproveInitiation-initiate
SearchDeviceAuthPostProcessor	Processes the output of Search devices for user service output to set the friendlyname, start date and expiry date to empty when the particular record in the collection does not have the value. (Post processor to fix the platform issue as collection does not work correctly on the Kony platform.)	SearchServices-SearchDeviceAuth
SearchUserAuthPostProcessor	Processes the output of Search user service and sets the value of UserExist to true/false in DataControllerRequest to be used by other services.	SearchServices-SearchUserAuth
CustomMFAValidation	Based on the input auth type, invokes the Integration service to authenticate the user for the second authentication factor and validates the MFA.	CustomMFASelector-validateMFA
CustomValidateAuthentication	Based on the input auth type, invokes the Integration service to authenticate the user for the first authentication factor and generates the result data set for MFA validation.	CustomFactorValidation-login
GetBearerTokenPreProcessor	Sets the value of x-kony-app-key and x-kony-app-secret in request header from the configured server settings KONY_APP_KEY and KONY_APP_SECRET respectively.	ClientAuthIdentityWrapper-getClientBearerToken
HardwareOTPAuthPreprocessor	Sets the value of AuthenticationType in the input for the request if configured in the server settings HARDWARE_OTP_AUTHTYPE. If not configured, takes the default value (AT_OTP).	OTPAuthServices-hardwareOTPAuth
HIDApprovePreprocessor	Generates the login_hint_token and client_notification_token for the HID Approve Push notification initiate request.	HIDApproveInitiation-initiate
OTPValidationPreprocessor	Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE, OOB_EMAIL_OTP_AUTHTYPE or SECURE_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML/AT_EMPOTP).	OTPAuthServices-validateOTPAuth
PasswordValidationPreprocessor	Sets the value of AuthenticationType in the input for the request if configured in the server settings PASSWORD_AUTHTYPE. If not configured, takes the default value (AT_STDPWD).	PasswordAuthServices-passwordValidation
SearchDeviceAuthPreProcessor	Verifies if the user exists from the Search User service output. If not, then adds the error message to the service output.	SearchServices-SearchDeviceAuth

Risk-based User Authentication

HID Temenos Infinity Component additionally supports an adaptive and risk-based authentication. It is optional i.e., You can enable or disable this functionality based on your needs.

HID Risk Management Solution provides this threat detection solution for real time risk-based authentication.

HID Temenos Infinity Component enables you to easily integrate with the HID RMS Web component and use the risk-based Login flow as an add-on feature available as part of User Authentication (this section) component.

Refer HID RMS Web component - Login flow for more information.