User Authentication

Mandatory Server Settings

HOST

<HID Authentication Service Host>

(e.g., test123.aaas.hidcloud.com)

ORG_ADMIN_USERNAME

<Org admin user of HID Authentication Service Tenant>

(e.g., john.doe@abcorg.com)

ORG_ADMIN_PASSWORD

<Password for the Org admin user>

(e.g., Password01)

KONY_APP_KEY

<App key of the fabric application>

(e.g., h728h89031832jdy9292)

KONY_APP_SECRET

<App secret of the fabric application>

(e.g., 89bv2894673792003jy2)
Optional Server Settings

PASSWORD_AUTHTYPE

 <Static Password Authenticator if other than AT_STDPWD>

OOB_SMS_OTP_AUTHTYPE

<OOB SMS Authenticator if other than AT_OOBSMS>

OOB_EMAIL_OTP_AUTHTYPE

<OOB Email Authenticator if other than AT_OOBEML>

DEVICE_TYPE

 <Device type to be used for Approve if other than DT_TDSV4>

SECURE_OTP_AUTHTYPE

<HID Approve OTP Authenticator if other than AT_EMPOTP>

HARDWARE_OTP_AUTHTYPE

<Hardware Token OTP Authenticator if other than AT_OTP>

View Sample Server Settings

Authentication Component Properties

S.No. Property Name Allowed Values Purpose
1 isRMSEnabled Radio button to select (on/off) This property determines whether Risk Management Sysytem (RMS) is active or not.
2 tmCookieTag <RMS Cookie will have this value> This property determines the value of RMS cookie for device tag.
3 tmCookieSid <RMS Cookie will have this value> This property determines the value of RMS cookie for session id.
4 adaptiveAuth JSON object This property determines the value as JSON object to choose adaptive auth based on RMS score.
5 isRMSReadOnly Radio button to select (on/off) This property determines whether RMS is read only or not.
6 FirstFactor "STATIC_PWD", "SECURE_CODE", "OTP_SMS_PIN"

This property determines the first authentication factor to be used for the authentication.

Currently, the component supports the following factors:

  • Static password (STATIC_PWD)

  • Secure code (SECURE_CODE)

  • OTP_SMS_PIN (OTP_SMS / / OTP_EML)

7

Multi-Factor Authentication (MFA)

"OTP_SMS","OTP_EML","APPROVE", "OTP_HWT", "NO_MFA"

This property determines the second authentication factor to be used for authentication after the first authentication factor.

Currently, the component supports the following factors:

  • OTP via OOB SMS
  • OTP via OOB Email
  • Push-based authentication using HID Approve
  • OTP via hardware token

Authentication Component Functions

No public function is exposed. All the functions are called from the UI provided with the component.

Authentication Component Events

1

onSuccessCallback

Callback to be defined for successful login.
2

onFailureCallback

Callback to be defined for failure during login.

Authentication Component Flow

STATIC_PWD

  1. In the first screen, the user need to Username and Password, then click Submit.

  2. After successfully validating the user's static password, based on the defined value of the MFA property, the component displays the screen to authenticate using the second authentication factor:

  • If the user has more than one registered HID Approve device, the list of devices is displayed.
  • If user has only one registered HID Approve device, the user will receive a push notification directly.
  1. The user can either select a device to which to send Push notification or they can select to authenticate using an HID Approve Secure Code.                                   
  2. On selecting the device, the user receives a Push notification on the selected device. The user can also select to authenticate using an HID Approve Secure Code.
  3. After approving the Push notification, user is directed to the next screen confirming that they have been successfully authenticated and can log out if required.

  1. User receives an OTP either by SMS or by email based on the MFA selected.

  2. On the next screen, the user enters the received OTP and clicks Confirm to complete the authentication.

  3. After validating the OTP successfully, the user is directed to the next screen confirming that they have been successfully authenticated and can log out if required.

  1. The user generates an OTP using their hardware token.

  2. On the next screen, the user enters the OTP and clicks Confirm to complete the authentication.

  3. After validating the OTP successfully, the user is directed to the next screen confirming that they have been successfully authenticated and can log out if required.

SECURE_CODE

  1. On the first screen, user need to provide Username and activation code, then click Register Button.

  2. After successfully validating the activation code, it will show the next screen to with QR code to register user on mobile app.

    or

    User can select the "Activate Manually" option to display the details to register device manually.

    • After the device is registered successfully, user will be directed to next screen to show that the onboarding process is completed successfully.

OTP_SMS_PIN

  1. On the first screen, user need to provide Username and activation code, then click Register Button.

  2. After successfully validating the activation code, it will show the next screen to add PIN to the user.

  3. On the second screen, user need to enter the Password and Confirm Password and click Submit Button (the PIN provided here should comply to the Password policy).

    • On the third screen, user will be directed to next screen to show that the onboarding process is completed successfully.

    Note:

    • For OTP_SMS_PIN flow, it is mandatory to select MFA as NO_MFA. Because in this flow there is no authenticator is used for further authentication.

    • If any other MFA is selected with OTP_SMS_PIN, then there will be an exception.

    • If NO_MFA is selected as second authentication factor, for any first authentication factor other than OTP_SMS_PIN, then there will be an exception.

Authentication Component Services

Object Services

ServiceName DataModel Mapping Purpose Input Parameters Invoking

HIDAuthService

ApproveRequest

initiate

Send the Push notification to the HID Approve device.

Username, deviceId

HIDApproveInitiation > initiate

HIDAuthService

ApproveStatus

poll

Poll to the ApproveCallback service to fetch the status of user's response to the HID Approve Push notification.

mfa_key (authRequest Id from the initiate service response)

HIDPollConsensus > getHIDApprovalStatus

HIDAuthService

Devices

searchDevices

Get the list of devices associated with the user.

username

SearchPushDevicesOrch > getDevices

HIDAuthService

OTPRequest

sendOTP

Send the OOB (SMS/Email) OTP to the user.

username, AuthenticatorType (AT_OOBSMS/AT_OOBEML)

SendOTPService > sendOTP

Fabric Services

Names Operation Name Service Type Description

ClientIdentity

-

Identity

Fetches Client Bearer Token

customHIDLogin

-

Identity

End-user authentication with MFA validation

ClientAuthIdentityWrapper

getClientBearerToken

Integration

IntegrationWrapper of ClientIdentity

CustomFactorValidation

login

Integration

Authenticates the user using the first authentication factor, based on the input Auth type, it invokes the desired service and forms the result data set for MFA validation.

CustomMFASelector

validateMFA

Integration

Validates the MFA and authenticates the user using the second authentication factor based on the input auth type by invoking the desired services.

DependencyManager

 

Integration

Resolves the dependencies for HIDProcessor.jar.

HIDApproveInitiation

Initiate

Integration

Sends an HID Approve Push notification to the user's registered device.

HIDPollConsensus

getHIDApprovalStatus

Integration

Java service to fetch the callback response of the HID Approve push notification.

OTPAuthServices

hardwareOTPAuth

Integration

Validates the Hardware token OTP for the user.

OTPAuthServices

validateOTPAuth

Integration

Validates the OOB (SMS/Email) OTP.

PasswordAuthServices

passwordValidation

Integration

Validates the user's static password.

SearchServices

SearchDeviceAuth

Integration

Lists the devices associated with the user.

SearchServices

SearchUserAuth

Integration

Searches for the user.

SendOTPService

sendOTP

Integration

Sends an OOB (SMS/Email) OTP to the user.
UserIdentityAttributes getAttributes Integration Infinity service to fetch the customer's identity attributes.
LoginValidation validateMfa Orchestration Orchestration to validate MFA (second authentication factor) and get identity attributes for the user from Infinity.

SearchPushDevicesOrch

getDevices

Orchestration

Orchestration to fetch the userid and then gets the list of devices associated with the user.
Important: For UserIdentityAttributes, you must configure the base URL and response output to fetch the customer's identity attributes. (Required)

Java Services

Service Name Purpose Called by (Service Name-Operation)

HIDPollForConsensus

Java service which keeps polling for 45 seconds to get the status of the HID Approve Push notification sent to the user.

HIDPollConsensus-getHIDApprovalStatus

Listener Endpoints (HTTP Servlets)

Name URL Purpose Dependencies

ApproveCallBackEndpoint

https://hidglobal-dev.konycloud.com/services/ApproveCallBackEndpoint

Listen to the callback response sent by the HID Authentication Service for the user's response to the HID Approve Push notification.

  1. Value of Server Property : HOST

  2. Set the value of ATR_CIBACB attribute for the client to the URL(Column 2) in the HID Authentication Service.

  3. Set the value of "hid_ciba_callback_format_plain" to false for the client in the HID Authentication Service using the Register API.

Authentication Pre/Post Processors

Names Description Used by (ServiceName-Operation)

GetBearerTokenPostProcessor

Gets the access token from the result and adds it to the DataControllerRequest.

ClientAuthIdentityWrapper-getClientBearerToken

GetDevicesOrchPostProcessor

Processes the output of the get devices orchestration service, adds an error message to the result if any error occurs during the operation.

SearchPushDevicesOrch-getDevices

HIDApprovePostProcessor

Inserts the client_notification_token from the service output to the cache for verification during the callback.

HIDApproveInitiation-initiate

SearchDeviceAuthPostProcessor

Processes the output of Search devices for user service output to set the friendlyname, start date and expiry date to empty when the particular record in the collection does not have the value. (Post processor to fix the platform issue as collection does not work correctly on the Kony platform.)

SearchServices-SearchDeviceAuth

SearchUserAuthPostProcessor

Processes the output of Search user service and sets the value of UserExist to true/false in DataControllerRequest to be used by other services.

SearchServices-SearchUserAuth

CustomMFAValidation

Based on the input auth type, invokes the Integration service to authenticate the user for the second authentication factor and validates the MFA.

CustomMFASelector-validateMFA

CustomValidateAuthentication

Based on the input auth type, invokes the Integration service to authenticate the user for the first authentication factor and generates the result data set for MFA validation.

CustomFactorValidation-login

GetBearerTokenPreProcessor

Sets the value of x-kony-app-key and x-kony-app-secret in request header from the configured server settings KONY_APP_KEY and KONY_APP_SECRET respectively.

ClientAuthIdentityWrapper-getClientBearerToken

HardwareOTPAuthPreprocessor

Sets the value of AuthenticationType in the input for the request if configured in the server settings HARDWARE_OTP_AUTHTYPE. If not configured, takes the default value (AT_OTP).

OTPAuthServices-hardwareOTPAuth

HIDApprovePreprocessor

Generates the login_hint_token and client_notification_token for the HID Approve Push notification initiate request.

HIDApproveInitiation-initiate

OTPValidationPreprocessor

Sets the value of AuthenticationType in the input for the request if configured in the server settings OOB_SMS_OTP_AUTHTYPE, OOB_EMAIL_OTP_AUTHTYPE or SECURE_OTP_AUTHTYPE. If not configured, takes the default value (AT_OOBSMS/AT_OOBEML/AT_EMPOTP).

OTPAuthServices-validateOTPAuth

PasswordValidationPreprocessor

Sets the value of AuthenticationType in the input for the request if configured in the server settings PASSWORD_AUTHTYPE. If not configured, takes the default value (AT_STDPWD).

PasswordAuthServices-passwordValidation

SearchDeviceAuthPreProcessor

Verifies if the user exists from the Search User service output. If not, then adds the error message to the service output.

SearchServices-SearchDeviceAuth

Troubleshooting Fabric Services

Refer to troubleshooting the User Authentication Fabric Services.

Risk-based User Authentication

HID Temenos Infinity Component additionally supports an adaptive and risk-based authentication. It is optional i.e., You can enable or disable this functionality based on your needs.

HID Risk Management Solution provides this threat detection solution for real time risk-based authentication.

HID Temenos Infinity Component enables you to easily integrate with the HID RMS Web component and use the risk-based Login flow as an add-on feature available as part of User Authentication (this section) component.

Refer HID RMS Web component - Login flow for more information.