Topology example: Cloud only

These topology scenarios use OneSpan cloud services:

  • To relay push notifications (OneSpan Notification Gateway).
  • To route communication from the mobile authenticator app back to the customer network.

For instructions to set up such a topology, see Setting up a cloud-only deployment.

Scenario: Push activation (Cloud only)

Usually, the authenticator app requires activation and must register itself to opt in to further use of push notifications, i.e. push and login.

About this scenario

It supports the following mobile authenticator apps:

  • OneSpan Mobile Authenticator

Push activation topology (cloud only)

Figure: Push activation (Topology, Cloud only)

Walkthrough: Push and activate (cloud only)

  1. The user starts the mobile authenticator app, i.e. OneSpan Mobile Authenticator, and puts it into activation mode.
  2. The user initiates an online activation process of the mobile authenticator app via User Self-Management Website.
  3. The User Self-Management Website application initiates the activation on OneSpan Authentication Server.
  4. OneSpan Authentication Server generates activation data. It then sends the activation data to User Self-Management Website. User Self-Management Website creates a Cronto image and displays it to the user.
  5. The user scans the Cronto image using the mobile authenticator app.
  6. The mobile authenticator app initiates the online activation via the OneSpan DIGIPASS Gateway (cloud).
  7. OneSpan DIGIPASS Gateway (cloud) retrieves the details of the on-prem DIGIPASS Gateway and sets up a secure connection to it. OneSpan DIGIPASS Gateway (cloud) serves as a proxy between the mobile authenticator app and OneSpan Authentication Server. The following steps use this secured proxy channel.
  8. The mobile authenticator app requests authenticator license activation data from OneSpan Authentication Server.
  9. The mobile authenticator app confirms the license activation.
  10. OneSpan Authentication Server creates instance activation data. This activation data is sent to the mobile authenticator app.
  11. The mobile authenticator app activates its instance. It then sends a confirmation to OneSpan Authentication Server.
  12. OneSpan Authentication Server again sends confirmation data to the mobile authenticator app, including the user ID, user domain, and the ID of the respective on-prem DIGIPASS Gateway.
  13. The mobile authenticator app registers itself for push notifications with OneSpan Authentication Server and with the respective third-party notification service. This is required to receive push notifications in the future.

Scenario: Push and login (Cloud only)

Push and login consists of an out-of-band authentication initiated on a website or other application. The authentication request is transmitted via push notifications to a mobile app. The user can inspect and confirm the authentication request with the mobile app.

About this scenario

It supports the following mobile authenticator apps:

  • OneSpan Mobile Authenticator

Push and login topology (cloud only)

Figure: Push and login (Topology, Cloud only)

Walkthrough: Push and login (cloud only)

  1. The user initiates a push and login process using the specified request method in the client application, e.g. an application server or Digipass Authentication for Windows Logon.
  2. The client application initiates a push and login process on OneSpan Authentication Server.
  3. After receiving the corresponding request from the client application, OneSpan Authentication Server generates the required push notification message and relays it to the Message Delivery Component (MDC).
  4. MDC relays the push notification request to the OneSpan Notification Gateway.
  5. OneSpan Notification Gateway sends the push notification via third-party notification web services for the respective end device.
  6. The mobile authenticator app, e.g. OneSpan Mobile Authenticator, requests details from OneSpan DIGIPASS Gateway (cloud).
  7. OneSpan DIGIPASS Gateway (cloud) requests details from the on-prem DIGIPASS Gateway.
  8. The on-prem DIGIPASS Gateway requests details from OneSpan Authentication Server.
  9. The mobile authenticator app retrieves the push notification details from DIGIPASS Gateway and requests the user to confirm the logon request to the specified client application.
  10. The user confirms and accepts the push and login request. The mobile authenticator app authenticates the user against OneSpan Authentication Server via DIGIPASS Gateway.
  11. OneSpan Authentication Server processes this request. In case of success, it returns the authentication result to the client application.
  12. The user is informed via the client application that the authentication has succeeded.