Setting up a cloud-only deployment

This topic outlines the configuration tasks and settings for a typical cloud-only deployment. This deployment lets you use push activation and push and login, with OneSpan cloud services relaying push notifications and routing communication from the mobile authenticator app back to the customer network.

For a conceptual overview of this scenario, see Topology example: Cloud only.

Deployment topology with IP (cloud only)

Figure: Deployment with IP addresses (Cloud only)

This deployment typically includes:

  • One OneSpan Authentication Server instance on the customer network in the protected network (opOAS).
  • One DIGIPASS Gateway instance on the customer network in the DMZ (opDPGW).
  • One OneSpan User Websites instance on the customer network in the DMZ (opUWS).
  • Authentication clients, e.g. Digipass Authentication for Windows Logon.
  • The OneSpan Mobile Authenticator app installed on the users' end devices.
  • OneSpan cloud services (osNG, osDPGW).

Table: Components and IP addresses (Cloud-only)

| Component | Location | Public IP address | Private IP address | Default port |
|---|---|---|---|---|
| OneSpan Authentication Server (opOAS) | Customer network | n/a | opOAS-PR | 8888 |
| DIGIPASS Gateway (opDPGW) | Customer network | opDPGW-PU | opDPGW-PR | 11080 |
| User Self-Management Website (opUWS) | Customer network | opUWS-PU | opUWS-PR | 8443 or 9443 |
| OneSpan Notification Gateway (osNG) | Cloud service | osNG-PU | n/a | |
| OneSpan DIGIPASS Gateway (cloud) (osDPGW) | Cloud service | osDPGW-PU | n/a | 11080 |

Setup outline

The following procedures describe how to configure the respective components for push and login. They assume that you have already successfully installed the required components according to the respective product documentation.

You need to do the following:

  1. Set up OneSpan Authentication Server (see Setting up OneSpan Authentication Server):

    1. Obtain a license for OneSpan Authentication Server.
    2. Install OneSpan Authentication Server. For instructions, refer to the OneSpan Authentication Server Installation Guide for Windows.
    3. Create server policies in OneSpan Authentication Server.
    4. Configure Message Delivery Component (MDC).
  2. Set up OneSpan User Websites (see Setting up OneSpan User Websites):

    1. Install OneSpan User Websites. For instructions, see OneSpan User Websites Administrator Guide.
    2. Create client components for OneSpan User Websites.
    3. Obtain and apply a component license for OneSpan User Websites.
  3. Set up DIGIPASS Gateway (see Setting up DIGIPASS Gateway):

    1. Install and configure DIGIPASS Gateway.
    2. Create client components for DIGIPASS Gateway.
    3. Obtain and apply a component license for DIGIPASS Gateway.
  4. Perform post-configuration steps (see Post-installation tasks):

    1. Register for a push notification account on the OneSpan Customer Portal (production environment).
    2. Configure OneSpan Notification Gateway in OneSpan Authentication Server.
    3. Configure your firewall.
  5. Set up OneSpan Mobile Authenticator (see Setting up the OneSpan Mobile Authenticator app).

Setting up OneSpan Authentication Server

Obtaining licenses for OneSpan Authentication Server

To obtain the required licenses, do one of the following:

  • Register with your contract ID and retrieve full licenses for a production environment.
  • Register and retrieve evaluation licenses for a test environment.

To retrieve a valid license for OneSpan Authentication Server with a contract ID (production environment)

  1. Go to the OneSpan Customer Portal at https://cp.onespan.com/.
  2. Sign in using your contract ID and serial number.
  3. Navigate to the Registrations tab.
  4. Select IDENTIKEY Authentication Server.
  5. Click New registration.
  6. Enter the private IP address of your OneSpan Authentication Server instance (opOAS-PR).
  7. Click Create. After successful registration, a table displays the registration date, the IP address, a description, and the license file (license.dat) for OneSpan Authentication Server. To download the license file, click Download license file.

To retrieve a valid evaluation license for OneSpan Authentication Server

  1. Go to the OneSpan Customer Portal at https://cp.onespan.com/.
  2. Click Get an evaluation license.
  3. Enter your personal information.
  4. Confirm your evaluation request by clicking on the link in the email.
  5. Select IDENTIKEY Product Family.
  6. Click Continue.
  7. On the New evaluation license for IDENTIKEY Product Family page, select IDENTIKEY Authentication server.
  8. Click Continue.
  9. Enter the private IP address of your OneSpan Authentication Server (opOAS-PR), accept the end-user license agreement at the bottom of the page, and click Create.
  10. Download the license file (license.dat).
  11. Click I'm done.

You will need the server license when installing OneSpan Authentication Server.

Installing OneSpan Authentication Server

Install OneSpan Authentication Server according to your requirements. A default installation is sufficient; all configuration tasks and required settings to use push and login are discussed in this guide.

For detailed instructions, refer to the OneSpan Authentication Server Installation Guide for Windows.

Creating push notification policies in OneSpan Authentication Server

You need to create client component records for the components that connect directly to OneSpan Authentication Server. Before you can create the records, you need to prepare a policy for each client component:

  • A provisioning policy to allow online activation (used by OneSpan User Websites).
  • An authentication policy for push and login (used by DIGIPASS Gateway).

To create a provisioning policy

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Policies > Create.
  3. Enter the required information:

    • Policy ID: Push Notification - Provisioning
    • Inherits from: IDENTIKEY Provisioning for Multi-Device Licensing
  4. Click SUBMIT.
  5. After creating the policy, select Click here to manage Push Notification - Provisioning.
  6. In the Available Actions pane click Edit.
  7. Verify/change the following settings in the POLICIES > Policy tab:

    • Local Authentication: Default
    • Back-End Authentication: None
    • Back-End Protocol: None
  8. Click SAVE.

To create an authentication policy

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to POLICIES > Create.
  3. Enter the required information:

    • Policy ID: Push Notification - Authentication
    • Inherits from: IDENTIKEY Authentication with Secure Channel
  4. Click SUBMIT.
  5. After creating the policy, select Click here to manage Push Notification - Authentication.
  6. Verify/change the following settings in the POLICIES > DIGIPASS tab:

    • Application Names: This field is optional. It restricts, by application name, which authenticator applications may handle requests. If this field is not set in the policy, all applications are allowed to handle requests. OneSpan Authentication Server will select one authenticator application to be included in the push notification request.
    • Secure Channel Support: Yes - Permitted
  7. Verify/change the following settings in the POLICIES > Push Notification tab:

    • Request Method: KeywordPassword
    • Request Keyword: push
    • Mobile Application Name: com.vasco.digipass.es
    • Authentication timeout (seconds): 30
  8. (OPTIONAL) Change the push notification message templates in the POLICIES > Push Notification tab:

    • Message Title: The text that will be used as the push notification title. By default, this is "Logon request".
    • Message Subject: The text that will be used as the push notification subject. By default, this is "Authenticate to [servicename]".
  9. Verify/change the following settings in the POLICIES > DP Control Parameters tab:

    • Challenge Check Mode: 0 - No Challenge Check

      The default value is 1 - DP specific Challenge Required. If you do not change this setting, provisioning will fail when attempting to activate new authenticators.

  10. Click SAVE.

Setting up Message Delivery Component (MDC)

During the installation of OneSpan Authentication Server, a default configuration of the Message Delivery Component (MDC) is set to relay push notifications to the respective cloud-based notification services (Apple APNs, Google FCM) via OneSpan Notification Gateway (OneSpan cloud services).

By default, push notifications are relayed to https://to.push.onespan.cloud/api/push_notifications via port 443.

You can use the MDC Configuration Utility to configure the HTTP gateway used for push notification delivery. For more information, see DIGIPASS Gateway Getting Started Guide and refer to the OneSpan Authentication Server Administrator Guide.

Setting up OneSpan User Websites

Installing OneSpan User Websites

You need to install and configure OneSpan User Websites to use push notification–based authentication.

Before you begin with the installation, ensure that OneSpan Authentication Server has been successfully installed. Otherwise, OneSpan User Websites remains unconfigured, and you need to configure it later manually.

For more information about installing OneSpan User Websites, see OneSpan User Websites Administrator Guide.

Creating client component records for OneSpan User Websites in OneSpan Authentication Server

You need to create certain client component records for OneSpan User Websites in the Administration Web Interface of OneSpan Authentication Server. You can find and modify the component type names in the configuration file of OneSpan User Websites:

%PROGRAMFILES%\OneSpan\User Websites\tomcat\webapps\selfmgmt\WEB-INF\classes\selfmgmt.conf

Table: Component types for push notification in OneSpan User Websites lists the properties that are relevant for push notification. The Value column refers to both the value in the OneSpan User Websites configuration file and the name of the client component in OneSpan Authentication Server.

Table: Component types for push notification in OneSpan User Websites

| Scenario | Component type | Value | Description |
|---|---|---|---|
| Online activation | component.type.provisioning.dp4mobile.dsapp | UWS DSAPP Based Provisioning | This client type will be used for online activation (MDL). Policy: Push Notification - Provisioning |
| Offline activation | component.type.provisioning.dp4mobile.mdl | UWS MDL Provisioning | This client type will be used for offline activation (MDL). Policy: Push Notification - Provisioning |
| Offline activation | component.type.provisioning.dp4mobile.standard | UWS Standard Provisioning | This client type will be used for offline activation using a QR code and for device binding. |
| Authentication | component.type.authentication | IDENTIKEY User Websites | Used for performing push notification logon and authentication when upgrading to push notification. Policy: Push Notification - Authentication |

To create a client component for online activation

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > Register.
  3. Create the new client with the following options:

    • Client Type: UWS DSAPP Based Provisioning
    • Location: Private IP address of OneSpan User Websites (opUWS-PR)
    • Policy ID: Push Notification - Provisioning
    • Protocol ID: SOAP
  4. Click Create.

To create a client component for offline activation using color QR code

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > Register.
  3. Create the new client with the following options:

    • Client Type: UWS MDL Provisioning
    • Location: Private IP address of OneSpan User Websites (opUWS-PR)
    • Policy ID: Push Notification - Provisioning
    • Protocol ID: SOAP
  4. Click Create.

To create a client component for push notification authentication

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > Register.
  3. Create the new client with the following options:

    • Client Type: IDENTIKEY User Websites
    • Location: Private IP address of OneSpan User Websites (opUWS-PR)
    • Policy ID: Push Notification - Authentication
    • Protocol ID: SOAP
  4. Click Create.

After the necessary components have been created to enable push notifications, we highly recommend creating another client component to test push notification authentication in OneSpan User Websites:

To create a client component to test push notifications

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > Register.
  3. Create the new client with the following options:

    • Client Type: Authentication Sample Client
    • Location: Private IP address of OneSpan User Websites (opUWS-PR)
    • Policy ID: Push Notification - Authentication
    • Protocol ID: SOAP
  4. Click Create.

Obtaining licenses for OneSpan User Websites

To obtain the required licenses, do one of the following:

  • Register with your contract ID and retrieve full licenses for a production environment.
  • Register and retrieve evaluation licenses for a test environment.

To retrieve a valid license for OneSpan User Websites with a contract ID (production environment)

  1. Go to the OneSpan Customer Portal at https://cp.onespan.com/.
  2. Sign in using your contract ID and serial number.
  3. Navigate to the Registrations tab.
  4. Select OneSpan User Websites.
  5. Click New registration.
  6. Enter the private IP address of your OneSpan User Websites instance (opUWS-PR).
  7. Click Create. After successful registration, a table displays the registration date, the IP address, a description, and the license file (license.dat) for OneSpan User Websites. To download the license file, click Download license file.

To retrieve a valid evaluation license for OneSpan User Websites

  1. Go to the OneSpan Customer Portal at https://cp.onespan.com/.
  2. Click Get an evaluation license.
  3. Enter your personal information.
  4. Confirm your evaluation request by clicking on the link in the email.
  5. Select IDENTIKEY Product Family, and click IDENTIKEY Add-on Software at the bottom of the New evaluation license for IDENTIKEY Product Family page.
  6. Click Continue.
  7. Select OneSpan User Websites.
  8. Click Continue.
  9. Enter the private IP address of the OneSpan User Websites (opUWS-PR). Accept the end user license agreement at the bottom of the page and click Create.
  10. Download the license file (license.dat). We recommend prefixing it with a tag, e.g. UWS-license.dat.
  11. Click I'm done.

Applying client component licenses for OneSpan User Websites

To load your license for the OneSpan User Websites client component (authentication)

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > List.
  3. Select IDENTIKEY User Websites (created in Setting up OneSpan User Websites).
  4. Switch to the License tab.
  5. Click Load License Key.
  6. Add the license file (UWS-license.dat) you downloaded from the OneSpan Customer Portal (see Obtaining licenses for OneSpan User Websites).

Setting up DIGIPASS Gateway

Installing DIGIPASS Gateway

DIGIPASS Gateway is a vital component in this setup. Its basic installation is summarized in this guide.

For detailed instructions, see DIGIPASS Gateway Getting Started Guide.

To install DIGIPASS Gateway

  1. Run the DIGIPASS Gateway setup package and follow the on-screen instructions.
  2. Configure the OneSpan Authentication Server connection and SSL certificate settings.

    This step is required only if DIGIPASS Gateway and OneSpan Authentication Server are installed on different hosts.

    admintool type dpgateway autoadd name url

    where:

    • name is the display name of the OneSpan Authentication Server entry. Valid values are primary and backup to set a primary and backup server instance, respectively. You need to set at least a primary server instance.
    • url is the IP address (or FQDN) and SOAP port of the OneSpan Authentication Server instance, including the protocol string (opOAS-PR).

    For example:

    admintool type dpgateway autoadd primary https://opOAS-PR:8888

    DIGIPASS Gateway must be configured to use the same primary and backup OneSpan Authentication Server instances as configured with the client application(s) initiating the push notification procedures.

  3. Configure the client components used by OneSpan Authentication Server and DIGIPASS Gateway:

    admintool type dpgateway component set authentication "DIGIPASS Gateway"

    admintool type dpgateway component set authentication.secure_channel "DIGIPASS Gateway"

    admintool type dpgateway component set provisioning.dp4mobile "Gateway Provisioning"

    admintool type dpgateway component set provisioning.mdl "Gateway Provisioning"

    You can view the configured client components with the following command:

    admintool type dpgateway component list

  4. Configure the DIGIPASS Gateway API keys:

    admintool type dpgateway api-key-frontend generate

    admintool type dpgateway api-key-backend generate

    The API keys are sensitive data. They are used for HTTP authentication, e.g. when the OneSpan DIGIPASS Gateway (cloud) connects to the on-prem DIGIPASS Gateway. The front-end API key is required for services typically used by the mobile applications, e.g. OneSpan Mobile Authenticator. The back-end API key is required for services typically exposed to the solution's back-end side, e.g. the banking website.

    Keep track of the front-end API key that you generate/set during the installation, as it is required to register DIGIPASS Gateway in OneSpan Authentication Server via the Web Administration Service and to create a push notification account via the OneSpan Customer Portal (see Registering for a push notification account on the OneSpan Customer Portal (production environment)).

    Note that the OneSpan Customer Portal refers to the front-end API key as DP Gateway Password.

To verify that DIGIPASS Gateway has been successfully installed and is publicly reachable, you can try to connect to it using the following command:

curl -v -u frontend_api_key: -k https://dpgateway_host:11080/test

For example:

curl -v -u 120b1af5a433379255212cfd: -k https://opDPGW-PU:11080/test

If DIGIPASS Gateway is set up correctly and can be reached, you should see output similar to:

{"type":"Hello from DP-Gateway!","version":"5.5.0-9999"}* Connection #0 to host 192.0.2.10 left intact
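The same check with certificate validation left on, as an added example that is not part of the OneSpan documentation. The -k option in the curl command skips TLS certificate validation, and a key passed on the command line ends up in the shell history, so this version validates the certificate and reads the key from the environment. The environment variable names DPGW_HOST, DPGW_FRONTEND_API_KEY and DPGW_CA_FILE are assumptions of the example.

```python
"""Added example: query the DIGIPASS Gateway /test endpoint with TLS validation."""
import base64
import json
import os
import ssl
import urllib.request
from typing import Optional

# Greeting taken from the sample output shown on this page.
EXPECTED_TYPE = "Hello from DP-Gateway!"


def basic_auth_header(frontend_api_key: str) -> str:
    """Build the header that `curl -u KEY:` sends: KEY as user name, empty password."""
    token = base64.b64encode(f"{frontend_api_key}:".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_hello(body: bytes) -> str:
    """Return the gateway version, or raise ValueError if the body is not the greeting."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("response is not JSON") from exc
    if not isinstance(doc, dict) or doc.get("type") != EXPECTED_TYPE:
        raise ValueError("response is not the DIGIPASS Gateway greeting")
    version = doc.get("version")
    if not isinstance(version, str) or not version:
        raise ValueError("greeting carries no version")
    return version


def check_gateway(host: str, frontend_api_key: str, port: int = 11080,
                  ca_file: Optional[str] = None, timeout: float = 10.0) -> str:
    """Call https://host:port/test and return the reported version.

    The default SSL context verifies the certificate chain and the host name,
    so a self-signed or mismatched certificate fails here instead of being
    silently accepted. Pass ca_file to trust a private CA.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"https://{host}:{port}/test",
        headers={"Authorization": basic_auth_header(frontend_api_key)},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_hello(resp.read(4096))


if __name__ == "__main__":
    # Assumed variable names; the key never appears on the command line.
    host = os.environ.get("DPGW_HOST")
    key = os.environ.get("DPGW_FRONTEND_API_KEY")
    if not host or not key:
        print("set DPGW_HOST and DPGW_FRONTEND_API_KEY")
    else:
        try:
            version = check_gateway(host, key, ca_file=os.environ.get("DPGW_CA_FILE"))
            print("gateway reachable, version", version)
        except (OSError, ValueError) as exc:
            # URLError and SSL errors are OSError subclasses.
            print("gateway check failed:", exc)
```

A certificate error from this script while the curl -k command succeeds means the gateway is reachable but its certificate is not trusted by the client.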

Creating client component records for DIGIPASS Gateway in OneSpan Authentication Server

DIGIPASS Gateway communicates with OneSpan Authentication Server via SOAP to process provisioning and authentication requests. Therefore, provisioning and authentication client component records need to be created in OneSpan Authentication Server for DIGIPASS Gateway.

The Value column refers to both the value in the DIGIPASS Gateway configuration and the name of the client component in OneSpan Authentication Server.

Table: DIGIPASS Gateway component types for push notifications in OneSpan Authentication Server

| Scenario | Component type | Value | Description |
|---|---|---|---|
| Online activation | provisioning.dp4mobile | Gateway Provisioning | This is needed for the retrieval of activation data using DSAPP. Policy: Push Notification - Provisioning |
| Offline activation | provisioning.mdl | Gateway Provisioning | This is needed for offline activation of MDL devices. Policy: Push Notification - Provisioning |
| Authentication | authentication | DIGIPASS Gateway | This is needed for authentication when performing a PIN change. Policy: Push Notification - Authentication |
| Authentication | authentication.secure_channel | DIGIPASS Gateway | This is needed for authentication when performing a push notification logon. Policy: Push Notification - Authentication |
| Test | authentication | Authentication Sample Client | This is used for testing purposes during setup. |

To create a provisioning client component record for DIGIPASS Gateway

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > Register.
  3. Create the new client with the following options:

    • Client Type: Gateway Provisioning
    • Location: Private IP address of DIGIPASS Gateway (opDPGW-PR)
    • Policy ID: Push Notification - Provisioning
    • Protocol ID: SOAP
  4. Click Create.

To create an authentication client component record for DIGIPASS Gateway

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > Register.
  3. Create the new client with the following options:

    • Client Type: DIGIPASS Gateway
    • Location: Private IP address of DIGIPASS Gateway (opDPGW-PR)
    • Policy ID: Push Notification - Authentication
    • Protocol ID: SOAP
  4. Click Create.

Obtaining licenses for DIGIPASS Gateway

To obtain the required licenses, do one of the following:

  • Register with your contract ID and retrieve full licenses for a production environment.
  • Register and retrieve evaluation licenses for a test environment.

To retrieve a valid license for DIGIPASS Gateway with a contract ID (production environment)

  1. Go to the OneSpan Customer Portal at https://cp.onespan.com/.
  2. Sign in using your contract ID and serial number.
  3. Navigate to the Registrations tab.
  4. Select DIGIPASS Gateway.
  5. Click New registration.
  6. Enter the private IP address of your DIGIPASS Gateway instance (opDPGW-PR).
  7. Click Create. After successful registration, a table displays the registration date, the IP address, a description, and the license file (license.dat) for DIGIPASS Gateway. To download the license file, click Download license file.

To retrieve a valid evaluation license and register your on-prem DIGIPASS Gateway

  1. Go to the OneSpan Customer Portal at https://cp.onespan.com/.
  2. Click Get an evaluation license.
  3. Enter your personal information.
  4. Confirm your evaluation request by clicking on the link in the email.
  5. On the IDENTIKEY Add-on Software page select DIGIPASS Gateway.
  6. Click Continue.
  7. Enter the evaluation license details for the on-prem DIGIPASS Gateway, including the following information:

    • IP Address: The private IP address of the on-prem DIGIPASS Gateway (opDPGW-PR), e.g. 192.0.2.1. This is the address DIGIPASS Gateway uses to communicate with the OneSpan Authentication Server instance.
    • Description: This field is optional.
    • URL: This is the public URL where the on-prem DIGIPASS Gateway can be accessed from the Internet (opDPGW-PU), e.g. https://192.0.2.1:11080/rest/v2. This is required for the OneSpan Notification Gateway to communicate with your on-prem DIGIPASS Gateway. Note that old app versions, including the OneSpan Mobile Authenticator app, are still using the legacy API URL, for example, https://192.0.2.1:11080/rest.
    • DP Gateway Password: This is the front-end API key generated during the installation of DIGIPASS Gateway (see Setting up DIGIPASS Gateway).
  8. Click Create.
  9. Download the license file (license.dat). We recommend prefixing it with a tag, e.g. DPGW-license.dat.
  10. Download the DIGIPASS Gateway data for future reference and to use in Configuring OneSpan Notification Gateway in OneSpan Authentication Server.
  11. Click I'm done.

Applying client component licenses for DIGIPASS Gateway

To load your license for the DIGIPASS Gateway client component (authentication)

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to Clients > List.
  3. Select DIGIPASS Gateway (created in Setting up DIGIPASS Gateway).
  4. Switch to the License tab.
  5. Click Load License Key.
  6. Add the license file (DPGW-license.dat) you downloaded from the OneSpan Customer Portal (see Obtaining licenses for DIGIPASS Gateway).

Post-installation tasks

Registering for a push notification account on the OneSpan Customer Portal (production environment)

You need to create a push notification account on the OneSpan Customer Portal.

This procedure does not apply to evaluation licenses, because the push notification account was created while creating the DIGIPASS Gateway evaluation license (see Obtaining licenses for DIGIPASS Gateway).

To create a push notification account

  1. Go to the OneSpan Customer Portal at https://cp.onespan.com/.
  2. Sign in using your contract ID and serial number.
  3. Navigate to the Push Notifications tab.
  4. Click Add New Account.
  5. Enter the following information here:

    • URL: This is the public URL where the on-prem DIGIPASS Gateway can be accessed from the Internet (opDPGW-PU), e.g. https://192.0.2.1:11080/rest/v2. Note that old app versions, including the OneSpan Mobile Authenticator app, are still using the legacy API URL, for example, https://192.0.2.1:11080/rest.
    • DP Gateway Password: This is the front-end API key that has been set/generated during the installation of DIGIPASS Gateway (see Setting up DIGIPASS Gateway).
  6. Click Create.

    The DP Gateway ID and API Key will be automatically generated. They are required to configure push notifications in OneSpan Authentication Server (see Configuring OneSpan Notification Gateway in OneSpan Authentication Server).

Configuring OneSpan Notification Gateway in OneSpan Authentication Server

You need to configure the DIGIPASS Gateway data that has been generated by the OneSpan Customer Portal in OneSpan Authentication Server.

To register DIGIPASS Gateway in OneSpan Authentication Server

  1. Open the OneSpan Authentication Server Administration Web Interface.
  2. Navigate to SERVERS > Global Configuration > Push Notification.
  3. Click Edit.
  4. Enter the following information here:

  5. Click Save.

Configuring your firewall

Some mobile client applications, such as the OneSpan Mobile Authenticator app, send requests back to the on-prem DIGIPASS Gateway via the OneSpan cloud services.

To be able to do so, you need to allow incoming traffic from the following DNS name and IP addresses:

from.push.onespan.cloud

52.212.65.44, 54.195.122.202, 52.18.53.166

Furthermore, you need to allow outgoing traffic to the following DNS name and IP address:

to.push.onespan.cloud

34.247.152.60

Do not forget to also properly configure any personal firewall software installed on the on-prem DIGIPASS Gateway servers, such as Windows Defender Firewall, to avoid connection issues.
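One way to confirm the host firewall matches the addresses above is to audit its log, shown here as an added example that is not part of the OneSpan documentation. It assumes Windows Defender Firewall logging of allowed and dropped connections is enabled and writes the standard pfirewall.log field layout, and that the gateway listens on its default port 11080; the sample log lines are constructed, with 10.0.0.5 standing in for opDPGW-PR.

```python
"""Added example: audit a Windows Defender Firewall log against the relay addresses."""
from ipaddress import ip_address

# Addresses and ports taken from this page.
RELAY_INBOUND = {ip_address(a) for a in ("52.212.65.44", "54.195.122.202", "52.18.53.166")}
RELAY_OUTBOUND = {ip_address("34.247.152.60")}
GATEWAY_PORT = 11080  # default DIGIPASS Gateway port
PUSH_PORT = 443       # to.push.onespan.cloud

# Constructed sample in pfirewall.log format (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-06 09:14:02 ALLOW TCP 52.212.65.44 10.0.0.5 50311 11080 0 - 0 0 0 - - - RECEIVE
2024-05-06 09:14:07 DROP TCP 54.195.122.202 10.0.0.5 41822 11080 52 S 3921004471 0 8192 - - - RECEIVE
2024-05-06 09:14:09 DROP TCP 10.0.0.5 34.247.152.60 49733 443 52 S 1184402211 0 64240 - - - SEND
2024-05-06 09:15:31 DROP TCP 198.51.100.23 10.0.0.5 60122 3389 52 S 77120033 0 8192 - - - RECEIVE
2024-05-06 09:16:00 ALLOW TCP 198.51.100.77 10.0.0.5 51200 11080 0 - 0 0 0 - - - RECEIVE
"""


def parse_log(text):
    """Parse pfirewall.log text into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records


def _addr(value):
    """Return an ip_address, or None for '-' and other non-address values."""
    try:
        return ip_address(value)
    except ValueError:
        return None


def _port(value):
    """Return the port as int, or None for '-' (e.g. ICMP records)."""
    return int(value) if value.isdigit() else None


def audit(records):
    """Return (finding, address, port) tuples.

    relay-inbound-dropped:    a OneSpan relay address was blocked on the gateway
                              port, so requests from the app cannot arrive.
    push-outbound-dropped:    the host could not reach to.push.onespan.cloud.
    non-relay-source-allowed: informational; another source reached the gateway
                              port (the mobile connection test on this page
                              also produces such entries).
    """
    findings = []
    for rec in records:
        action, path = rec.get("action"), rec.get("path")
        src = _addr(rec.get("src-ip", ""))
        dst = _addr(rec.get("dst-ip", ""))
        port = _port(rec.get("dst-port", ""))
        if path == "RECEIVE" and port == GATEWAY_PORT:
            if action == "DROP" and src in RELAY_INBOUND:
                findings.append(("relay-inbound-dropped", str(src), port))
            elif action == "ALLOW" and src is not None and src not in RELAY_INBOUND:
                findings.append(("non-relay-source-allowed", str(src), port))
        elif (path == "SEND" and action == "DROP"
              and dst in RELAY_OUTBOUND and port == PUSH_PORT):
            findings.append(("push-outbound-dropped", str(dst), port))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(*finding)
```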

Setting up the OneSpan Mobile Authenticator app

The latest version of the OneSpan Mobile Authenticator app can be downloaded from the relevant mobile market places:

After installation, the iOS development version requires the user to trust the application before it can be used.

To trust an app on iOS

  1. Go to Settings > Device Management.
  2. Select the Enterprise App from the list.
  3. Select Trust <developer name> and confirm.

Testing the cloud-only deployment

Testing the connection to the on-prem DIGIPASS Gateway

The on-prem DIGIPASS Gateway is the proxy to the customer network. This test verifies that you can access it from your mobile device via its public IP address (opDPGW-PU).

To test the connection to the on-prem DIGIPASS Gateway (on the mobile device)

  1. Disable Wi-Fi on your mobile device.
  2. Enable mobile data only.
  3. Open a web browser and browse to the DIGIPASS Gateway test endpoint, i.e. https://dpgateway_host:11080/test.

    dpgateway_host is the public IP address of the on-prem DIGIPASS Gateway (opDPGW-PU).

    If you do not get a response, verify your firewall and connection settings (see Configuring your firewall).

Testing offline activation

This test verifies that offline activation of the OneSpan Mobile Authenticator app works, i.e. the activation code is generated and entered into the authenticator manually (via the app).

To test the offline activation of the OneSpan Mobile Authenticator app

  1. Open OneSpan Authentication Server Administration Web Interface.
  2. Create a test user, e.g. user pn with password Test1234.
  3. Import a test DIGIPASS export file (DPX) for the OneSpan Mobile Authenticator app, e.g. %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\dpx\Demo_DIGIPASSApp.dpx.

    Transport key: 11111111111111111111111111111111 (press the 1 key 32 times).

  4. On the mobile device, install the OneSpan Mobile Authenticator app.
  5. In OneSpan User Websites (e.g. https://opUWS-PU:9443/selfmgmt), select ACTIVATE > 2-Step Offline Activation using a Color QR code.
  6. Type the credentials of the test user and click REGISTER.
  7. In the OneSpan Mobile Authenticator app, scan the color QR code.
  8. Choose and confirm a PIN.
  9. In OneSpan User Websites, type the device code calculated by the app in the ACTIVATION STEP (1/2) page and click CONTINUE.
  10. In the OneSpan Mobile Authenticator app, scan the color QR code and accept the default authenticator name.
  11. In OneSpan User Websites, type the signature calculated by the app in the ACTIVATION STEP (2/2) page and click ACTIVATE.
  12. In the OneSpan Mobile Authenticator app, tap the arrow to continue.
  13. Accept the warning to get a confirmation from OneSpan Authentication Server.
  14. Verify the registration details:

    1. In OneSpan Authentication Server Administration Web Interface, verify the authenticator license that was assigned to the test user.
    2. Verify the details of the authenticator instance. Focus on the DIGIPASS, Activation Information, and Recent Activity tabs.
  15. In OneSpan Authentication Server Administration Web Interface, delete the authenticator instance and the authenticator assigned to the test user.

Testing online activation

This test verifies that online activation of the OneSpan Mobile Authenticator app works, i.e. the full activation data is generated and pushed to the authenticator without user involvement.

To test the online activation of the OneSpan Mobile Authenticator app

  1. In OneSpan User Websites (e.g. https://opUWS-PU:9443/selfmgmt), select Self-Registration, Auto-Assignment, and Online Activation for Mobile Authenticator.
  2. Type the name and the password of the test user and click CONTINUE.

    If back-end authentication is successful, the page will display a color QR code containing the activation data.

  3. On the mobile device, open the OneSpan Mobile Authenticator app. The activation screen is displayed.

  4. Follow the on-screen instructions to scan the color QR code and activate the OneSpan Mobile Authenticator app.
  5. Enter a device PIN.

    When the activation is completed, the OneSpan Mobile Authenticator app displays a one-time password (OTP).

  6. In OneSpan User Websites, click DONE. You are redirected to the OneSpan User Websites main page.
  7. Verify the activation results:

    1. In OneSpan Authentication Server Administration Web Interface:

      • Verify the authenticator license that was assigned to the test user, e.g. DTA0008364 (via the DIGIPASS page).
      • Verify the authenticator instance that was activated and assigned to the test user, e.g. DTA0008364-1 (via the DIGIPASS page).
      • Verify that the OneSpan Mobile Authenticator app is registered to receive push notifications in the authenticator instance. For the respective authenticator instance, the value of Activation Information > Push Notification Identifier must be a number.
      • Verify the DIGIPASS Gateway ID (via the SERVERS > Global Configuration > Push Notification tab). You will have to compare it with the back-end identifier set in the OneSpan Mobile Authenticator app in a subsequent step.
    2. In the OneSpan Mobile Authenticator app (via Application Info):

      • Inspect the details of the application info for the test authenticator pn. Verify that the license serial number matches the one in OneSpan Authentication Server Administration Web Interface.
      • Verify that the instance number under Sequence Number matches the one in OneSpan Authentication Server Administration Web Interface.
      • Verify that the back-end identifier matches the one in DIGIPASS Gateway ID in OneSpan Authentication Server Administration Web Interface.

Testing online authentication

To test online authentication (push and login)

  1. In OneSpan User Websites (e.g. https://opUWS-PU:9443/selfmgmt), select Login Test.
  2. Type the name of the test user, i.e. pn.
  3. Type the push notification keyword and the password of the test user, i.e. pushTest1234.
  4. Click LOG IN.
  5. On the mobile device, accept the received push notification.
  6. Follow the on-screen instructions of the device and confirm the authentication on the mobile device to complete the authentication process.
  7. The device displays a message that your authentication was successful.