Topology example: On-premises only

These topology scenarios do not use any OneSpan cloud service, but depend on customer-made solutions.

The push notification messages are relayed via the DIGIPASS Gateway hosted by the customer (on-premises).

The mobile authenticator app is a customer-made application implementing OneSpan Mobile Security Suite. Thus it does not need OneSpan DIGIPASS Gateway (cloud) to route its communication back to the customer network, but can connect to the customer network directly to retrieve the actual request data from OneSpan Authentication Server.

Scenario: Push and login (On-premises only)

Push and login consists of an out-of-band authentication initiated on a website or other application. The authentication request is transmitted via push notifications to a mobile app. The user can inspect and confirm the authentication request with the mobile app.

About this scenario

It supports the following mobile authenticator apps:

  • Mobile Authenticator Studio
  • OneSpan Mobile Security Suite

Figure: Push and login (Topology, On-premises only)

Walkthrough: Push and login (on-premises only)

  1. The user initiates a push and login process using the specified request method in the client application, e.g. an application server or Digipass Authentication for Windows Logon.
  2. The client application initiates a push and login process on OneSpan Authentication Server.
  3. After receiving the corresponding request from the client application, OneSpan Authentication Server generates the required push notification message. The push notification message is relayed to the Message Delivery Component (MDC) service.
  4. MDC relays the push notification request to the on-prem DIGIPASS Gateway.
  5. The on-prem DIGIPASS Gateway sends the push notification via third-party notification web services for the respective end device.
  6. The mobile authenticator app, e.g. a customer-made application implementing OneSpan Mobile Security Suite, requests the authentication request details via the on-prem DIGIPASS Gateway.
  7. The on-prem DIGIPASS Gateway requests details from OneSpan Authentication Server.
  8. The mobile authenticator app retrieves the push notification details from the on-prem DIGIPASS Gateway. It then asks the user to confirm the logon to the specified client application.
  9. The user confirms and accepts the push and login request. The mobile authenticator app authenticates the user against OneSpan Authentication Server via DIGIPASS Gateway.
  10. OneSpan Authentication Server processes this request and, in case of success, returns the authentication to the client application.
  11. The user is informed via the client application that the authentication has succeeded.

Scenario: Push and sign (On-premises only)

Push and sign allows data signing using a separate and unconnected channel (out-of-band signing).

About this scenario

It supports the following mobile authenticator apps:

  • Mobile Authenticator Studio
  • OneSpan Mobile Security Suite

Figure: Push and sign (Topology, On-premises only)

Walkthrough: Push and sign (on-premises only)

  1. The user initiates a transaction data signing request towards the application server, e.g. via a banking application site.
  2. The application server initiates a push and sign process on OneSpan Authentication Server.
  3. After receiving the corresponding request from the application server, OneSpan Authentication Server generates the required push notification message. The push notification message is relayed to the Message Delivery Component (MDC) service.
  4. MDC sends the push notification request to the on-premises DIGIPASS Gateway.
  5. The on-prem DIGIPASS Gateway sends a push notification to the mobile authenticator app via third-party notification services for the respective end device. If a user has multiple devices assigned and registered, a push notification is sent to all applicable devices (MDL instances).
  6. The mobile authenticator app, e.g. a customer-made application implementing OneSpan Mobile Security Suite, retrieves the signature transaction message via the on-premises DIGIPASS Gateway. It then asks the user to confirm the signing of the transaction data.
  7. The user confirms and accepts the push and sign request. The mobile authenticator app authenticates the user against OneSpan Authentication Server via DIGIPASS Gateway.
  8. OneSpan Authentication Server processes this request and, if applicable, returns success to the application server.
  9. The user is informed via the application server that the transaction data has been signed successfully.