FIDO UAF onboarding in the Sandbox and Production environments

Overview of the FIDO UAF architecture

A typical FIDO UAFClosed FIDO UAF aims to substitute password authentication. It provides passwordless and multi-factor authentication with compliant authenticators. deployment for the Sandbox and Production environments involves the following parties:

  • Relying Party Service (RPS). The back-end server of the mobile application acts as the Relying Party Service. Via a secure connection (TLS certificates), the mobile application delegates FIDO Server responsibilities to the OneSpan Trusted Identity platform API.
  • OneSpan Trusted Identity platform API. This REST API exposes the FIDO UAF Server functionality via dedicated FIDO endpoints that are available in Intelligent Adaptive Authentication.

For more information about FIDO concepts, refer to the specifications and technical glossary provided by the FIDO Alliance.

Prerequisites

Before you start the onboarding process with OneSpan, ensure that you completed the following steps:

  • A mobile application with FIDO UAF client capabilities has been configured.
  • Your Relying Party Service has been adjusted to be able to connect to the OneSpan Trusted Identity platform API service.

Configuration of FIDO UAF in the Sandbox and Production environments

To enable the integration of FIDO UAF-based functionalities with Intelligent Adaptive Authentication for the Sandbox and Production environments, the following information must be provided to configure the FIDO UAF Server correctly:

To enable FIDO UAF for the Sandbox and Production environments, submit a service request on the Product Support page by clicking the corresponding button.

Tenant name

Ensure that you already have created a tenant. To enable FIDO UAF, provide the tenant name to OneSpan support—our support staff will activate FIDO UAF for you.

AppID

When you set up FIDO UAF, you must configure the AppIDClosed The AppID is a URL provided as part of the protocol message, sent by the server, which indicates the scope of the newly generated keys, which is basically a URL, to allow scoping the registered keys to different platform applications. From this AppID, a list of trusted facets is retrieved. This list of trusted facets is defined and stored in Intelligent Adaptive Authentication during the configuration of the Relying PartyClosed A web site or other entity that uses a FIDO protocol to directly authenticate users (i.e., performs peer-entity authentication). Note that if FIDO is composed with federated identity management protocols (e.g. SAML, OpenID Connect etc.), the identity provider will also be playing the role of a FIDO Relying Party..

On the client side, the FIDO Client ensures that only the trusted facets are allowed to work with the registered keys for performing the FIDO ceremonies.

As the mobile application is not connected directly to the OneSpan Trusted Identity platform API, the Relying Party Service must expose the AppID that is used to retrieve the trusted facets list to the FIDO client. Internally, the Relying Party Service obtains the trusted facets from the OneSpan Trusted Identity platform API app facets endpoint:

Trusted facets list: retrieval process

Sequence of the trusted facets list retrieval

  1. The mobile application, which includes the FIDO Client, retrieves the AppId: https://yourwebapp.example.com/AppId.
  2. The Relying Party Service, as the back end of the mobile application, obtains the trusted facets from the OneSpan Trusted Identity platform API app facets endpoint:
  3. The API returns the list of facets to the Relying Party Service.
  4. The Relying Party Service returns the list to the mobile application.
  5. The FIDO Client included in the mobile application verifies that the facet is included in the list of trusted facets.

Trusted facets list

The trusted facets returned by the OneSpan Trusted Identity platform API app facets endpoint, GET /fido-uaf-app-facets, is used for the configuration of the FIDO UAF Server Relying Party.

Android

For Android devices, the facet ID must be a URI derived from the Base64 encoding SHA-1 hash of the APK signing certificate [APK-Signing]: android:apk-key-hash:base64_encoded_sha1_hash-of-apk-signing-cert.

Android facet ID example:

"android:apk-key-hash:NTQ3Mjg1Mjk1ODc1NzA1NzQ1ODc1NzM"

iOS

For iOS devices, the facet ID must be the Bundle ID [BundleID] URI of the application: ios:bundle-id:ios-bundle-id-of-app.

iOS facet ID example:

"ios:bundle-id:com.example.foo"

Metadata statements

The FIDO UAF Server works out-of-the-box with a list of supported FIDO UAF authenticators which are part of the FIDO Alliance Metadata Service version 3.0.

If you intend to use an authenticator that is not included in the FIDO Alliance Metadata Service, ensure that you provide the relevant metadata statements to OneSpan in the v3 format.

For more information about FIDO UAF authenticators supported by the FIDO Alliance Metadata Service, see FIDO UAF-supported authenticators.

Next steps

With this, FIDO UAF is enabled and you are ready to use the supported FIDO UAF operations. For more information on these operations, see the following articles: