FIDO UAF Onboarding in the Sandbox and Production Environments
- Updated on 25 Oct 2024
Overview of the FIDO UAF architecture
A typical FIDO UAF deployment for the Sandbox and Production environments involves the following parties:
Client infrastructure. This includes the FIDO user device with the FIDO UAF client integrated in the mobile application. By default, OneSpan supports the FIDO UAF authenticators which are part of the FIDO Alliance Metadata Service version 3.0.
Relying Party Service (RPS). The back-end server of the mobile application acts as the Relying Party Service. The RPS connects to the OneSpan Trusted Identity platform API over a TLS-protected connection and delegates the FIDO Server role to it; the mobile application itself never talks to the OneSpan API directly.
OneSpan Trusted Identity platform API. This REST API exposes the FIDO UAF Server functionality via dedicated FIDO endpoints that are available in Intelligent Adaptive Authentication.
For more information about FIDO concepts, refer to the specifications and technical glossary provided by the FIDO Alliance.
Prerequisites
Before you start the onboarding process with OneSpan, ensure that you completed the following steps:
A mobile application with FIDO UAF client capabilities has been configured.
Your Relying Party Service has been adjusted to be able to connect to the OneSpan Trusted Identity platform API service.
Configuration of FIDO UAF in the Sandbox and Production environments
To enable the integration of FIDO UAF-based functionalities with Intelligent Adaptive Authentication for the Sandbox and Production environments, the following information must be provided to configure the FIDO UAF Server correctly:
Tenant name
AppID of your mobile application
Trusted facets list
(If required) Metadata statements
To enable FIDO UAF for the Sandbox and Production environments, submit a service request on the Product Support page by clicking the corresponding button.
Tenant name
Ensure that you already have created a tenant. To enable FIDO UAF, provide the tenant name to OneSpan support—our support staff will activate FIDO UAF for you.
AppID
When you set up FIDO UAF, you must configure the AppID. The AppID is an https URL that scopes the registered keys to a defined set of platform applications: a key registered under one AppID cannot be used by applications belonging to a different AppID. From this AppID, the FIDO Client retrieves the list of trusted facets. This list of trusted facets is defined and stored in Intelligent Adaptive Authentication during the configuration of the Relying Party.
On the client side, the FIDO Client ensures that only the trusted facets are allowed to work with the registered keys for performing the FIDO ceremonies.
As the mobile application is not connected directly to the OneSpan Trusted Identity platform API, the Relying Party Service must serve the AppID URL that the FIDO Client uses to retrieve the trusted facets list. Internally, the Relying Party Service obtains the trusted facets from the OneSpan Trusted Identity platform API app facets endpoint (GET /fido-uaf-app-facets). The retrieval sequence is as follows:
1. The mobile application, which includes the FIDO Client, requests the AppID URL, for example https://yourwebapp.example.com/AppId, from the Relying Party Service.
2. The Relying Party Service, as the back end of the mobile application, obtains the trusted facets from the OneSpan Trusted Identity platform API app facets endpoint (GET /fido-uaf-app-facets).
3. The API returns the list of facets to the Relying Party Service.
4. The Relying Party Service returns the list to the mobile application.
5. The FIDO Client included in the mobile application verifies that the facet ID of the calling application is included in the list of trusted facets; if it is not, the client refuses to perform the FIDO ceremony with the registered keys.
Trusted facets list
The trusted facets returned by the OneSpan Trusted Identity platform API app facets endpoint, GET /fido-uaf-app-facets, are the facets configured for the FIDO UAF Server Relying Party. Each platform application that must be able to use the registered keys needs its own facet ID in this list, in the platform-specific format below.
Android
For Android devices, the facet ID must be a URI derived from the Base64 encoding of the SHA-1 hash of the APK signing certificate [APK-Signing]: android:apk-key-hash:base64_encoded_sha1_hash-of-apk-signing-cert. Because the hash is taken over the signing certificate, an APK signed with a different key (for example a debug build) has a different facet ID and must be listed separately if it is to be trusted.
Android facet ID example:
"android:apk-key-hash:NTQ3Mjg1Mjk1ODc1NzA1NzQ1ODc1NzM"
iOS
For iOS devices, the facet ID must be the Bundle ID [BundleID] URI of the application: ios:bundle-id:ios-bundle-id-of-app.
iOS facet ID example:
"ios:bundle-id:com.example.foo"
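The following is an added example (not OneSpan code and not taken from this page) that ties together the retrieval sequence above and the two facet ID formats: it derives Android and iOS facet IDs, builds the TrustedFacets JSON document that the Relying Party Service serves at the AppID URL, and performs the client-side membership check that gates the FIDO ceremonies. The page names the GET /fido-uaf-app-facets endpoint but does not show its response, so the call to the OneSpan Trusted Identity platform API is replaced by a constructed stand-in (facets_from_platform_api), and the APK signing certificate bytes are constructed placeholders, not a real certificate.

```python
"""Trusted facets for a FIDO UAF AppID: derivation, publication, client-side check.

Added example. The OneSpan API call is stubbed with constructed data because
the page does not show the response body of GET /fido-uaf-app-facets.
"""
import base64
import hashlib
import json
from typing import List
from urllib.parse import urlsplit

# FIDO UAF 1.0 is the protocol version the TrustedFacets entry is keyed by.
UAF_FACET_VERSION = {"major": 1, "minor": 0}

# Constructed placeholder; a real value is the DER bytes of the APK signing cert.
CONSTRUCTED_ANDROID_CERT_DER = b"constructed-placeholder-not-a-real-certificate"


def android_facet_id(signing_cert_der: bytes) -> str:
    """android:apk-key-hash:<base64(SHA-1(signing certificate DER))>.

    The '=' padding is dropped: SHA-1 of empty input yields
    android:apk-key-hash:2jmj7l5rSw0yVb/vlWAYkK/YBwk, which is the form used
    in the FIDO UAF specification example. Confirm against the facet ID your
    own build produces before submitting it to OneSpan.
    """
    digest = hashlib.sha1(signing_cert_der).digest()
    return "android:apk-key-hash:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def ios_facet_id(bundle_id: str) -> str:
    """ios:bundle-id:<bundle identifier of the app>."""
    if not bundle_id or any(c.isspace() for c in bundle_id):
        raise ValueError("bundle ID must be a non-empty token without whitespace")
    return "ios:bundle-id:" + bundle_id


def app_id_is_valid(app_id: str) -> bool:
    """An AppID must be an absolute https URL; the UAF client rejects anything else."""
    parts = urlsplit(app_id)
    return parts.scheme == "https" and bool(parts.netloc)


def facets_from_platform_api(app_id: str) -> List[str]:
    """Stand-in for the RPS calling GET /fido-uaf-app-facets over TLS.

    Constructed response for this example only; in production the RPS returns
    whatever facets are configured for the Relying Party in Intelligent
    Adaptive Authentication.
    """
    constructed = {
        "https://yourwebapp.example.com/AppId": [
            android_facet_id(CONSTRUCTED_ANDROID_CERT_DER),
            ios_facet_id("com.example.foo"),
        ]
    }
    return list(constructed.get(app_id, []))


def trusted_facets_document(app_id: str) -> str:
    """The JSON the RPS serves at the AppID URL for the FIDO Client to parse."""
    if not app_id_is_valid(app_id):
        raise ValueError(f"AppID must be an https URL, got {app_id!r}")
    body = {
        "trustedFacets": [
            {"version": UAF_FACET_VERSION, "ids": facets_from_platform_api(app_id)}
        ]
    }
    return json.dumps(body)


def client_facet_is_trusted(document: str, own_facet_id: str) -> bool:
    """Client-side check (step 5 of the sequence): refuse unless the calling
    app's facet ID appears in the entry for the client's UAF protocol version.
    Malformed documents and a missing version entry both fail closed."""
    try:
        entries = json.loads(document)["trustedFacets"]
        for entry in entries:
            if entry.get("version") == UAF_FACET_VERSION:
                return own_facet_id in entry.get("ids", [])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
    return False


if __name__ == "__main__":
    doc = trusted_facets_document("https://yourwebapp.example.com/AppId")
    print(doc)
    print("foo trusted:", client_facet_is_trusted(doc, "ios:bundle-id:com.example.foo"))
    print("evil trusted:", client_facet_is_trusted(doc, "ios:bundle-id:com.example.evil"))
```

The facet ID comparison is an exact string match, so the Android entry must be generated from the certificate that actually signs the shipped APK; a debug or per-developer signing key produces a different hash and will be refused by the client unless it is listed as well.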
Metadata statements
The FIDO UAF Server works out-of-the-box with a list of supported FIDO UAF authenticators which are part of the FIDO Alliance Metadata Service version 3.0.
If you intend to use an authenticator that is not included in the FIDO Alliance Metadata Service, ensure that you provide the relevant metadata statements to OneSpan in the v3 format.
For more information about FIDO UAF authenticators supported by the FIDO Alliance Metadata Service, see FIDO UAF-supported authenticators.
Next steps
With this, FIDO UAF is enabled and you are ready to use the supported FIDO UAF operations. For more information on these operations, see the following articles: