- 10 Jan 2025
- 4 Minutes to read
- DarkLight
- PDF
Integration of User Registration and Authenticator Activation Using Orchestration
- Updated on 10 Jan 2025
- 4 Minutes to read
- DarkLight
- PDF
Before the user can use OneSpan Cloud Authentication, they must complete the registration process and activate their authenticator. Once the device is activated, it can be used for login, event, and transaction data signing operations.
User registration and authenticator activation
Prerequisites for the registration operation
The mobile application must be integrated with the Orchestration SDK.
(Optional) Define a static password for users.
Sequence of a registration and activation flow
The user starts the registration process via the User Registration service on the client web application. The user enters a user ID and, optionally, a static password to start the registration operation. The web server then forwards the request to the OneSpan Trusted Identity platform API with a call to the POST /users/register endpoint.
The use of a static password is optional during the registration process. If no static password is entered, the OneSpan Trusted Identity platform (TID) generates a temporary random password only used for this operation.
The TID user account is created.
An unassigned authenticator license is assigned to the newly created account.
With this, the user is registered and an activation password is sent to the web application.
The status of the registration can be checked anytime with a call to the POST /registrations/check-status endpoint.
The client application forwards this activation password to the user. The user either scans the QR code from the web application or manually enters the activation password on the mobile application.
The returned activation password is time-limited (10 minutes). When the user tries to enter the activation password after this time, the authenticator activation fails.
The Orchestration SDK starts the activation of the device. For this, the Orchestration SDK must establish a secure communication tunnel with the Provisioning service.
The Orchestration SDK exchanges multiple activation calls to the Provisioning service to gather the necessary activation data. The Orchestration SDK sends requests to the Provisioning service, and the Provisioning service returns orchestration responses to the Orchestration SDK.
For more detailed information about the activation and the orchestration calls, refer to Features of the Orchestration SDK: Activation.
To integrate the registration flow
Issue a registration request with the POST /users/register endpoint:
Payload:
objectType: "RegisterUserInputEx"
(Optional) cddc:
browserCDDC
fingerprintRaw
fingerprintHash
clientIP
(Optional) staticPassword
userID
Another objectType value RegisterUserInput is currently exposed for the userregister service in the OneSpan Trusted Identity platform API. This value corresponds to the userregister API that was exposed in OneSpan Cloud Authentication 1.3 (January 2021). This objectType value is listed for reasons of backward compatibility and to document a supported (but deprecated) option.
Activation status check
Two methods are available to poll the activation status following the register request—synchronous or asynchronous activation.
Synchronous activation—check status
The client application sends the check-status request that is processed after register only once.
The user application server invokes the POST /registrations/check-status endpoint with the following data:
{ "login": " SomeUserID ", "timeoutSeconds": 60 }
This statement waits for the activation to start. If the user activates the authenticator in 30 seconds, the customer web application will receive the activated response after 30 seconds. If the user does not activate the authenticator within the timeout parameter (60 seconds in this example), the Check Status service will return the following status:
{ "activationStatus": "timeout" }
The customer web application can then decide to retry with a timeout. In this scenario you should retry later without a timeout and restart the activation process. If the user does not activate the authenticator within the session expiration time (10 minutes), the Check Status service will return the following status:
{ "activationStatus": "unknown" }
Asynchronous activation—check status
The client application pools at a certain interval to get the last status information via the POST /registrations/check-status endpoint, with the following data:
{ "login": "SomeUserID" }
When the activation is still pending, the Check Status service will return the following status:
{ "activationStatus": "pending" }
When the activation is successful, the Check Status service will return the following status:
{ "activationStatus": "activated" }
As soon as this is the case, the pending activation status is reset and the Check Status service will return the following status:
{ "activationStatus": "unknown" }
User deregistration and removal of the authenticator assignment
Sequence of a user deregistration and removal of the authenticator assignment
The user starts the deregistration process. The web server forwards the request to the OneSpan Trusted Identity platform API with a call to the POST /users/{userID@domain}/unregister endpoint.
The OneSpan Trusted Identity platform API communicates with the Provisioning service to unassign the authenticator license.
The TID user is deleted from the OneSpan Trusted Identity platform.
To deregister the OneSpan Trusted Identity platform user account
Issue a deregistration request with the POST /users/{userID@domain}/unregister endpoint:
Payload:
objectType: "UnregisterUserInputEx"
(Optional) cddc:
browserCDDC
fingerprintRaw
fingerprintHash
clientIP
Another objectType value UnRegisterUserInput is currently exposed for the userunregister service in the OneSpan Trusted Identity platform API. This value corresponds to the userunregister API that was exposed in OneSpan Cloud Authentication 1.3 (January 2021). This objectType value is listed for reasons of backward compatibility and to document a supported (but deprecated) option.
Next Steps
The next step for a full integration of Intelligent Adaptive Authentication is the Integration of User Login and Event Validation via Notification.