For general information about FIDO UAF concepts, refer to the FIDO UAF Architectural Overview, specifications, and technical glossary provided by the FIDO Alliance.

Overview of the FIDO UAF architecture
A typical FIDO UAF deployment for the Sandbox and Production environments involves the following parties:
Client infrastructure. This includes the FIDO user device with the FIDO UAF client integrated in the mobile application. By default, OneSpan supports the FIDO UAF authenticators which are part of the FIDO Alliance Metadata Service version 3.0.
Relying Party Service (RPS). The back-end server of the mobile application acts as the Relying Party Service. Via a secure connection (TLS certificates), the mobile application delegates FIDO Server responsibilities to the OneSpan Trusted Identity platform API.
OneSpan Trusted Identity platform API. This REST API exposes the FIDO UAF Server functionality via dedicated FIDO endpoints that are available in OneSpan Cloud Authentication.
To configure and onboard the FIDO UAF-based functionalities of OneSpan Cloud Authentication for the Sandbox and Production environments, you can either use the Self-Service Onboarding feature or onboard FIDO UAF with the help of our support staff.
Prerequisites
Before you start the onboarding process with OneSpan, ensure that you completed the following steps:
A mobile application with FIDO UAF client capabilities has been configured.
Your Relying Party Service has been adjusted to be able to connect to the OneSpan Trusted Identity platform API service.
Self-serviced onboarding
The Self-Service Onboarding feature allows you to configure FIDO UAF via the OneSpan Trusted Identity platform REST API endpoints yourself. To enable FIDO UAF in self-service, you need to create the following:
Create match criteria
The match criteria are used in the policy to select which authenticators are allowed or disallowed. To create match criteria, call the POST /uaf-authenticator-types endpoint in the OneSpan Trusted Identity platform REST API. For more information about match criteria and available endpoints, see Manage FIDO UAF authenticator types.
Create a policy
During authenticator registration, a policy is used to determine which authenticator types are allowed or disallowed for use. To create a policy, call the POST /uaf-policies endpoint in the OneSpan Trusted Identity platform REST API. For more information about FIDO UAF policies and available endpoints, see Manage FIDO UAF policies.
Create a Relying Party Resource
To create a Relying Party Resource, call the POST /uaf-relying-parties endpoint in the OneSpan Trusted Identity platform REST API. For more information about relying party resources and available endpoints, see Manage FIDO UAF Relying Party resources.
Your web application is now ready to use the supported FIDO UAF-based operations with OneSpan Cloud Authentication.
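The match criteria and policy created above follow the FIDO UAF protocol's Policy model: a policy lists alternatives of acceptable authenticator sets and, optionally, authenticators that are never acceptable. The following added example (not OneSpan code) illustrates that model in Python. It implements only the aaid and vendorID match criteria; the exact payload fields OneSpan expects for POST /uaf-authenticator-types and POST /uaf-policies are documented in the Interactive API Reference and are not reproduced here. All AAIDs are constructed.

```python
"""FIDO UAF policy evaluation (added example, not OneSpan code).

Models the FIDO UAF protocol's Policy dictionary: 'accepted' is a list of
alternatives (OR), each alternative a set of MatchCriteria that must all be
satisfied by distinct available authenticators (AND); 'disallowed' excludes
any authenticator it matches. Only the aaid and vendorID criteria are
implemented. OneSpan's own payload fields are in its Interactive API
Reference and are not reproduced here; all AAIDs below are constructed.
"""
from typing import Optional


def vendor_id(aaid: str) -> str:
    """An AAID has the form 'VVVV#AAAA'; the vendor ID is the part before '#'."""
    return aaid.split("#", 1)[0]


def criteria_match(criteria: dict, authenticator: dict) -> bool:
    """A MatchCriteria matches when every field it specifies is satisfied."""
    if "aaid" in criteria and authenticator["aaid"] not in criteria["aaid"]:
        return False
    if "vendorID" in criteria and vendor_id(authenticator["aaid"]) not in criteria["vendorID"]:
        return False
    return True


def eligible_authenticators(policy: dict, available: list) -> list:
    """Apply 'disallowed' first: anything matching any disallowed criteria is excluded."""
    disallowed = policy.get("disallowed", [])
    return [a for a in available if not any(criteria_match(c, a) for c in disallowed)]


def select_authenticators(policy: dict, available: list) -> Optional[list]:
    """Return the authenticators satisfying the first accepted alternative
    (one distinct authenticator per MatchCriteria in it, chosen greedily),
    or None if no alternative can be satisfied."""
    pool = eligible_authenticators(policy, available)
    for alternative in policy["accepted"]:
        chosen, remaining = [], list(pool)
        for criteria in alternative:
            match = next((a for a in remaining if criteria_match(criteria, a)), None)
            if match is None:
                break
            chosen.append(match)
            remaining.remove(match)
        else:
            return chosen
    return None


# Constructed policy: accept vendor 1234's model 0001 on its own, or any vendor
# ABCD authenticator together with 1234#0002; never accept ABCD#9999.
SAMPLE_POLICY = {
    "accepted": [
        [{"aaid": ["1234#0001"]}],
        [{"vendorID": ["ABCD"]}, {"aaid": ["1234#0002"]}],
    ],
    "disallowed": [{"aaid": ["ABCD#9999"]}],
}

# Constructed list of authenticators reported by a device.
SAMPLE_DEVICE = [
    {"aaid": "ABCD#9999"},
    {"aaid": "1234#0002"},
    {"aaid": "ABCD#0001"},
]


if __name__ == "__main__":
    chosen = select_authenticators(SAMPLE_POLICY, SAMPLE_DEVICE)
    print([a["aaid"] for a in chosen])  # ['ABCD#0001', '1234#0002']
```

Note that the disallowed list is applied before any alternative is evaluated, so a disallowed authenticator can never help satisfy an accepted set; a policy that blocks an authenticator type therefore works regardless of which alternative the device would otherwise match.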
Onboard FIDO UAF with OneSpan Support
To onboard FIDO UAF with our support staff and to enable the integration of FIDO UAF-based functionalities with OneSpan Cloud Authentication for the Sandbox and Production environments, you must provide the following information so that the FIDO UAF Server can be configured correctly:
Tenant name
AppID of your mobile application
Trusted facets list
(If required) Metadata statements
To enable FIDO UAF for the Sandbox and Production environments, submit a service request on the Product Support page by clicking the corresponding button.
Tenant name
Ensure that you have already created a tenant. To enable FIDO UAF, provide the tenant name to OneSpan Support; our support staff will activate FIDO UAF for you.
AppID
When you set up FIDO UAF, you must configure the AppID, which is a URL used to scope the registered keys to different platform applications. From this AppID, a list of trusted facets is retrieved. This list of trusted facets is defined and stored in OneSpan Cloud Authentication during the configuration of the Relying Party.
On the client side, the FIDO Client ensures that only the trusted facets are allowed to work with the registered keys for performing the FIDO ceremonies.
As the mobile application is not connected directly to the OneSpan Trusted Identity platform API, the Relying Party Service must expose the AppID that is used to retrieve the trusted facets list to the FIDO client. Internally, the Relying Party Service obtains the trusted facets from the OneSpan Trusted Identity platform API app facets endpoint (GET /fido-uaf-app-facets).

Figure: Trusted facets list retrieval process
Sequence of the trusted facets list retrieval
The mobile application, which includes the FIDO Client, retrieves the AppID: https://yourwebapp.example.com/AppId.
The Relying Party Service, as the back end of the mobile application, obtains the trusted facets from the OneSpan Trusted Identity platform API app facets endpoint (GET /fido-uaf-app-facets).
The API returns the list of facets to the Relying Party Service.
The Relying Party Service returns the list to the mobile application.
The FIDO Client included in the mobile application verifies that the facet is included in the list of trusted facets.
Trusted facets list
The trusted facets returned by the OneSpan Trusted Identity platform API app facets endpoint, GET /fido-uaf-app-facets, are used for the configuration of the FIDO UAF Server Relying Party.
Android
For Android devices, the facet ID must be a URI derived from the Base64-encoded SHA-1 hash of the APK signing certificate [APK-Signing]: android:apk-key-hash:base64_encoded_sha1_hash-of-apk-signing-cert.
Android facet ID example:
"android:apk-key-hash:NTQ3Mjg1Mjk1ODc1NzA1NzQ1ODc1NzM"
iOS
For iOS devices, the facet ID must be the Bundle ID [BundleID] URI of the application: ios:bundle-id:ios-bundle-id-of-app.
iOS facet ID example:
"ios:bundle-id:com.example.foo"
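The retrieval sequence and facet ID formats above can be exercised end to end. The following added example (not OneSpan code) shows, in Python, the two roles involved: the Relying Party Service serving the TrustedFacets document at its AppID URL, in the structure the FIDO UAF protocol defines, and the FIDO client check that a calling app's facet ID is on that list. The AppID URL and facet IDs are constructed values standing in for what GET /fido-uaf-app-facets returns; the Android facet ID derivation follows the FIDO UAF specification's example, which omits Base64 padding.

```python
"""Trusted facets for a FIDO UAF AppID (added example, not OneSpan code).

Two roles are shown: the Relying Party Service that serves the TrustedFacets
document at its AppID URL, and the FIDO client check that a calling app's
facet ID is on that list. The AppID URL and facet IDs are constructed.
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

# Media type the FIDO UAF AppID and Facet specification requires for the document.
TRUSTED_APPS_MIME = "application/fido.trusted-apps+json"

# Constructed stand-ins for the AppID and for the facet list the RPS would obtain
# from the OneSpan API endpoint GET /fido-uaf-app-facets.
APP_ID = "https://yourwebapp.example.com/AppId"
FACET_IDS_FROM_API = [
    "ios:bundle-id:com.example.foo",
    "android:apk-key-hash:2jmj7l5rSw0yVb/vlWAYkK/YBwk",  # SHA-1 of empty input, for illustration
]


def android_facet_id(signing_cert_der: bytes) -> str:
    """android:apk-key-hash:<Base64(SHA-1(APK signing certificate))>.

    The FIDO UAF spec example omits Base64 padding, so it is stripped here; the
    registered value must match byte for byte what the FIDO client on the device computes.
    """
    digest = hashlib.sha1(signing_cert_der).digest()
    return "android:apk-key-hash:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def ios_facet_id(bundle_id: str) -> str:
    """ios:bundle-id:<bundle identifier of the app>."""
    return "ios:bundle-id:" + bundle_id


def build_trusted_facets(facet_ids) -> dict:
    """TrustedFacets document in the FIDO UAF 1.0 structure, with one version entry."""
    return {
        "trustedFacets": [
            {"version": {"major": 1, "minor": 0}, "ids": sorted(set(facet_ids))}
        ]
    }


def app_id_response(facet_ids) -> tuple:
    """RPS side: status, headers and body served at the AppID URL."""
    body = json.dumps(build_trusted_facets(facet_ids), separators=(",", ":"))
    return 200, {"Content-Type": TRUSTED_APPS_MIME}, body


def facet_is_trusted(app_id: str, response_headers: dict, response_body: str,
                     caller_facet_id: str, version=(1, 0)) -> bool:
    """FIDO client side: reject a non-HTTPS AppID or a wrong media type, then
    check that the caller's facet ID is listed for the requested UAF version."""
    if urlparse(app_id).scheme != "https":
        return False
    if response_headers.get("Content-Type", "").split(";")[0].strip() != TRUSTED_APPS_MIME:
        return False
    try:
        doc = json.loads(response_body)
    except ValueError:
        return False
    for entry in doc.get("trustedFacets", []):
        v = entry.get("version", {})
        if (v.get("major"), v.get("minor")) == version:
            return caller_facet_id in entry.get("ids", [])
    return False


if __name__ == "__main__":
    status, headers, body = app_id_response(FACET_IDS_FROM_API)
    print(status, headers["Content-Type"])
    print(body)
    print(facet_is_trusted(APP_ID, headers, body, "ios:bundle-id:com.example.foo"))  # True
    print(facet_is_trusted(APP_ID, headers, body, "ios:bundle-id:com.example.bar"))  # False
```

The client-side check is where the AppID scoping described above is enforced: an app whose signing certificate or bundle ID is not in the list cannot use the registered keys, and a list fetched over plain HTTP is rejected outright. When you hand the facet list to OneSpan, compare it against what your FIDO client actually computes on a device, since a padding or encoding mismatch in the Android hash silently excludes the app.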
Metadata statements
The FIDO UAF Server works out-of-the-box with a list of supported FIDO UAF authenticators which are part of the FIDO Alliance Metadata Service version 3.0.
If you intend to use an authenticator that is not included in the FIDO Alliance Metadata Service, ensure that you provide the relevant metadata statements to OneSpan in the v3 format.
For more information about FIDO UAF authenticators supported by the FIDO Alliance Metadata Service, see FIDO UAF-supported authenticators.
Managing FIDO UAF resources
You can manage the different FIDO UAF resources by using the following OneSpan Trusted Identity platform REST API endpoints. For up-to-date information about endpoint payloads and responses, refer to the Interactive API Reference.
| Activity | Endpoint to call |
|---|---|
| Manage FIDO UAF Relying Parties | |
| Create a new FIDO UAF Relying Party Resource | POST /uaf-relying-parties |
| Query FIDO UAF Relying Party Resources | |
| Update an existing FIDO UAF Relying Party Resource | |
| Manage FIDO UAF policies | |
| Create a new FIDO UAF policy | POST /uaf-policies |
| Retrieve all existing FIDO UAF policies | |
| View a FIDO UAF policy | |
| Delete a FIDO UAF policy | |
| Update a FIDO UAF policy | |
| Manage FIDO UAF authenticator types | |
| Create a new FIDO UAF authenticator type | POST /uaf-authenticator-types |
| Query all FIDO UAF authenticator types | |
| View a FIDO UAF authenticator type | |
| Delete a FIDO UAF authenticator type | |
| Update a FIDO UAF authenticator type | |
Next steps
FIDO UAF is now enabled and you are ready to use the supported FIDO UAF operations. For more information on these operations, see the following articles: