Authentication

Authentication, or "AuthN," is the process of proving identity with sufficient confidence and establishing a secure connection between the end-user and the service.

Authorization

Authorization, or "AuthZ," is the process of granting access to resources based on various constraints, including actions, permissions, policies, and other attributes.

Accounting

Accounting, or "Auditing," refers to the process of monitoring events and logging records of who accessed what resources, when, and the actions taken within an audit trail.

The Identity Hub is a centralized system that enables administrators to configure and manage all aspects of identity service.

Key Features for Hub Administrators

Entities

• User Management: Create, update, and deactivate user accounts from a centralized interface.

• Organization Management: Manage multiple organizations within the system, ensuring appropriate access and permissions for each.

• SCIM Management: Implement and manage System for Cross-domain Identity Management (SCIM) for user provisioning and management.

Security

Access Control

• OAuth Management: Configure and manage OAuth authorization settings for secure access to applications.

• JWKS Management: Handle JSON Web Key Sets (JWKS) for signing and encrypting tokens to enhance security.

• OAuth2 Metadata Management: Manage OAuth2 metadata for clients and authorization servers to streamline integration.

• OAuth Client Management: Configure and manage OAuth clients, controlling their permissions and settings.

• Protected Resource Management: Define and manage resources that require protection through access controls.

• Audit Log Management: Monitor user activities and changes with detailed audit logs for compliance and oversight.

• Account Recovery Management: Assist end-users in recovering their accounts if they forget their credentials or become locked out.

• Account Registration Management: Oversee the registration process, ensuring it meets organizational standards and compliance requirements.

• Application Access Control: Manage access to multiple applications and control which users can use single sign-on (SSO).

• Consent Management Administration: Configure and manage consent settings for data sharing and privacy preferences on behalf of end-users.

• Data Access Request Management: Handle user requests for accessing personal data, data exports, and account deletions to ensure compliance with data protection regulations.

• Identity Verification Configuration: Set parameters for identity verification processes, enhancing security during user access.

• Notifications and Alerts Setup: Configure notifications and alerts for important events, such as account lockouts or suspicious activities.

• Profile Management Control: Assist in managing end-user profiles, allowing for updates and changes to personal information.

• Session Management Oversight: Monitor and manage user sessions to ensure account security and mitigate potential security risks.

• Reporting and Analytics Tools: Generate reports on user activity, access patterns, and system performance for informed decision-making.

• Integration Management: Manage integrations with third-party applications and services to ensure seamless connectivity and data flow.

• Authentication Management: Set and manage authentication methods, including multi-factor authentication (MFA) and passwordless options.

• Authentication Policies Configuration: Enforce authentication methods for end-users, such as passkeys, biometrics, and passwords.

Overview

TF Platform provides Identity as a Service (IDaaS), handling both authentication (confirming user identity) and authorization (managing access to resources) for your applications.

When to Consider the IDaas?

1. You Want to Secure User Authentication Enable multiple secure login options for users, including traditional usernames and passwords, passwordless methods like SMS, email, or passkeys, and Single Sign-On (SSO).

2. You Want to Implement Single Sign-On (SSO) Allow users to sign in once and access all applications without the need to remember separate credentials.

3. You Want to Enforce Multifactor Authentication (MFA) Enforce additional layers of authentication using methods such as passkeys, SMS, email, or biometric authentication to enhance security.

4. You Want Centralized Identity Management Manage all user identities from a single dashboard, streamlining administration and reducing complexity.

5. You Want to Secure Your APIs Protect your APIs with the OAuth 2.0 framework, ensuring that only authorized users can access your services.

6. You Want to Support Hybrid Environments Seamlessly manage identities across on-premises, cloud, and hybrid applications for a consistent user experience.

7. You Want Cross-Platform Security Ensure secure interactions between your web and mobile applications and APIs across various platforms.

8. You Want to Manage User Access Customize authorization policies based on user roles or relationships to control access effectively and ensure appropriate permissions.

9. You Want Compliance and Regulatory Support Automatically meet compliance requirements with built-in features for:

   • NIS2 (Network and Information Systems Directive)

   • ISO/IEC 27001 (Information Security Management)

   • SOC 2 (Service Organization Control 2)

   • GDPR (General Data Protection Regulation)

   • HIPAA (Health Insurance Portability and Accountability Act)

To govern access to services our platform supports two types of access control models: RBAC (Role-based Access Control) and ABAC (Attribute-based Access Control) through Open Policy Agent using REGO language.

Understanding RBAC

RBAC is an access control model that restricts access to resources based on predefined roles. Each role is associated with a distinct name and has a predefined set of permissions and policies.

Hierarchical Role Assignment

Our service allows roles to be assigned to users, companies, and groups, creating a hierarchical structure for role assignments.

Practical Approach

Our recommendation is to establish and assign roles to groups instead of individual users. By utilizing groups, it facilitates the easy addition or removal of users and ensures consistent permissions for all group members.

How do we recommend using roles within your services?

By reading the role from introspection of the access token

allow if {

user_is_manager

}


user_is_owner if data.user_attributes\[input.user\].title == "manager"

By Using Policy Decision Point (Recommended)

if (response.allow) {

   // Allow access to the resource

} else {

  res.status(403).send('Unauthorized');

}

ABAC

ABAC is an access control model that restricts access to resources based on attributes. These attributes may include permissions, policies, departments, locations, IP addresses, and time conditions. These attributes can be assigned to users, groups, applications, or other entities.

if (

   attributes.includes("role:manager") &&

   attributes.includes("permission:read:document") &&

   attributes.includes("department:marketing") &&

   attributes.includes("location:office") &&

   attributes.includes("origin: 192.168.0.1") &&

) {

   // Allow access to the resource

} else {

   // Deny access

}

Authorization Protocols

Our platform utilizes the Open Authorization 2.1 (OAuth) standards to grant access to resources per the access control models outlined in the previous chapter. The OAuth standard defines four important roles:

The Resource Owner (RO)

• Definition: The Resource Owner is an entity with the authority to grant access to a protected resource. This entity may be an individual (end-user), or an organization.

• Sidenote: Delegated access happens when Resource Owners grant authorization to other entities, such as organizations, individual users, or applications, to perform actions on behalf of the Resource Owner.

The Resource Server (RS)

• Definition: The Resource Server is an application hosting the protected resources. It handles requests for these resources from the Client and makes them available via an API after access token validation.

Sidenote: The Resource Server responds to these requests by validating the provided access tokens through various methods to ensure they are valid and authorize the request.

The Client

• Definition: The Client is an application making requests for protected resources on behalf of the Resource Owner, with the Resource Owner's authorization obtained through the OAuth process.

Sidenote: The Client can be deployed on a variety of platforms, including but not limited to virtual machines, bare metal servers, desktops, edge devices, and IoT devices.

The Authorization Server (AS)

• Definition: The Authorization Server is an application responsible for issuing access tokens to the Client following successful authentication of the Resource Owner and obtaining authorization.

To authorize end-users, we utilize the Authorization Code Flow with Proof Key for Code Exchange (PKCE). This can be implemented using client libraries for the following use cases:

• Mobile Applications

• Native Applications

• SaaS Platforms

• Websites

• Desktop Applications

• Single Sign-On (SSO)

To authorize applications, we utilize the Client Credential Flow. Which can be implemented using client libraries for the following use cases:

• Scheduled Tasks and Cron Jobs

• Data Synchronization

• System-to-system integrations

• Inter-Microservice Communication

• Internet of Things (IoT) Device Communication

• Automated Testing Environment

Still pending…

The Application Programming Interface (API)

• The API acts as a communication channel between applications, enabling them to interact and exchange information with each other.

• Supported Protocols: HTTP APIs & RESTful APIs

• Protocols examples: HTTPS, RESTful APIs, SIP, SRTP, gRPC, AMQPS etc.

Privileges

Privileges are permissions assigned to an individual or groups. Privileges can be inherited by an overlapping entity.

Groups

Groups refers to collections of users or other entities that share a common set of privileges.

Permissions

Permissions refer to the declaration of actions that can be performed on a specific resource by a user or an application.

Scope

Scope refers to what an application can do on behalf of the user.

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) involves users providing their username and password, which the system then checks against a centralized database for verification.

Process:

1. User Input: Users start by entering their credentials, comprising a username and password.

2. Credential Verification: The system checks these credentials against a central database to confirm their accuracy.

3. Authentication: If the provided credentials match those in the database, the user is successfully authenticated, gaining access to the system

Time-based One-Time Passwords (TOTP) Protocol

TOTP Protocol is a time-sensitive method for generating one-time passwords. It can be deployed through channels such as email, SMS, and authenticator applications.

Process:

1. Setup: Exchange of a shared secret key between the authentication server and the user's device.

2. Synchronization: Both server and device synchronize their clocks to a common time reference.

3. OTP Generation: TOTP algorithm generates a unique one-time password using the shared key and current time.

4. User Authentication: User enters the OTP generated by their device. If it matches the server's calculated OTP, authentication is successful.

Open Identity Protocol (OpenID)

OpenID, an open standard and decentralized authentication protocol, enables user authentication through a third-party identity provider (IdP) service.

Process:

1. User Authentication Request: Users can be authenticated on collaborating sites (relying parties) using a third-party identity provider (IdP) service.

2. IdP Verification: The third-party identity provider verifies the user using its authentication mechanism.

3. Successful Authentication: If the user is successfully authenticated at the IdP, access is granted at the relying party's site, ensuring a secure and streamlined authentication process.

Universal Authentication Framework (UAF)

The Universal Authentication Framework (UAF) is a protocol developed by the FIDO Alliance, providing a secure and passwordless authentication solution.

Process:

1. During registration, the user associates their device with the online service.

2. The user selects a local authentication mechanism, such as swiping a finger, using facial recognition, speaking into the microphone, or entering a PIN.

3. This mechanism generates a private key that is used to sign a challenge issued by the FIDO UAF Server.

Mutual TLS (mTLS)

Mutual TLS extends the TLS protocol to achieve mutual authentication between the client and server by requiring both parties to present valid X.509 certificates.

Process:

1. Client Certificate Presentation: The client presents its X.509 certificate to the server during the SSL/TLS handshake.

2. Server Verification: The server verifies the client's certificate, ensuring its validity and proper signing by a trusted Certificate Authority (CA).

3. Server Certificate Presentation: The server presents its X.509 certificate to the client during the SSL/TLS handshake.

4. Client Verification: The client verifies the server's certificate, ensuring its validity and appropriate signing by a trusted CA.

5. Successful Authentication: If both certificates pass verification, mutual authentication is achieved, and a secure communication channel is established.

1. Overview and Dashboard

• System Overview

• User Statistics

• Security Alerts

• Compliance Status

• Performance Metrics

OAuth 2.0 Authorization Code Flow with PKCE

This document outlines the OAuth 2.0 Authorization Code Flow with PKCE, detailing the steps, endpoints, request payloads, and responses involved in initiating and completing user authentication without a client secret.

1. User Initiates OAuth Flow

Action: User Redirect to Authorization Server

Purpose: The user initiates the OAuth flow by redirecting to the authorization server to request authorization.

Redirection URL Format:

https://auth.example.com/authorize?client_id=client123&redirect_uri=https://app.example.com/callback&response_type=code&scope=openid profile email&code_challenge=challengeValue&code_challenge_method=S256

• Parameters:

  • client_id: The ID of the client application (e.g., client123).

  • redirect_uri: The URI where the authorization server will send the user after authorization.

  • response_type: The type of response desired (e.g., code).

  • scope: The scopes requested (e.g., openid profile email).

  • code_challenge: A transformed value of the code_verifier (see step 3).

  • code_challenge_method: Method used to derive the code_challenge (typically S256).

2. Authorization Server Redirects to Authentication Server

Action: Redirect to Authentication Server

Purpose: After validating the initial request, the authorization server redirects the user to the authentication server to initiate authentication if the session cookie is present. If the session cookie is not present, all authentication steps must be completed before proceeding.

Redirection URL:

https://auth.example.com/authentication/start?client_id=client123&redirect_uri=https://app.example.com/callback&response_type=code&scope=openid profile email&code_challenge=challengeValue&code_challenge_method=S256

3. Initiate Authentication

Endpoint: POST /authentication/start

Purpose: Starts the authentication process, retrieves available authentication methods, and returns a session cookie.

Request Payload:

{
  "identifier": "user@example.com",
  "client_id": "client123",
  "redirect_uri": "https://app.example.com/callback",
  "response_type": "code",
  "scope": "openid profile email",
  "code_challenge": "challengeValue",
  "code_challenge_method": "S256"
}

Response:

{
  "session_id": "auth_session_123456",
  "available_methods": ["password", "sms", "email", "sso", "passkey", "whatsapp"],
  "required_steps": 2,
  "next_step": 1
}

Session Cookie: Upon successful initiation, the server sets a session cookie in the user's browser to track the authentication session. This cookie should be sent with subsequent requests to maintain the session context.

4. Check Authentication Status

Endpoint: GET /authentication/status

Purpose: Checks the current status of the authentication session based on the session cookie.

Query Parameters:

• session_id: The ID of the authentication session (e.g., auth_session_123456).

Response:

{
  "session_id": "auth_session_123456",
  "status": "pending",
  "completed_steps": 0,
  "remaining_steps": 2,
  "next_step": 1
}

5. Perform Authentication Step

Endpoint: POST /authentication/authenticate

Purpose: Processes the specified authentication step based on the selected method.

Request Payloads for Different Authentication Methods:

• Password Authentication:

  Endpoint: POST /authentication/authenticate

  Request Payload:

  Copy

  {
    "session_id": "auth_session_123456",
    "method": "password",
    "username": "user@example.com",
    "password": "securepassword123",
    "client_id": "client123",
    "redirect_uri": "https://app.example.com/callback",
    "response_type": "code",
    "scope": "openid profile email",
    "code_challenge": "challengeValue",
    "code_challenge_method": "S256"
  }

• SMS Authentication:

  Endpoint: POST /authentication/authenticate

  Request Payload:

  Copy

  {
    "session_id": "auth_session_123456",
    "method": "sms",
    "phone_number": "+1234567890",
    "client_id": "client123",
    "redirect_uri": "https://app.example.com/callback",
    "response_type": "code",
    "scope": "openid profile email",
    "code_challenge": "challengeValue",
    "code_challenge_method": "S256"
  }

• Email Authentication:

  Endpoint: POST /authentication/authenticate

  Request Payload:

  Copy

  {
    "session_id": "auth_session_123456",
    "method": "email",
    "email": "user@example.com",
    "client_id": "client123",
    "redirect_uri": "https://app.example.com/callback",
    "response_type": "code",
    "scope": "openid profile email",
    "code_challenge": "challengeValue",
    "code_challenge_method": "S256"
  }

• SSO Authentication:

  Endpoint: POST /authentication/authenticate

  Request Payload:

  Copy

  {
    "session_id": "auth_session_123456",
    "method": "sso",
    "provider": "google",
    "client_id": "client123",
    "redirect_uri": "https://app.example.com/callback",
    "response_type": "code",
    "scope": "openid profile email",
    "code_challenge": "challengeValue",
    "code_challenge_method": "S256"
  }

• Passkey Authentication:

  Endpoint: POST /authentication/authenticate

  Request Payload:

  Copy

  {
    "session_id": "auth_session_123456",
    "method": "passkey",
    "challenge": "randomChallenge123",
    "response": {
      "id": "credentialId",
      "rawId": "base64EncodedRawId",
      "type": "public-key",
      "response": {
        "clientDataJSON": "base64EncodedClientData",
        "authenticatorData": "base64EncodedAuthData",
        "signature": "base64EncodedSignature",
        "userHandle": "base64EncodedUserHandle"
      }
    },
    "client_id": "client123",
    "redirect_uri": "https://app.example.com/callback",
    "response_type": "code",
    "scope": "openid profile email",
    "code_challenge": "challengeValue",
    "code_challenge_method": "S256"
  }

• WhatsApp Authentication:

  Endpoint: POST /authentication/authenticate

  Request Payload:

  Copy

  {
    "session_id": "auth_session_123456",
    "method": "whatsapp",
    "phone_number": "+1234567890",
    "client_id": "client123",
    "redirect_uri": "https://app.example.com/callback",
    "response_type": "code",
    "scope": "openid profile email",
    "code_challenge": "challengeValue",
    "code_challenge_method": "S256"
  }

Response:

{
  "session_id": "auth_session_123456",
  "status": "success",
  "completed_steps": 1,
  "remaining_steps": 1,
  "next_step": 2
}

6. Verify OTP (for SMS, Email, or WhatsApp)

Endpoint: POST /authentication/verify-otp

Purpose: Verifies the one-time password (OTP) received via SMS, email, or WhatsApp.

Request Payload:

{
  "session_id": "auth_session_123456",
  "otp": "123456",
  "client_id": "client123",
  "redirect_uri": "https://app.example.com/callback",
  "response_type": "code",
  "scope": "openid profile email",
  "code_challenge": "challengeValue",
  "code_challenge_method": "S256"
}

Response:

{
  "session_id": "auth_session_123456",
  "status": "success",
  "completed_steps": 2,
  "remaining_steps": 0,
  "next_step": null
}

7. Complete Authentication

Endpoint: POST /authentication/complete

Purpose: Confirms the completion of all required authentication steps.

Request Payload:

{
  "session_id": "auth_session_123456",
  "client_id": "client123",
  "redirect_uri": "https://app.example.com/callback",
  "response_type": "code",
  "scope": "openid profile email",
  "code_challenge": "challengeValue",
  "code_challenge_method": "S256"
}

Response:

{
  "session_id": "auth_session_123456",
  "status": "completed"
}

8. Redirect Back to Authorization Server

Endpoint: GET /authorize

Purpose: Redirects the user back to the authorization server to obtain an authorization code.

Query Parameters:

• client_id: The ID of the client application (e.g., client123).

• redirect_uri: The URI where the authorization server will send the authorization code.

• response_type: The type of response desired (e.g., code).

• scope: The scopes requested (e.g., openid profile email).

• state: A unique state value to maintain state between the request and callback.

• code_challenge: The previously used code challenge.

• code_challenge_method: The method used to create the code challenge.

Identity Mapping

The branding configuration for the Identity Self-Service Portal enables administrators to customize the portal's visual identity to align with their brand. This includes modifying logos, theme colors, fonts, and favicons.

Accessibility Compliance Our accessibility checker ensures that dark and light modes comply with Web Content Accessibility Guidelines (WCAG). This tool helps maintain sufficient contrast between text and background, enhancing readability and accessibility for all users.

Steps to Configure Branding in the Identity Self-Service Portal Builder

1. Open the Identity Self-Service Portal Builder Navigate to the Identity Self-Service Portal Builder page within the platform.

2. Access Branding Configuration Locate and click on the branding configuration section.

3. Upload Logos

   • Light Theme Logo: Click on the option to upload an image for the light theme logo. Ensure the image is in either PNG or SVG format.

4. Set Theme Colors

   • Enter the primary color using a valid hexadecimal code (e.g., #ff5733). Ensure the color falls within the specified range.

5. Upload Favicon

   • Click to upload a favicon in ICO, PNG, or SVG format. This favicon will appear in the browser tab.

6. Configure Fonts

   • Select a font family from the dropdown menu, which includes the top 15 supported UI fonts for use throughout the portal.

7. Run Accessibility Checker

   • After making your changes, use the accessibility checker to verify compliance with Web Content Accessibility Guidelines (WCAG) for both dark and light modes.

8. Save Changes

   • Once you have completed all branding configurations, click Save to apply the new settings to the portal.

Steps to configure the Registration Workflow Editor:

1. Navigate to the Identity Hub.

2. Access the Identity Self-Service Portal Builder:

   • Select Identity Self-Service Portal Builder from the main menu.

3. Open the Registration settings:

   • Click on the Workflow Editor tab.

4. Configure Registration Steps:

   • Add, edit, or remove registration steps in the workflow.

5. Set Step Properties:

   • For each step, specify the following:

     • Component Type: Choose from available registration components (e.g., Email, Phone Number, Terms and Conditions).

     • Display Mode: Set visibility options for each step (e.g., required, optional, hidden).

6. Save Configuration:

   • Click the Save button to apply changes to the registration workflow.

Steps to Configure SEO Settings for the Identity Self-Service Portal

1. Go to SEO Settings: From the Identity Self-Service Portal Builder page, navigate to the SEO settings section.

2. Update Metadata: Enter the page title, meta description, and up to 10 relevant meta keywords.

3. Set Search Visibility: Enable or disable the portal’s visibility on search engines as needed.

Signed Cookies

Authenticate a user and provide them with a time-limited token for accessing your protected content. 

Access Token

An access token refers to a token that a client can use to call endpoints.

Access tokens refer to tokens that enable clients to securely call protected endpoints. They contain information about the user and the resource for which it is intended.

Authorization Code

An authorization code is a one-time use token which is generated during the authorization request after authentication. The client can exchange this authorization code with the authorization server for an access_token.

Refresh Token

A refresh token refers to a one-time-use token that a client can use to exchange for a renewed access token and extend the duration of the privileged session. To obtain a refresh token, you need to include the ‘offline_access’ scope when you initiate an authorization request, and the user must authorize the ‘offline_access’ scope.

ID Token

ID tokens refer to tokens which clients can use to identify a user, they contain information based on the requested claims & scope.

Steps to Enable User Self-Registration:

1. Navigate to the Identity Hub.

2. Access the Identity Self-Service Portal Builder:

   • Select Identity Self-Service Portal Builder from the main menu.

3. Open the Registration Tab:

   • Click on the Registration tab.

4. Enable User Registration:

   • Toggle the User Registration option to the preferred state.

Once you enable this setting, a Register link will appear on the login page of the selected Identity Self-Service Portal, allowing users to create their accounts.

The Identity Self Service Portal Builder enables you to customize Identity Self Service Portal User Self-Service Portal

The User Self-Service Portal gives you full control over your account management. Whether you need to log in, register, recover your account, or manage your privacy settings, this portal offers all the essential features. Below are the main functionalities, each with links to more detailed instructions for ease of use.

Choose Your Onboarding Configuration

TF Platform-hosted Self Service Portal

This option offers a fully managed solution where users can authenticate, authorize, and manage their profiles through a TF Platform-hosted web form, customized with your brand’s name, colors, and icon. The form is generated using the Identity Hub API, ensuring robust data validation, compliance with global regulations, and seamless localization. TF Platform handles the complete identity lifecycle, including authentication, authorization, consent management, session management, and profile management.

Recommended for: Teams that want an out-of-the-box solution with minimal integration effort, where TF Platform manages all aspects of identity and access management (IAM).

API-Driven Self Service Portal

With this approach, you use the Identity Self Service API to build and maintain a fully customized identity management experience. Your application manages all key components—authentication, authorization, consent, session, and profile management—tailored to your specific business needs. You’ll have full control over the integration of various authentication methods (e.g., multi-factor authentication, biometrics), localization, and compliance requirements. Regular updates are required to meet evolving security and regulatory standards.

Recommended for: Organizations with the technical capacity to manage the complexities of a custom IAM solution, offering full control over authentication, authorization, and user experience. This is ideal for teams that require greater flexibility and customization for security and identity management processes.

Enable Self-Registration

You can for your users using the TF Platform. When enabled, this feature adds a registration link to the login page, allowing end-users to register their own accounts.

Configurable States for Workflow Components

Each component of the registration workflow can be assigned one of three states:

• Required: The end-user must complete this step to proceed with registration.

• Optional: The end-user can choose to skip this step.

• Hidden: This step will not be visible to the end-user.

Self-Registration Process Overview

The self-registration process involves five steps designed to enhance security and personalize account setup. Each step can be assigned one of the three states mentioned above.

Step 1: Email Verification

End-users must verify their email addresses using a Time-Based One-Time Password (TOTP) sent to their registered email. This step is required by default.

Step 2: Terms of Service Agreement

After verifying their email, end-users can review and accept the Terms of Service. This step can be marked as required, optional, or hidden.

Step 3: Profile Completion

End-users can provide additional information for their profiles, such as their name, gender, date of birth, and address details. This step can be assigned as required, optional, or hidden.

Step 4: Phone Number Verification

For added security, end-users can verify their phone numbers using TOTP. This step can be set as required, optional, or hidden.

Step 5: Username and Password Creation

End-users can create a unique username and a strong password that meets specified security criteria. This step can also be marked as required, optional, or hidden.

Manual Process

The manual identity verification process involves several steps:

1. Data Collection:

   • Collect the user's personal data, including name, address, date of birth, etc.

   • Obtain a copy of a government-issued ID (passport, driver's license, etc.).

2. **

Steps to Create a Client

1. Navigate to Client Management Page: Access the admin interface and locate the client management section.

2. Select Client Type: Choose between creating a Public or Confidential client.

3. Configure Settings:

   • Public Clients: Configure settings like redirect URIs, allowed scopes, and grant types.

   • Confidential Clients: Securely store client secrets, configure redirect URIs, and apply advanced security settings such as token endpoint authentication.

4. Save and Register: Once all configurations are made, save the settings and confirm client registration.

Search Functionality

• Quickly locate specific users by entering keywords such as usernames, emails, or IDs, with instant results for efficient navigation.

Filtering Options

• Narrow down the user list based on criteria like roles (admin, viewer), status (active, inactive), or registration date, allowing for customized views and precise selection.

Pagination

• View users in manageable chunks, making navigation easier with options to jump between pages or select how many users to display at once.

Bulk Actions (Optional)

• Perform mass updates on selected users, such as role changes or status updates, streamlining administrative tasks for larger user bases.

The account recovery request functionality is available for users of the Identity Hub with available authentication methods of If a user would If your user is connected to an external identity provider, account recovery must be done from the external identity provider.

This feature gives administrators a streamlined tool to manage Data Subject Access Requests, ensuring full compliance with data privacy regulations directly from the Identity Platform.

Steps to Manage Data Subject Requests

1. Access the Identity Hub:

   • Navigate to the Identity Hub within the platform.

2. Select the Relevant User:

   • Locate and select the user who submitted the DSAR.

3. Navigate to the User Profile:

   • Open the selected user’s profile page for detailed information.

4. Process the Request:

   • Choose the “Data Subject Requests” option to view and handle specific requests:

     • Access Request: Retrieve the user’s personal data.

     • Correction Request: Update or correct inaccurate or incomplete data.

     • Deletion Request: Permanently erase personal data from the system.

     • Export Request: Generate and provide personal data in a structured, machine-readable format.

.

The SEO settings feature in the Identity Self-Service Portal Builder allows administrators to control how the portal appears in browsers & search engine results.

It enables you to Configure SEO settings such as page titles, descriptions & keywords.

Overview

The Identity Self-Service Portal (SSP) is a customizable, secure, and easy-to-use solution that allows you to integrate authentication and authorization into your applications for your end-users.It can be built using the no-code Self-Service Portal Builder.

Key Features of the SSP

• Account Recovery: End-users can request to recover their accounts if they forget their credentials or become locked out.

• Account Registration: End-users can self-register new accounts or complete admin-initiated registrations.

• Application Access Center: End-users can access pre-registered applications through a centralized app center using SSO.

• Consent Screen: End-users provide consent for requests done by clients.

• Audit Logs: End-users can track and review their actions within the portal and optionally in integrated applications.

• Authentication: End-users verify their identity during the login process to gain access to the portal.

• Authentication Management: End-users can manage their authentication methods, including passkeys, biometrics, passwords, multi-factor authentication (MFA), passwordless email, and passwordless SMS.

• Consent Management: End-users can control their consent for data sharing and privacy preferences.

• Data Access Request Management: End-users can request access to their personal data, export their data, or request account deletion.

• Identity Verification: End-users can confirm their identity to enhance security during account access.

• Notifications: End-users receive important updates and communications about their activities.

• Profile Management: End-users can easily update their personal information and preferences.

• Session Management: End-users can manage their active sessions to ensure account security.

A page for social sign-in (e.g., Google, Apple, Slack, Github) allows you to log in using your existing accounts from these providers. Similar to passwordless login via email TOTP (Time-based One-Time Password), this method makes logging in easier and more secure.

Key Benefits:

• Quick Access: Log in with a single click using your preferred social account.

• Improved Security: Utilizes the strong security measures of established providers.

• Convenience: No need to remember another password.

Steps to Use Social Sign-In:

1. Navigate to the login page.

2. Choose a Provider: Select from the preconfigured options like Google, Apple, Slack, or Github.

3. Authenticate: Click the provider button and follow the prompts to log in.

4. Grant Permissions: Allow the application to access basic profile information.

For configuration settings, please refer to the administrative hub section on configuring Single Sign-On (SSO) providers.

Authentication

1. First, authenticate with a primary authentication method.

2. Then, select Authenticator App for one of the subsequent factors.

3. Receive a TOTP (Time-based One-Time Password) in your Authenticator App.

4. Enter the TOTP in the provided field.

5. Access your account.

Registration of the Authentication Method

1. Go to the account settings page.

2. Select "Add Authentication Method."

3. Choose "Authenticator App."

4. Scan the presented QR Code.

5. Verify your authenticator device by entering the visible TOTP.

6. The method is now registered for your account.

Changing the Authentication Method

1. Navigate to the account settings page.

2. Select "Manage Authentication Methods."

3. Choose "Change Authentication Method."

4. Follow the prompts to switch to a new authenticator app or authentication method.

5. Confirm the change via the new method.

Removing the Authentication Method

1. Go to the account settings page.

2. Select "Manage Authentication Methods."

3. Click on "Remove" next to the authenticator app with the TOTP method.

4. Confirm the removal via an authenticator verification step.

5. The method has been removed from your account.

Authentication

1. Enter your email address on the login page.

2. Receive a TOTP (Time-based One-Time Password) in your email.

3. Enter the TOTP in the provided field.

4. Access your account without a password.

Registration of the Authentication Method

1. Go to the account settings page.

2. Select "Add Authentication Method."

3. Choose "Email with TOTP."

4. Verify your email by entering the received TOTP.

5. The method is now registered for your account.

Changing the Authentication Method

1. Navigate to the account settings page.

2. Select "Manage Authentication Methods."

3. Choose "Change Authentication Method."

4. Follow the prompts to switch to a new email or authentication method.

5. Confirm the change via the new method.

Removing the Authentication Method

1. Go to the account settings page.

2. Select "Manage Authentication Methods."

3. Click on "Remove" next to the email with TOTP method.

4. Confirm the removal via an email verification step.

5. The method is now removed from your account.

Post-Registration Configuration Options:

1. Access the Identity Self-Service Portal: Navigate to the Identity Self Service Portal through the Access Manager.

2. Single Sign-On (SSO) into the Application: Use SSO to sign into the application where the user will continue their onboarding process.

In the platform, we categorize OAuth clients into two types: public and confidential. Here's a breakdown of the core functionality for both client types and how to manage them.

1. Public Clients

Public clients are used in applications where the code runs on the user's device, making it impossible to store secrets securely. We use Authorization Code Flow with PKCE (Proof of Key Code Exchange) to protect against token theft without needing client secrets.

Using Public clients is recommended for the following application types:

• Browser-based applications (SPAs & Multi-Page Applications)

• Mobile native apps

• Progressive Web Apps (PWAs)

• Desktop applications

Key Configurations for Public Clients:

• Redirect URIs: The allowed URIs for redirecting after authentication.

• Allowed Grant Types: For public clients, typically authorization_code and refresh_token grant types are used.

• Scopes: Permissions requested by the client, such as openid, profile, and email.

2. Confidential Clients

Confidential clients are used in server-based applications, where the client secret can be stored securely. These clients:

• Require secure storage of the client secret.

• Can use advanced authentication methods like private key JWT.

Key Configurations for Confidential Clients:

• Client Secret: A securely stored secret for authenticating with the OAuth server.

• Token Endpoint Authentication Method: Methods such as client_secret_basic or private_key_jwt for securely authenticating to the token endpoint.

• Additional Security Settings: Settings for stronger authentication flows, such as JWT signing.

Creating a Client

Steps to Create a Client

1. Navigate to Client Management Page: Access the admin interface and locate the client management section.

2. Select Client Type: Choose between creating a Public or Confidential client.

3. Configure Settings:

   • Public Clients: Configure settings like redirect URIs, allowed scopes, and grant types.

   • Confidential Clients: Securely store client secrets, configure redirect URIs, and apply advanced security settings such as token endpoint authentication.

4. Save and Register: Once all configurations are made, save the settings and confirm client registration.

Managing Client Settings

Public Client Settings:

• Redirect URIs: List of authorized URLs for redirecting after authentication.

• Allowed Grant Types: Grant types like authorization_code and refresh_token.

• Scopes: Permissions such as openid, email, and profile that the client can request.

Confidential Client Settings:

• Client Secret: Securely stored secret for authenticating the client.

• Token Endpoint Authentication Method: Secure authentication methods such as client_secret_post or private_key_jwt.

• Advanced Security: Additional security configurations for confidential client

• Update Personal Information

• Manage User Preferences

Authentication

1. Enter your phonenumber on the login page.

2. Receive a TOTP (Time-based One-Time Password) in your phonenumber.

3. Enter the TOTP in the provided field.

4. Access your account without a password.

Registration of the Authentication Method

1. Go to the account settings page.

2. Select "Add Authentication Method."

3. Choose "phonenumber with TOTP."

4. Verify your phonenumber by entering the received TOTP.

5. The method is now registered for your account.

Changing the Authentication Method

1. Navigate to the account settings page.

2. Select "Manage Authentication Methods."

3. Choose "Change Authentication Method."

4. Follow the prompts to switch to a new phonenumber or authentication method.

5. Confirm the change via the new method.

Removing the Authentication Method

1. Go to the account settings page.

2. Select "Manage Authentication Methods."

3. Click on "Remove" next to the phonenumber with the TOTP method.

4. Confirm the removal via a phonenumber verification step.

5. The method has been removed from your account.

Communications Feature Documentation

Overview

The Communications feature is an integral part of the platform, offering seamless integration with the IAM (Identity and Access Management) system. This allows for effective communication with your users across various channels such as email, SMS, push notifications, and social media messaging.

Key Features

Analytics: Gain insights into message delivery status and user engagement.

Customization: Tailor messages to fit the specific needs and preferences of your users.

User Management: View and manage user interactions across different channels from a unified interface.

Multi-Channel Messaging: Seamlessly send messages via email, SMS, push notifications, and more.

Sending Messages

Configure additional channels such as SMS, push notifications, and social media messaging. This flexibility ensures that you can reach users through their preferred communication method.

View History

This tab enables you to manage messages sent through the platform using the Omnichannel Dispatcher. Track and review the history of all communications for improved user

Sending Messages

1. Go to the Messages tab.

2. Select the user(s) you wish to contact.

3. Choose the channel and compose your message.

4. Click Send to dispatch the message.

This integrated approach ensures effective communication, enhancing user engagement and satisfaction. To configure communication channels, refer to ...

Account recovery management is enables hub administrators to assist end-users in regaining access to their accounts.