User enrollment
User enrollment consists of creating a FIDO credential for a user.
Prerequisites
Before a user can be enrolled in FIDO, the user must already have been authenticated. For example, that authentication might rely on a remote FIDO credential, or on another authentication method such as a password or an identity document verification performed during the service subscription.
Sequence diagrams
Front end
The application front end has to:
- Retrieve from the back end the FIDO challenge and options to create the credential (step 2). The format of this communication is specific to the application.
- Use the WebAuthn API to create the credential, passing the options prepared by the FIDO server (step 8):

  ```javascript
  const credential = await navigator.credentials.create({ publicKey: credentialOptions });
  ```

  See the WebAuthn specifications for details.
- Send the credential description to the back end (step 10). The format of this communication is specific to the application.
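The three front-end steps above, as an added example that is not part of this documentation or of the FIDO server's own SDK. It assumes the back end relays the attestation options with their binary fields (`challenge`, `user.id`, `excludeCredentials[].id`) encoded as base64url, which is how WebAuthn options are usually carried in JSON; the `create` parameter exists only so the flow can be exercised without a browser.

```javascript
// Added example: bridge between the back end's JSON (base64url) and the
// ArrayBuffers that navigator.credentials.create() requires, then serialize
// the resulting PublicKeyCredential so it can be sent back (step 10).
// atob/btoa are available in browsers and in Node 16+.

function base64urlToBuffer(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

function bufferToBase64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Steps 2 -> 8: turn the relayed options into PublicKeyCredentialCreationOptions.
// Assumed JSON layout: { challenge, rp, user: { id, name, displayName },
// pubKeyCredParams, excludeCredentials?: [{ type, id }], ... }
function toCredentialOptions(opts) {
  return {
    ...opts,
    challenge: base64urlToBuffer(opts.challenge),
    user: { ...opts.user, id: base64urlToBuffer(opts.user.id) },
    excludeCredentials: (opts.excludeCredentials || []).map((c) => ({
      ...c,
      id: base64urlToBuffer(c.id),
    })),
  };
}

// Step 10: the credential description transmitted to the back end, which
// forwards clientDataJSON and attestationObject to the attestation verify endpoint.
function credentialToJson(cred) {
  return {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(cred.response.clientDataJSON),
      attestationObject: bufferToBase64url(cred.response.attestationObject),
    },
  };
}

async function enroll(optionsFromBackEnd, create = (o) => navigator.credentials.create(o)) {
  const credential = await create({ publicKey: toCredentialOptions(optionsFromBackEnd) });
  return credentialToJson(credential);
}
```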
Back end
The application back end has to:
- Receive the credential creation request from the front end, and send an attestation options request to the FIDO server. The type of expected credential can be customized through the various request input parameters. See the API documentation for the attestation options endpoint. The FIDO response has to be transmitted back to the front end.
- Receive the credential creation response from the front end, and submit the corresponding attestation response to the FIDO server. See the API documentation for the attestation verify endpoint. The FIDO server validates the response, and returns the validation status to the back end.
After the credential is successfully created, it can be used for user authentications.
Identifying users
FIDO associates each FIDO credential with a unique user identifier (userId), which is an opaque byte array stored in the FIDO server.
You can use the identifier value of your choice, possibly reusing a user identifier that you already use in other components of your information system. To do so, set the userId value in the attestation options request, and use the same value for all subsequent operations for that same user: additional credential registrations, authentications, or administrative operations.
Note: Pass the username value in the attestation options request. This value is needed to associate a readable identity name (or account reference) with the credential in the authenticator. The browser displays this name when a user has multiple credentials for the same relying party, so that the user can select which credential to use depending on the account they want to log in to. The username value does not have to be unique.