Single Registration: Workstation-to-Web: Admins
HYPR can be configured to only require pairing in one component of the HYPR system, instead of pairing separately with the Device Manager or the HYPR Passwordless client. When paired in one, users will be automatically prompted to complete the pairing on the other, and thereafter that pair will appear universally in all HYPR authentication rosters for that RP Application user.
Setting Up HYPR
Control Center Settings
- If you have not yet created the Workstation RP Application you will use, go ahead and create it in Control Center Advanced Mode.
  - To make use of any existing Workstation registrations, customers should use the existing app associated with these Workstation registrations.
  - For RP Applications starting with fresh registrations, we recommend creating a fresh RP Application.
- Generate an API access token (and store it securely) for both that Application and for the Control Center Admin Application before proceeding.
  - Both access tokens should have the Application Configuration permission at minimum.
- Configure Device Manager using cURL with the RP Application access token:

    curl --location \
      --request PUT "https://<CC URL>/cc/api/appconfig/devicemanager" \
      --header "Authorization: Bearer <RP APP ACCESS TOKEN>" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "baseURL": "https://<CC URL>",
        "rpAppId": "<RP APP ID>"
      }'

  Example

    curl --location \
      --request PUT "https://hypr.highlandsbank.com/cc/api/appconfig/devicemanager" \
      --header "Authorization: Bearer hypap-aed9e093-20b0-49cd0-8388-e6bca0e1e1e80" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "baseURL": "https://hypr.highlandsbank.com/",
        "rpAppId": "highlandsBankWS"
      }'

- In the Application's Login Settings, enable one or both of the following:
Download the Desktop Client
Follow the instructions for downloading the Desktop Client to obtain the hypr.json file that is configured for Single Registration.
For more information on the parameters used in hypr.json and how to use them, see HYPR Passwordless Installation: Installing Manually.
Setting Up AD
Export the Certificate from Active Directory (AD) Certificate Services (CS)
When configuring a certificate for use with Single Registration: Workstation-to-Web, the Email name must also be checked for the feature to function properly. See Creating a Custom Certificate Template for the full process.
- Log in to AD CS, and export the Certificate Authority (CA) certificate you wish to use in DER format, base64-encoded.
- Add a domain root certificate to HYPR using cURL with the Control Center Admin access token:

    curl --location \
      --request POST "https://<CC URL>/rp/api/domaincertificate" \
      --header "Authorization: Bearer <RP APP ACCESS TOKEN>" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "domainCertificate": "<DOMAIN CA CERTIFICATE>"
      }'

  Example

    curl --location \
      --request POST "https://hypr.highlandsbank.com/rp/api/domaincertificate" \
      --header "Authorization: Bearer hypap-edba607b-b400-4c57-9d3d-839a6e07a6f1" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "domainCertificate": "MIIDczCCAlugAwIBAgIQS0n13f/8s5Np+dFMzF++0TANBgkqhkiG9w0BAQsFADBM..."
      }'
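The export and upload steps above as a script, added here as an example and not part of HYPR's documentation or tooling: it reduces an AD CS Base-64 export to the single-line value shown in the example request, refuses files that contain private key material, and passes the access token from a file instead of the command line. `CC_URL`, `CC_TOKEN_FILE` and the function names are assumptions, as is the API expecting the bare base64 body without PEM armor; the endpoint and JSON key are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example, not HYPR tooling. CC_URL, CC_TOKEN_FILE and the function
# names are assumptions; the endpoint and JSON key are the ones on this page.

# Reduce an AD CS "Base-64 encoded X.509" export to the single-line base64
# string used as the "domainCertificate" value.
cert_to_b64() {
    # Refuse key material: only the CA certificate belongs in this request.
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 1
    fi
    # Drop the PEM armor lines, then all whitespace (AD CS writes CRLF).
    b64=$(grep -v '^-----' "$1" | tr -d ' \t\r\n')
    case "$b64" in
        ''|*[!A-Za-z0-9+/=]*)
            echo "refusing: $1 is not base64-encoded DER" >&2
            return 1 ;;
    esac
    printf '%s' "$b64"
}

# Build the JSON request body (base64 needs no JSON escaping).
domain_cert_body() {
    b64=$(cert_to_b64 "$1") || return 1
    printf '{"domainCertificate": "%s"}' "$b64"
}

# POST the body. CC_TOKEN_FILE (chmod 600) holds one line,
# "Authorization: Bearer <token>", read by curl's --header @file
# (curl 7.55.0+), so the token stays out of shell history and ps output.
upload_domain_cert() {
    body=$(domain_cert_body "$1") || return 1
    printf '%s' "$body" | curl --fail --silent --show-error \
        --request POST "https://${CC_URL}/rp/api/domaincertificate" \
        --header @"${CC_TOKEN_FILE}" \
        --header "Content-Type: application/json" \
        --data-binary @-
}

# Constructed sample input (not a real certificate) showing the conversion.
demo() {
    f=$(mktemp)
    printf -- '-----BEGIN CERTIFICATE-----\r\nMIIBsample\r\nAAAA+/==\r\n-----END CERTIFICATE-----\r\n' > "$f"
    domain_cert_body "$f"; rc=$?
    rm -f "$f"
    return "$rc"
}
```

Run `upload_domain_cert ca.cer` with `CC_URL` and `CC_TOKEN_FILE` set; `demo` prints the request body built from the constructed sample without contacting any server.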
Configure AD Users
Before a user can start the web registration flow, their AD user account must be configured as follows:
- In the management console, click Start.
- Navigate to Active Directory Users and Computers.
- In the top menu, click View -> Advanced Features.
- Select the user that you will invite to register.
- Under the General tab, enter the user's email address into the E-mail field.
- Click the Attribute Editor.
- Scroll down, click the mail attribute, and enter the user's email address.