Single Registration: Workstation-to-Web: Admins

HYPR can be configured to only require pairing in one component of the HYPR system, instead of pairing separately with the Device Manager or the HYPR Passwordless client. When paired in one, users will be automatically prompted to complete the pairing on the other, and thereafter that pair will appear universally in all HYPR authentication rosters for that RP Application user.

Setting Up HYPR

Control Center Settings

  1. If you have not yet created the Workstation RP Application you will use, go ahead and create it in Control Center Advanced Mode.

  2. To make use of any existing Workstation registrations, customers should use the existing app associated with these Workstation registrations.

  3. For RP Applications starting with fresh registrations, we recommend creating a fresh RP Application.

    • Generate an API access token (and store it securely) for both that Application and for the Control Center Admin Application before proceeding.

    • Both access tokens should have the Application Configuration permission at minimum.

  4. Configure Device Manager using cURL with the RP Application access token:

    curl \
      --location \
      --request PUT "https://<CC URL>/cc/api/appconfig/devicemanager" \
      --header "Authorization: Bearer <RP APP ACCESS TOKEN>" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "baseURL": "https://<CC URL>",
        "rpAppId": "<RP APP ID>"
      }'

    Example

    curl \
      --location \
      --request PUT "https://hypr.highlandsbank.com/cc/api/appconfig/devicemanager" \
      --header "Authorization: Bearer hypap-aed9e093-20b0-49cd0-8388-e6bca0e1e1e80" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "baseURL": "https://hypr.highlandsbank.com/",
        "rpAppId": "highlandsBankWS"
      }'

  5. In the Application's Login Settings, enable one or both of the following:

Download the Desktop Client

Follow the instructions for downloading the Desktop Client to obtain the hypr.json file that is configured for Single Registration.

For more information on the parameters used in hypr.json and how to use them, see HYPR Passwordless Installation: Installing Manually.

Setting Up AD

Export the Certificate from Active Directory (AD) Certificate Services (CS)

Additional Information

When configuring a certificate for use with Single Registration: Workstation-to-Web, the Email name must also be checked for the feature to function properly. See Creating a Custom Certificate Template for the full process.

  1. Log in to AD CS, and export the Certificate Authority (CA) certificate you wish to use in DER format, base64-encoded.

  2. Add a domain root certificate to HYPR using cURL with the Control Center Admin access token:

    curl \
      --location \
      --request POST "https://<CC URL>/rp/api/domaincertificate" \
      --header "Authorization: Bearer <RP APP ACCESS TOKEN>" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "domainCertificate": "<DOMAIN CA CERTIFICATE>"
      }'

    Example

    curl \
      --location \
      --request POST "https://hypr.highlandsbank.com/rp/api/domaincertificate" \
      --header "Authorization: Bearer hypap-edba607b-b400-4c57-9d3d-839a6e07a6f1" \
      --header "Content-Type: application/json" \
      --data-raw '{
        "domainCertificate": "MIIDczCCAlugAwIBAgIQS0n13f/8s5Np+dFMzF++0TANBgkqhkiG9w0BAQsFADBM..."
      }'
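
The export and upload steps above, as an added example that is not HYPR's own tooling: it turns the exported certificate file into the request body and rejects files that should not be uploaded. It assumes the export is a Base-64 text file with BEGIN/END CERTIFICATE lines and that the API takes the bare one-line base64 body, as the example value above suggests; `HYPR_CC_URL`, `HYPR_TOKEN` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not HYPR tooling. Assumptions: the CA certificate was exported
# as a Base-64 text file with BEGIN/END CERTIFICATE lines, and the API takes the
# bare one-line base64 body, as the page's example value suggests.
# HYPR_CC_URL and HYPR_TOKEN are hypothetical environment variable names.

# Print the JSON body for /rp/api/domaincertificate, or fail with a reason.
build_domaincert_payload() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Refuse anything carrying key material: only the public CA cert is uploaded.
    if grep -q -e 'PRIVATE KEY' "$file"; then
        echo "refusing: $file contains a private key" >&2; return 1
    fi
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one certificate, found $count" >&2; return 1
    fi
    # Drop the armor lines and all whitespace, including CRLF from Windows.
    b64=$(grep -v -e '-----' "$file" | tr -d ' \t\r\n')
    case $b64 in
        ''|*[!A-Za-z0-9+/=]*) echo "body is not base64" >&2; return 1 ;;
    esac
    # A DER SEQUENCE with a two-byte length encodes to a leading "MII".
    case $b64 in
        MII*) ;;
        *) echo "body does not look like a DER certificate" >&2; return 1 ;;
    esac
    printf '{"domainCertificate": "%s"}\n' "$b64"
}

# Token comes from the environment, so it is not typed into shell history.
post_domaincert() {
    payload=$(build_domaincert_payload "$1") || return 1
    printf '%s' "$payload" | curl --fail --silent --show-error \
        --request POST "https://${HYPR_CC_URL}/rp/api/domaincertificate" \
        --header "Authorization: Bearer ${HYPR_TOKEN}" \
        --header "Content-Type: application/json" \
        --data @-
}

# Constructed sample (not a real certificate) for a dry run of the checks.
write_sample_cert() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIBsample0000' \
        'AAAAbbbbCCCC==' '-----END CERTIFICATE-----' > "$1"
}
```

A binary DER export fails the "exactly one certificate" check because it has no BEGIN line; re-export it as Base-64 text before uploading.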

Configure AD Users

Before a user can start the web registration flow, their AD user account must be configured as follows:

  1. In the management console, click Start.

  2. Navigate to Active Directory Users and Computers.

  3. In the top menu, click View -> Advanced Features.

  4. Select the user that you will invite to register.

  5. Under the General tab, enter the user's email address into the E-mail field.

  6. Click the Attribute Editor.

  7. Scroll down, click the mail attribute, and enter the user's email address.