Skip to main content
Version: 10.7.1

Workstation to Web Single Registration

Facts

  • One-way registration flow: Users initiate registration once using HYPR Workforce Access (WFA) Client on their desktop; no explicit web registration required
  • Dual profile creation: HYPR Server creates both desktop and web authentication profiles automatically
  • One-time user experience: From the user's perspective, a single registration ceremony provides access to both platforms
  • Multiple workstations, one web profile: Users can create multiple desktop profiles from different machines; all link to a single web profile
  • Linked deregistration: Deregistering from any workstation removes that desktop profile and deletes the associated web profile, preventing web access after deregistration

Prerequisites

  1. Create and configure rpApp for Workstation
  2. Create and configure rpApp for all web applications requiring passwordless access
  3. Install HYPR Workforce Access Client on end-user workstations
  4. Export Active Directory Certificate Services (AD CS) domain certificate to HYPR Control Center

Configuration

  1. Enable Feature Flags on Workstation rpApp level:

    • WEB_LOGIN_WITH_WFA_REGISTRATION

  2. Enable Feature Flags on Web rpApp level:

    • WEB_TO_WS_SINGLE_REGISTRATION_TRANSLATION
    • RP_APP_WORKSTATION_ENABLED

  3. Upload AD CS Domain CA Certificate to HYPR Control Center:

    • Sign in to AD CS and export the domain certificate in Distinguished Encoding Rules (DER) format with base64 encoding
    • Call the HYPR Control Center API to upload the certificate:
      • API URL: https://<HOST>/rp/api/domaincertificate
      • Request Type: POST
      • Request Payload: {"domainCertificate":"<Base64Encoded>"}
      • Authorization: Bearer <AdminToken>
    curl --location --request POST "https://HOST/rp/api/domaincertificate" \
    --header "Authorization: Bearer hypap-edba607b-b400-4c57-9d3d-839a6e07a6f1" \
    --header "Content-Type: application/json" \
    --data '{"domainCertificate": "MIIDczCCAlugAwIBAgIQS0n13f/8s5Np+dFMzF++0TANBgkqhkiG9w0BAQsFADBM-RMwEQYKCZImiZPyLGQBGRYDbmV0MRcwFQYKCZImiZPyLGQBGRYHaHlwcmxhYjEcMBoGA1UEAxMTaHlwcmxhYi1BRFNFUlZFUi1DQTAeFw0yMjA4MTEyMzQ4MTZaFw0zMjA4MTEyMzU4MTVaMEwxEzARBgoJkiaJk/IsZAEZFgNuZXQxFzAVBgoJkiaJk/IsZAEZFgdoeXBybGFiMRwwGgYDVQQDExNoeXBybGFiLUFEU0VSVkVSLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDnPO/GZ1HeNMj1X+yDu46oK1x4mnC8aBDUwVlpzcEv4heLuAWZT/dFVFKKZSNQxbAMubuNwFepySrgp7ThBVp4BGBq7b/LmjZJD9oeqpBhKnryIfYSqLbxY3J2h5YtjQiR7nRr9iNyfT+8I91yyhn95sdtNEyeENlyI+dz41bAj/PksJVtdxhI/ClnJTVSCHFid42jcta0VKgfnmRfvvobX2rOpgmKhAYr9fNZ67TlzTTjji8Hz4vpQGm/9fiLKim4idAksTo1x/w0mOLSbaHTZ/qAUdTyye6aDDw1g9xap3cXPRX82Lstq/4CbhNZRHg1QfFMamghb6siX9KXOhQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUG9IOpL+oXX7mlkOKNqFPWb/hmp0wEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEGU/5V1evJKwTFaac6MnA02Pgwvmaer8Gycun4cAJbd9HUtenKcw8+oryojouniJ7Bm7NTrGPHDFgTxg1P9fdA8DE8nVCidCYiN3iJOzQ5v593eK08SxExEGOIcFveOZf0uAXgtr2UkqTBp2K8RYUT5nTpjBXUMcQdHO1fXYJ/cKqH25CiGqMwUQx+aNWzc7/LT4nX9A9zMiwALD1IbTZOlzU7R8mt0A3IZClJJvCl9PdAcpqiHqAUnq8ojJN0neeANJyiXixedrTp6gxEpGWV7tR2NuYesnwjFtV2jV0VdcYVmDQVtqdpkxbx93re2IGhNqO+H0Pujtie2TTv7J4kE="}'

Registration Scenarios

New Web Profile

When a user registers for the first time from their workstation:

  • User initiates registration via HYPR WFA Client on desktop
  • Desktop profile is created with authentication credentials
  • HYPR Server automatically provisions a new web profile
  • User gains access to both desktop and web applications without separate web registration
  • Prerequisites validated: Email must be in certificate template during registration

Existing Web Profile

When a user with an existing web profile registers from workstation:

  • User initiates registration via HYPR Workforce Access Client
  • New desktop profile is created and linked to the existing web profile
  • Web profile credentials activate for use with the new desktop
  • Administrators must enable the SingleReg feature flag on the web rpApp to support profile linking

Existing Workstation Profile Scenario

Deregistration

Users can deregister from either platform with specific outcomes:

  • When user removes workstation or web profile via HYPR WFA Client or Device Manager
  • Deregistering desktop profile removes linked web profile (user loses web access)
  • Deregistering web profile removes desktop profile (user loses desktop access)
  • Clean state allows re-registration as new user with same credentials