Requirements and Specifications for Single Registration Web to Workstation Deployment
Single Registration Introduction
Passwordless Authentication using mobile devices as authenticators enhances application security and simplifies user experiences. Users can register their mobile devices to the desktop using HYPR WFA client for passwordless login to their desktop and to the protected browser web applications. The authentication user experience can be taken to the next level by allowing users to register their mobile device once using HYPR single registration mechanism, enabling passwordless login to their desktop and protected web applications without having to register their mobile devices additionally.
Single registration can be achieved from workstation to web or from web to workstation or both directions.
Workstation to Web Single Registration
Facts
- Workstation to Web Single Registration is a one-way registration flow which allows the user to initiate and complete the registration ceremony once using HYPR WFA Client. The user doesn't have to register explicitly to the configured web applications. After this single registration ceremony, the user can log in to desktop and web applications.
- From the user's perspective, it is a one-time registration experience; however, from the backend's perspective, HYPR Server creates both desktop and web profiles.
- This single registration process doesn't stop the user from registering explicitly to the web application; in that case, the web-registered profile is not linked with the desktop profile.
- A user could create multiple desktop profiles from multiple desktop machines; however, all of these desktop profiles would be linked with only one web profile.
- Desktop profile deregistration initiated from any desktop machine would delete that desktop profile and the associated web profile. After this operation, the user would not be able to log in with the web profile.
Pre-Requisites
- Create and configure rpApp for Workstation.
- Create and configure rpApp for all web applications which users would need to log in to without having to register explicitly for the web.
- HYPR WFA Client is required to be installed.
WS To Web Single Registration Sequence Diagrams
- New Web Profile Scenario - The user doesn't have any existing web profile.
- Existing Web Profile Scenario
- Existing Workstation Profile Scenario
- Deregistration Scenario
Configuration
- Enable below listed FFs on Workstation rpApp level
  a. WEB_LOGIN_WITH_WFA_REGISTRATION
- Enable below listed FFs on Web rpApp level
  a. WEB_TO_WS_SINGLE_REGISTRATION_TRANSLATION
  b. RP_APP_WORKSTATION_ENABLED
- Upload AD CS domain CA certificate to HYPR CC
  a. Log in to AD CS and export the domain certificate in DER format (base64-encoded).
  b. Make HYPR CC API Call to upload the certificate
    i. API URL - https://<HOST>/rp/api/domaincertificate
    ii. Request Type - POST
    iii. Request Payload - {"domainCertificate":"<Base64Encoded>"}
    iv. Authorization - Bearer <AdminToken>

Example request:

```bash
curl --location --request POST "https://HOST/rp/api/domaincertificate" \
--header "Authorization: Bearer hypap-edba607b-b400-4c57-9d3d-839a6e07a6f1" \
--header "Content-Type: application/json" \
--data '{"domainCertificate": "MIIDczCCAlugAwIBAgIQS0n13f/8s5Np+dFMzF++0TANBgkqhkiG9w0BAQsFADBM-RMwEQYKCZImiZPyLGQBGRYDbmV0MRcwFQYKCZImiZPyLGQBGRYHaHlwcmxhYjEcMBoGA1UEAxMTaHlwcmxhYi1BRFNFUlZFUi1DQTAeFw0yMjA4MTEyMzQ4MTZaFw0zMjA4MTEyMzU4MTVaMEwxEzARBgoJkiaJk/IsZAEZFgNuZXQxFzAVBgoJkiaJk/IsZAEZFgdoeXBybGFiMRwwGgYDVQQDExNoeXBybGFiLUFEU0VSVkVSLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDnPO/GZ1HeNMj1X+yDu46oK1x4mnC8aBDUwVlpzcEv4heLuAWZT/dFVFKKZSNQxbAMubuNwFepySrgp7ThBVp4BGBq7b/LmjZJD9oeqpBhKnryIfYSqLbxY3J2h5YtjQiR7nRr9iNyfT+8I91yyhn95sdtNEyeENlyI+dz41bAj/PksJVtdxhI/ClnJTVSCHFid42jcta0VKgfnmRfvvobX2rOpgmKhAYr9fNZ67TlzTTjji8Hz4vpQGm/9fiLKim4idAksTo1x/w0mOLSbaHTZ/qAUdTyye6aDDw1g9xap3cXPRX82Lstq/4CbhNZRHg1QfFMamghb6siX9KXOhQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUG9IOpL+oXX7mlkOKNqFPWb/hmp0wEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEGU/5V1evJKwTFaac6MnA02Pgwvmaer8Gycun4cAJbd9HUtenKcw8+oryojouniJ7Bm7NTrGPHDFgTxg1P9fdA8DE8nVCidCYiN3iJOzQ5v593eK08SxExEGOIcFveOZf0uAXgtr2UkqTBp2K8RYUT5nTpjBXUMcQdHO1fXYJ/cKqH25CiGqMwUQx+aNWzc7/LT4nX9A9zMiwALD1IbTZOlzU7R8mt0A3IZClJJvCl9PdAcpqiHqAUnq8ojJN0neeANJyiXixedrTp6gxEpGWV7tR2NuYesnwjFtV2jV0VdcYVmDQVtqdpkxbx93re2IGhNqO+H0Pujtie2TTv7J4kE="}'
```
Web to Workstation Single Registration
Facts
- Web to Workstation Single Registration is a one-way registration flow which allows the user to initiate and complete the registration ceremony once using the browser web application interface. The user doesn't have to register explicitly to the desktop using HYPR WFA Client. After this single registration ceremony, the user can log in to desktop and web applications.
- From the user's perspective, it is a one-time registration experience; however, from the backend's perspective, HYPR Server creates both desktop and web profiles.
Pre-Requisites
- Create and configure rpApp for Workstation.
- Create and configure rpApp for all web applications which users would need to log in to without having to register explicitly for the web.
- HYPR Enrollment Service Deployment and Configuration
- HYPR WFA Client Installation (Optional)
Configuration
- Enable below listed FF on Global level
  a. WINDOWS_WEB_ENROLLMENT
- Enable below listed FFs on Web rpApp level
  a. ASYNC_REGISTRATION
  b. WINDOWS_WEB_ENROLLMENT
  c. RP_APP_WORKSTATION_ENABLED
  d. WEB_TO_WS_SINGLE_REGISTRATION_TRANSLATION
  e. VIRTUAL_DESKTOP_INFRASTRUCTURE
  f. ENDPOINT_API_SECURITY_TOKEN_DEVICE (Enabled by Default)
  g. ENDPOINT_API_SECURITY_TOKEN_WORKSTATION (Enabled by Default)
- Enable below listed FFs on Workstation rpApp level
  a. WINDOWS_WEB_ENROLLMENT
  b. RP_APP_WORKSTATION_ENABLED
  c. VIRTUAL_DESKTOP_INFRASTRUCTURE
  d. ENDPOINT_API_SECURITY_TOKEN_DEVICE (Enabled by Default)
  e. ENDPOINT_API_SECURITY_TOKEN_WORKSTATION (Enabled by Default)
HYPR Enrollment Service - Facts
- HYPR Certificate Enrollment Service is designed to manage authentication certificates for end users enrolling with the web application registration interface or Device Manager.
- When users add a new mobile device to the web application using the registration interface, HYPR CC Server queues up the certificate request.
- Enrollment Service is expected to interact with HYPR CC Server by polling for pending cert requests, and it sends the encrypted certificate back to the CC server.
- CC Server transports the certificate to the user's mobile device.
- Interaction of the Enrollment Service with the HYPR CC Server is controlled by FF (WINDOWS_WEB_ENROLLMENT).
HYPR Enrollment Service - Installation Requirement
- The Enrollment Service is distributed as an MSI installer package which has no user interface (HyprEnrollmentService_x64.msi).
- It can be installed on a Windows Server with network connectivity to Active Directory Certificate Services (AD CS).
- Windows Server is required to have .NET Framework enabled.
- It can't be installed on the Domain Controller or the AD CS server.
- Refer to the HYPR Public Documentation Guide for the steps to follow for installation of the enrollment service.
Web To WS Single Registration Sequence Diagrams
- New Web Profile Scenario - The user doesn't have any existing web profile.
- Existing Web Profile Scenario
- Existing Workstation Profile Scenario
- Deregistration Scenario
Certificate Renewal
HYPR Passwordless authentication uses Active Directory certificates bound to trusted user devices to enable secure, phishing-resistant authentication. As these user login certificates approach expiration, renewal is required to ensure continuous authentication, maintain security posture, and comply with organizational and regulatory requirements.
HYPR Workstation Agent starts notifying the user via system tray 30 days before expiration that a pending renewal awaits and the login certificate on the mobile device can be renewed automatically.
Certificate Renewal - Workstation to Web
Flow Diagram
Flow Description
- HYPR Workstation Agent detects that the current login certificate is approaching expiration.
- The agent requests a new certificate for the user.
- The new certificate is generated and saved locally.
- The agent waits for the next Unlock request.
- During the next unlock session using the HYPR Mobile App, the new certificate is transferred to the HYPR Mobile App through the HYPR Server.
- The subsequent unlock events using the HYPR Mobile App will use the new certificate to establish the login session.
- The agent marks the certificate renewal as successfully completed, runs certain bookkeeping operations and continues the authentication workflow.
Facts
- Login certificate renewal is initiated by the HYPR Workstation Agent process running on the employee's laptop, which contacts AD CS to enroll a new certificate.
- Users must be connected to the corporate network (domain/VPN) for the certificate renewal to succeed and complete.
- The user will receive warnings from the system tray when a certificate must be renewed.
  a. 30 days before expiration to alert the user - Snooze option is available
  b. 7 days before expiration to actively request the user to complete their renewal
  c. 1 day before expiration - Snooze option is not available
- The new certificate will sit on the Workstation local file system until there is an opportunity to send it to Mobile, which happens during an unlock request initiated by the Mobile App and flows through the HYPR Server.
- When the new certificate has been enrolled, successfully transferred to the Mobile App and presented back to the Workstation for the first time, Windows will contact Active Directory to authenticate that certificate; after success, Windows caches the certificate.
- Workstation - connected to corporate network (domain/VPN)
  a. After renewal, first unlock successful
  b. New certificate is used
  c. Mobile App is notified that the new certificate is in use
- Workstation - not connected to corporate network (domain/VPN)
  a. After renewal, first unlock not successful
  b. Current certificate is used
  c. Pop-up notification to the user to connect to VPN and unlock.
- Mobile App
  a. Keeps track of two certificates, current and new one.
  b. Sends both certificates during the Unlock request.
  c. Waits for acknowledgment when the new certificate is accepted.
Pre-Requisites
- HYPR Server is in a running state
  a. Workstation To Web feature flags are enabled.
- Mobile App has workstation registration.
- The user workstation is connected to the domain.
Configuration
- Enable Auto Enrollment Feature Flag
  a. MOBILE_AUTO_CERT_RENEWAL
Certificate Renewal - Web to Workstation
Flow Diagram
Flow Description
- Mobile App periodically polls HYPR Server to determine whether a new certificate is available.
- HYPR Server checks for current certificate expiration.
- HYPR Server automatically initiates certificate renewal through the HYPR Enrollment Service.
- The enrollment service requests a new certificate for the user.
- A new login certificate is generated.
- Enrollment Service encrypts the certificate and posts the encrypted one to the HYPR Server.
- The encrypted certificate is temporarily stored on the HYPR server.
- The new certificate is transferred to the Mobile App from the server during the polling process.
- Mobile App keeps new and current certificates.
- The user is required to complete the renewal process by unlocking the workstation.
- During the next unlock session using the HYPR Mobile App, the new certificate is transferred to the HYPR Mobile App through the HYPR Server.
- The subsequent unlock events using the HYPR Mobile App will use the new certificate to establish the login session.
- The workstation agent marks the certificate renewal successfully completed and the new certificate becomes the current one.
Facts
- Login certificate renewal is initiated automatically by HYPR Server. The HYPR Enrollment Service, running on a Windows server in the customer's network, calls ADCS to request certificate enrollment.
- Users must be connected to the corporate network (domain/VPN) for completing the renewal process successfully.
- When a new certificate is ready, the HYPR Mobile App will obtain it as part of its regular communication with the HYPR Server. During the next unlock, the user's mobile device will send both the current and new certificates to the workstation. The workstation will attempt to use the new certificate for authentication. If successful, the new certificate will be cached and used for future authentications. If the workstation cannot reach Active Directory (e.g. VPN is not connected), it will use the current certificate and prompt the user to connect to VPN and unlock again to complete the renewal process.
- HYPR Server tracks the certificate expiration dates and automatically initiates renewal through the HYPR Enrollment Service when certificates are approaching expiration (30 days before expiration). Administrators can view pending certificate renewals in the HYPR Server User Management interface.
- Workstation - connected to corporate network (domain/VPN)
  a. After renewal, first unlock successful
  b. New certificate is used
  c. Mobile App is notified that the new certificate is in use
- Workstation - not connected to corporate network (domain/VPN)
  a. After renewal, first unlock not successful
  b. Current certificate is used
  c. Pop-up notification to the user to connect to VPN and unlock.
- Mobile App
  a. Keeps track of two certificates, current and new one.
  b. Sends both certificates during the Unlock request.
  c. Waits for acknowledgment when the new certificate is accepted.
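The renewal facts for both directions (Workstation to Web and Web to Workstation) describe the same device-side behaviour: the tray warning thresholds, the mobile app holding the current and new certificate and sending both on unlock, and the workstation accepting the new one only when it can reach AD, falling back to the cached current one otherwise. The following Python model is an added example, not HYPR code; certificate serials, the reference clock and the assumption that snooze is still offered at the 7-day step are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Tray warning thresholds from the renewal facts: 30 days (snooze available),
# 7 days (active request), 1 day (no snooze). Whether snooze is still offered
# at the 7-day step is not stated on the page; True here is an assumption.
WARNINGS = ((1, "final", False), (7, "request", True), (30, "alert", True))
NOW = datetime(2025, 1, 1, 9, 0)  # constructed reference clock for the scenarios

@dataclass
class Certificate:
    serial: str  # constructed sample value, not a real serial
    not_after: datetime

def make_cert(serial: str, days_left: int) -> Certificate:
    """Sample login certificate expiring `days_left` days after NOW."""
    return Certificate(serial, NOW + timedelta(days=days_left))

@dataclass
class MobileState:
    """Mobile app side: holds the current certificate and, during renewal, the new one."""
    current: Certificate
    new: Optional[Certificate] = None

    def unlock_payload(self) -> list:
        # Both certificates are sent on every unlock while a renewal is pending.
        return [c for c in (self.current, self.new) if c is not None]

    def on_ack(self) -> None:
        # Workstation acknowledged the new certificate: it becomes the current one.
        if self.new is not None:
            self.current, self.new = self.new, None

def tray_warning(cert: Certificate, now: datetime = NOW) -> Optional[dict]:
    """Warning the agent would show for `cert`, or None if expiry is over 30 days away."""
    remaining = cert.not_after - now
    for days, level, snooze in WARNINGS:
        if remaining <= timedelta(days=days):
            return {"level": level, "snooze": snooze, "expired": remaining <= timedelta(0)}
    return None

def workstation_unlock(certs: list, ad_reachable: bool, cache: set) -> dict:
    """Workstation side: a never-seen certificate needs AD (domain/VPN) once and is
    cached after success; if AD is unreachable the cached current certificate is
    used and the user is prompted to connect to VPN and unlock again."""
    current, new = certs[0], (certs[1] if len(certs) > 1 else None)
    if new is not None and (new.serial in cache or ad_reachable):
        cache.add(new.serial)
        return {"used": new.serial, "renewal_done": True, "ack_mobile": True, "prompt_vpn": False}
    # Assumes the current certificate was cached by an earlier successful unlock.
    return {"used": current.serial, "renewal_done": False, "ack_mobile": False,
            "prompt_vpn": new is not None}
```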
Pre-Requisites
- HYPR Server is in a running state
  a. Web to Workstation feature flags are enabled.
- Entitlement Server is in a running state
- Mobile App has web registration.
- The user workstation is connected to the domain.
Configuration
- Enable Auto Enrollment Feature Flag
  a. MOBILE_AUTO_CERT_RENEWAL
Testing the Workflow
- HYPR CC Console can be used to create a magic link for the web application.
  a. Enter the user's email in the Username field. This is the same email address that is associated with the user profile on Active Directory.
  b. Click Create Magic Link
- The user navigates to the Magic Link Web Link URL, which redirects the user to Device Manager.
- The user selects 'Register mobile device', which makes a call to HYPR Server to initiate the web registration.
- Wait a few minutes for the server to process the certificate.
- The user taps on the Pending Computer bubble.
- The user scans the QR code on the Windows lock screen to complete the WFA pairing.
- Cert Renewal
  a. Test workstation unlock for workstation registrations by putting the current certificate in a state where it is close to expiration.
  b. Test workstation unlock for workstation registrations when the current certificate is in an expired state.
  c. Test workstation unlock with the workstation connected to the corporate network (domain/VPN).
  d. Test workstation unlock with the workstation not connected to the corporate network (domain/VPN).
  e. Test workstation unlock for web registrations when the current certificate is in a state where it is close to expiration.
  f. Test workstation unlock for web registrations when the current certificate is in an expired state.
Deployment Strategy
- Customer has an existing footprint of passwordless login to desktop - Workstation to Web single registration can be enabled so that web profiles are created for all existing desktop profiles.
- Customer has an existing footprint of passwordless login to web applications - Web to Workstation single registration can be enabled so that workstation profiles are created for all existing web profiles.
- Customer has no footprint - Both Workstation to Web and Web to Workstation single registration can be enabled.
Logs and Audit Trail
- HYPR CC Console provides administrators with an Audit Trail mechanism for tracking events that flow through the HYPR components. Refer to HYPR Public Documentation for details.
- The Audit Trail events are stored in the HYPR database for a limited time. Customers can integrate their existing SIEM footprint with HYPR Server for permanent storage of these audit events.
- Events related to Single Registration

| Event Name | Event Description |
|---|---|
| WORKSTATION_CERTIFICATE_REQUESTED | Web registration was done by the user. A certificate request was queued up for the Enrollment Service to process |
| WORKSTATION_CERTIFICATE_ISSUED | Enrollment Service submitted the requested certificate back to the RP server |
| WORKSTATION_CERTIFICATE_REVOKED | Enrollment Service revoked a certificate. Revocation requests come from de-registrations or re-registrations. In the latter case, the existing cert is revoked |
| MOBILE_NOTIFIED_OF_NEW_CERTIFICATE | Push notification sent to the mobile, asking it to collect the newly issued cert |
| MOBILE_CONFIRMED_NEW_CERTIFICATE | Mobile confirms that it was able to collect the cert and process it successfully |
| WORKSTATION_ENROLLED | User logged into the workstation by scanning the QR on the login screen. The workstation then completed the enrollment successfully |
- Events related to Certificate Renewal

| Event Name | Event Description |
|---|---|
| WORKSTATION_ACCEPTED_NEW_CERTIFICATE | Workstation received two certificates from Mobile (current and new) and succeeded in unlocking the Workstation with the new certificate |
| MOBILE_ACK_NEW_CERTIFICATE_ACCEPTANCE | Mobile received notification about acceptance of a new certificate |
| MOBILE_CERTIFICATE_REENROLLMENT | Re-enrolled new certificate had been transferred to Mobile |
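Once these events reach a SIEM, the single-registration chain in the first table gives a natural health and anomaly check: a registration that stops partway (for example WORKSTATION_CERTIFICATE_REQUESTED with no WORKSTATION_CERTIFICATE_ISSUED suggests the Enrollment Service is not polling) and repeated WORKSTATION_CERTIFICATE_REVOKED events for one user (repeated re-registrations) are both worth an alert. The Python below is an added example, not HYPR code; the record layout (`ts`, `user`, `event`), the sample events and the thresholds are constructed, since the page does not describe the export format.

```python
from datetime import datetime, timedelta

# Constructed sample audit records; field names are an assumption.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:00:00", "user": "alice@example.test", "event": "WORKSTATION_CERTIFICATE_REQUESTED"},
    {"ts": "2025-01-01T09:02:00", "user": "alice@example.test", "event": "WORKSTATION_CERTIFICATE_ISSUED"},
    {"ts": "2025-01-01T09:02:05", "user": "alice@example.test", "event": "MOBILE_NOTIFIED_OF_NEW_CERTIFICATE"},
    {"ts": "2025-01-01T09:03:00", "user": "alice@example.test", "event": "MOBILE_CONFIRMED_NEW_CERTIFICATE"},
    {"ts": "2025-01-01T09:10:00", "user": "alice@example.test", "event": "WORKSTATION_ENROLLED"},
    {"ts": "2025-01-01T10:00:00", "user": "bob@example.test", "event": "WORKSTATION_CERTIFICATE_REQUESTED"},
    {"ts": "2025-01-01T11:00:00", "user": "carol@example.test", "event": "WORKSTATION_CERTIFICATE_REQUESTED"},
    {"ts": "2025-01-01T11:01:00", "user": "carol@example.test", "event": "WORKSTATION_CERTIFICATE_ISSUED"},
    {"ts": "2025-01-01T11:01:05", "user": "carol@example.test", "event": "MOBILE_NOTIFIED_OF_NEW_CERTIFICATE"},
    {"ts": "2025-01-01T12:00:00", "user": "dave@example.test", "event": "WORKSTATION_CERTIFICATE_REVOKED"},
    {"ts": "2025-01-01T12:05:00", "user": "dave@example.test", "event": "WORKSTATION_CERTIFICATE_REVOKED"},
    {"ts": "2025-01-01T12:09:00", "user": "dave@example.test", "event": "WORKSTATION_CERTIFICATE_REVOKED"},
]

# Expected order of a web-to-workstation single registration, from the event table.
REGISTRATION_CHAIN = [
    "WORKSTATION_CERTIFICATE_REQUESTED",
    "WORKSTATION_CERTIFICATE_ISSUED",
    "MOBILE_NOTIFIED_OF_NEW_CERTIFICATE",
    "MOBILE_CONFIRMED_NEW_CERTIFICATE",
    "WORKSTATION_ENROLLED",
]

def check_registrations(events, now_iso, stall_minutes=30, revoke_window_minutes=15, revoke_max=2):
    """Return (user, finding, detail) tuples: registrations stuck at a chain step for
    longer than `stall_minutes`, and users with more than `revoke_max` revocations
    inside `revoke_window_minutes`. Thresholds are constructed, not HYPR defaults."""
    now = datetime.fromisoformat(now_iso)
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append((datetime.fromisoformat(e["ts"]), e["event"]))
    findings = []
    for user, evs in by_user.items():
        names = [n for _, n in evs]
        reached = [i for i, step in enumerate(REGISTRATION_CHAIN) if step in names]
        if reached and reached[-1] < len(REGISTRATION_CHAIN) - 1:
            last_step = REGISTRATION_CHAIN[reached[-1]]
            last_ts = max(t for t, n in evs if n == last_step)
            if now - last_ts > timedelta(minutes=stall_minutes):
                findings.append((user, "stalled_after", last_step))
        revokes = [t for t, n in evs if n == "WORKSTATION_CERTIFICATE_REVOKED"]
        for i in range(len(revokes) - revoke_max):
            if revokes[i + revoke_max] - revokes[i] <= timedelta(minutes=revoke_window_minutes):
                findings.append((user, "revocation_burst", str(revoke_max + 1)))
                break
    return findings
```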