Single Registration: Workstation to Web

HYPR Passwordless

🚧

Beta Feature

This functionality is subject to change as the feature develops and we make improvements.

Single Registration will only function with newly registered accounts.

HYPR can be configured to require pairing in only one component of the HYPR system, rather than pairing separately in the Device Manager and in the HYPR Passwordless client. Once a user pairs in one, they are automatically prompted to complete the pairing in the other, and the resulting pairing then appears in every HYPR authentication roster for that RP Application user.

What the User Sees

The following is what a user experiences after receiving an invitation email:

  1. On the workstation, start the HYPR Passwordless client if it isn't already running.
  2. Click Start Pairing in the HYPR Passwordless client. If you already have a device paired, click Pair New Device instead. You are offered the choice of pairing a Smartphone or a Security Key.
  3. Select Smartphone; a QR code appears in the dialog.
  4. In the HYPR Mobile App, tap the pairing label to open the account screen.
  5. Grant camera access if prompted, then scan the QR code on the workstation screen with the HYPR Mobile App.

After you finish, the HYPR Passwordless client returns to its main screen. Once pairing completes, the HYPR Mobile App shows the pairing on your phone as both a Computer Account and a Web account.

Setting Up HYPR

Control Center Settings

  1. If you have not yet created the Workstation RP Application you will use, create it in Control Center Advanced Mode.

  2. To keep existing Workstation registrations usable, use the RP Application those registrations are already associated with.

  3. For an RP Application that starts with fresh registrations, we recommend creating a new RP Application.

    • Before proceeding, generate an API access token for that Application and a second one for the Control Center Admin Application, and store both securely.
    • Both access tokens need at least the Application Configuration permission.
  4. Configure Device Manager using cURL with the RP Application access token:

    curl \
    --location \
    --request PUT "https://<CC URL>/cc/api/appconfig/devicemanager" \
    --header "Authorization: Bearer <RP APP ACCESS TOKEN>" \
    --header "Content-Type: application/json" \
    --data-raw '{
      "baseURL": "https://<CC URL>",
      "rpAppId": "<RP APP ID>"
    }'
    

    Example

    curl \
    --location \
    --request PUT "https://hypr.highlandsbank.com/cc/api/appconfig/devicemanager" \
    --header "Authorization: Bearer hypap-aed9e093-20b0-49cd0-8388-e6bca0e1e1e80" \
    --header "Content-Type: application/json" \
    --data-raw '{
      "baseURL": "https://hypr.highlandsbank.com/",
      "rpAppId": "highlandsBankWS"
    }'
    
  5. In the Application's Login Settings, enable one or both of the following:

HYPR Feature Flags

Changing Feature Flags requires an access token for each affected Application.

The following feature flag must be enabled:

  • WEB_LOGIN_WITH_WFA_REGISTRATION

To enable the feature flag at the Application level:

curl \
--location --request POST 'https://<YOUR CONTROL CENTER URL>/rp/api/versioned/features/toggle/<FEATURE FLAG NAME>/<YOUR rpAppId>' \
--header 'Content-Type: application/json' \
--header 'Accept: */*' \
--header 'Authorization: Bearer <YOUR ACCESS TOKEN>' \
--data-raw ''

Example

```bash
curl \
--location --request POST 'https://hypr.highlandsbank.com/rp/api/versioned/features/toggle/WEB_LOGIN_WITH_WFA_REGISTRATION/highlandsBankWS' \
--header 'Content-Type: application/json' \
--header 'Accept: */*' \
--header 'Authorization: Bearer hypap-aed9e093-20b0-49cd0-8388-e6bca0e1e1e80' \
--data-raw ''
```

Download the Desktop Client

Follow the instructions for downloading the Desktop Client to obtain the hypr.json file that is configured for Single Registration.

For more information on the parameters used in hypr.json and how to use them, see HYPR Passwordless Installation: Installing Manually.

Setting Up AD

Export the Certificate from Active Directory (AD) Certificate Services (CS)

👍

Additional Information

When configuring a certificate template for use with Single Registration: Workstation-to-Web, the E-mail name option must also be selected in the template, or the feature will not function. See Creating a Custom Certificate Template for the full process.

  1. Log in to AD CS and export the Certificate Authority (CA) certificate you wish to use as Base-64 encoded X.509 (DER, base64-encoded). The value sent in the next step is the base64 body only, without the BEGIN/END CERTIFICATE lines or line breaks.

  2. Add a domain root certificate to HYPR using cURL with the Control Center Admin access token:

    curl \
    --location \
    --request POST "https://<CC URL>/rp/api/domaincertificate" \
    --header "Authorization: Bearer <CC ADMIN ACCESS TOKEN>" \
    --header "Content-Type: application/json" \
    --data-raw '{
      "domainCertificate": "<DOMAIN CA CERTIFICATE>"
    }'
    

    Example

    curl \
    --location \
    --request POST "https://hypr.highlandsbank.com/rp/api/domaincertificate" \
    --header "Authorization: Bearer hypap-edba607b-b400-4c57-9d3d-839a6e07a6f1" \
    --header "Content-Type: application/json" \
    --data-raw '{
      "domainCertificate": "MIIDczCCAlugAwIBAgIQS0n13f/8s5Np+dFMzF++0TANBgkqhkiG9w0BAQsFADBM..."
    }'
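
The three calls on this page (the Device Manager configuration under Control Center Settings, the WEB_LOGIN_WITH_WFA_REGISTRATION toggle under HYPR Feature Flags, and the domain CA upload above) are normally run together when onboarding an RP Application. The following shell script is added here as an example; it is not part of HYPR's documentation or tooling. It chains the calls with request bodies built by small functions so the payloads can be inspected before anything is sent, and it turns a Base-64 .cer export into the single-line value the domaincertificate endpoint takes. The environment variable names (CC_URL, RP_APP_ID, RP_APP_TOKEN, CC_ADMIN_TOKEN, CA_CERT_FILE), the HYPR_APPLY guard and the helper function names are this example's own assumptions; the endpoints, methods and which token each call uses are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not HYPR's own tooling: runs the three Control Center calls from this page
# (Device Manager config, WEB_LOGIN_WITH_WFA_REGISTRATION toggle, domain CA upload) in order.
# Assumed inputs (environment variable names chosen here, not HYPR's):
#   CC_URL          Control Center base URL, e.g. https://hypr.highlandsbank.com
#   RP_APP_ID       the Workstation RP Application id, e.g. highlandsBankWS
#   RP_APP_TOKEN    access token for that RP Application
#   CC_ADMIN_TOKEN  access token for the Control Center Admin Application
#   CA_CERT_FILE    CA certificate exported from AD CS as Base-64 encoded X.509 (.cer)
set -eu

# Require https and strip a trailing slash so the API paths below concatenate cleanly
# (the page's own examples use the base URL both with and without the slash).
normalize_url() {
  case "$1" in
    https://*) printf '%s' "${1%/}" ;;
    *) echo "CC URL must start with https:// (got: $1)" >&2; return 1 ;;
  esac
}

# JSON body for PUT /cc/api/appconfig/devicemanager
devicemanager_body() {
  base=$(normalize_url "$1") || return 1
  printf '{"baseURL":"%s","rpAppId":"%s"}' "$base" "$2"
}

# Reduce a Base-64 .cer export (PEM framing, possibly CRLF line endings) to the single-line
# base64 string the domaincertificate endpoint takes: drop the BEGIN/END lines and all breaks.
cert_body() {
  grep -v -e '-----' "$1" | tr -d '\r\n'
}

# JSON body for POST /rp/api/domaincertificate
domaincertificate_body() {
  printf '{"domainCertificate":"%s"}' "$(cert_body "$1")"
}

# Send one request. --fail turns a 4xx/5xx into a non-zero exit so `set -e` stops the
# sequence; redirects are deliberately not followed (curl -L replays a POST/PUT as a GET
# after a 301/302/303) and --verbose is never used, so the bearer token stays out of logs.
hypr_call() {  # method url token body
  curl --silent --show-error --fail --max-time 30 \
    --request "$1" "$2" \
    --header "Authorization: Bearer $3" \
    --header "Content-Type: application/json" \
    --data-raw "$4"
}

main() {
  cc=$(normalize_url "$CC_URL")
  hypr_call PUT "$cc/cc/api/appconfig/devicemanager" "$RP_APP_TOKEN" \
    "$(devicemanager_body "$cc" "$RP_APP_ID")"
  hypr_call POST "$cc/rp/api/versioned/features/toggle/WEB_LOGIN_WITH_WFA_REGISTRATION/$RP_APP_ID" \
    "$RP_APP_TOKEN" ""
  hypr_call POST "$cc/rp/api/domaincertificate" "$CC_ADMIN_TOKEN" \
    "$(domaincertificate_body "$CA_CERT_FILE")"
}

# Nothing is sent unless HYPR_APPLY=1; without it the script only defines the functions,
# so the bodies can be reviewed first (e.g. devicemanager_body "$CC_URL" "$RP_APP_ID").
if [ "${HYPR_APPLY:-0}" = "1" ]; then
  main
fi
```

Run it with HYPR_APPLY=1 to send the requests; without that variable, source the file and call devicemanager_body or domaincertificate_body to review the JSON first. The wrapper leaves out --location on purpose: curl follows a 301, 302 or 303 by switching the method to GET, so a misconfigured base URL would quietly turn the PUT into a read instead of failing, and --fail makes a rejected token or a wrong rpAppId stop the sequence before the later calls run.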
    

Configure AD Users

Before a user can start the web registration flow, their AD user account must be configured as follows:

  1. On the domain controller (or any machine with the AD management tools installed), click Start.
  2. Open Active Directory Users and Computers.
  3. In the top menu, click View -> Advanced Features.
  4. Select the user you will invite to register.
  5. On the General tab, enter the user's email address in the E-mail field.
  6. Open the Attribute Editor tab.
  7. Scroll down to the mail attribute and confirm it contains the user's email address (the E-mail field on the General tab writes this attribute); enter it here if it is empty.