Appkey Biometric Registration

Early Access

Appkeys can be integrated in TrustX using a biometric-bound, solution where the registration is tied to the User's biometric such as face or fingerprint.

This document will describe how to configure a Process Definition and flow that will integrate Appkeys using a biometric-bound registration solution.

Integrating Trust and FIDO SDKs

To successfully capture biometrics (face and fingerprint) for Appkey registration and authentication, integration with the Trust and FIDO SDKs is required.

See the integration guides below for further steps before continuing to create a biometric registration flow.

1. Trust SDK Integration

2. FIDO SDK Integration

Integrating the FIDO SDK with TrustX

Configuring the TrustX Appkey Web SDK

The Daon Appkey Javascript library provides secure biometric registration and authentication capabilities for web and mobile environments. It offers a simple JavaScript API for implementing user registration and authentication workflows that can be integrated with TrustX API.

The Appkey Web SDK can be installed using NPM:

JSON
    
 
// package.json"dependencies": {    ...    "@daon/trustx-appkey": "file:./path/to/DaonAppkey-{version}.tgz"}
Copy

For Android applications, if you are using Typescript, it is also required to add the following:

Typescript
    
 
// index.d.tsdeclare module '@daon/trustx-appkey';
Copy

Usage Example:

Typescript
    
​x
 
import { registration, authentication } from '@daon/trustx-appkey';​// Registrationconst payload = await registration({ appkeyRegClientRequest, language, translations });​// Authenticationconst payload = await authentication({ appkeyAuthClientRequest, language, translations, transactionCallback });
Copy

A full explanation of the SDK can be found in the TrustX Appkey Web SDK guide.

See the Appkey Web SDK API Reference guide for a full API reference.

Configuring the Registration Policy

Before creating a Process Definition, it is important to define the Appkey Registration Policy. This is where the type of key to register can be defined:

Device - The Appkey will be device bound.
Biometric - The Appkey will be bound to a biometric of the end-user.
Device and Biometric - The Appkey will be both device and biometric bound.

To create a new Appkey Policy, follow the steps outlined below.

Navigate to Identity Stores > Policies in the Backoffice application.
Select an Identity Store from which the Appkey Policy will be applied.
Click the 'New Appkey Configuration' button to create a new Appkey policy.

The example in this document will use a Biometric bound policy:

For information on the various configuration options available, see the Managing Policies guide.

Registering via Process Definition

The example Process Definition in this guide will utilize a Custom Data Form to handle the registration of an app key. This process can also be completed using a Custom Page.

Step 1 - Create a Process Definition

Create a new Process Definition by navigating to Process Definitions > New Process Definition in the Backoffice application.
Add a 'Create Start Event' to the Process Designer.

Click the 'Start' event to open the right-side contextual menu and enter a name for the 'Name' input parameter.
Add a 'Create End Event' to the Process Designer and connect it to the 'Start' event using a sequence flow arrow.

Click the 'End' event to open the right-side contextual menu and enter a name for the 'Name' input parameter.

Step 2 - Detect User Agent Capabilities

To determine whether Appkeys is supported for the current device, the 'Detect User Agent Capabilities' activity can be used. This activity will retrieve information about the device currently used by the end-user.

Add the 'Detect User Agent Capabilities' activity to the Process Designer and connect it to the 'Start' event using the 'Global connect tool'.
Connect the 'Timer Boundary Event' to the 'End' event.

Step 3 - Create User External ID Form

To request an External ID from the end-user, a Custom Data Form can be used. This section will describe how to set up a Custom Data Form that accepts user input and pass it to a Cloud Function for processing.

To create a Custom Data Form, navigate to the Integration Hub > Custom Forms section of the Backoffice application.
Click the 'New Custom Form' button located at the top-right of the Custom Forms landing page.
An example JSON form can be found below. This form will request a string as input that requires an identifier to be entered.

JSON
    
 
{    "title": {        "values": {            "en": "Enter your identifier"        },        "isValid": true,        "type": "title"    },    "components": [        {            "type": "text",            "isValid": true,            "readOnly": false,            "id": "userExtId",            "label": {                "values": {                    "en": "Identifier"                }            },            "default": "",            "transient": false,            "validate": {                "required": true,                "minLength": "",                "maxLength": "",                "missingMessage": {                    "values": {                        "en": ""                    }                },                "invalidMessage": {                    "values": {                        "en": ""                    }                },                "invalidLengthMessage": {                    "values": {                        "en": ""                    }                }            },            "index": 0        }    ]}
Copy

In the Process Designer, add a 'Custom Data Form v3' activity and connect it to the 'Detect User Agent Capabilities'.

Step 4 - Process Custom Form with a Cloud Function

Create a new Cloud Function but navigating to the Cloud Functions page in the Backoffice application.
Click the 'New Cloud Function' button on the Cloud Functions landing page to create a new Cloud Function.

Python
    
import jsonfrom cfresults import Outcome, Result, OverallResult, OverallResultEncoder​overallResult = OverallResult(Outcome.APPROVE, {})cfResults = json.loads(OverallResultEncoder().encode(overallResult))results["cfResults"] = cfResults​userExtIdCdfMap = params["vars"].get("_customFormData", {}).get("UserExtIdCdf", {}).get("currentCapture", {}).get("customDataFormDataMap", {})userEnteredExtId = userExtIdCdfMap.get("userExtId")​​pvars = {    "userEnteredExtId": userEnteredExtId}results["executionVariables"] = pvars
Copy

From the Process Definition, add an 'Execute Cloud Function v2' activity and connect it to the 'Custom Data Form v4' activity.

Step 5 - Add a User (Optional)

This step is only required if the User has not been added to the Identity Store. See Managing Users for more information on adding a User.

The 'Add User' activity is used to add a new User to an Identity Store. Find the activity and connect it to the 'Execute Cloud Function v2' activity.
The 'Add User' activity includes two error events. In this example, the error events have been connected to the 'End' event.
1. Failed to add the user - This event is triggered when an error occurs adding the User to the Identity Store.
2. ExtId Not Unique - This event occurs if the External ID provided is not unique.
Click the 'Add User' activity to open the right-side contextual menu. Using the available input parameters, information about the User can be defined, including the External ID and which Identity Store the user will be added to.

When creating a User, the following input parameters are available:

Input Parameter	Type	Description
Store Name*	String	Required - Represents the Identity Store that the User will be added to.
User Attributes	<String, String>	A key-value pair of additional optional attributes used to describe the User.
User Date of Birth	Date	The User's date of birth in the format: "yyyy-mm-dd"
User Email	String	The User's email address in the format: "example@domain.com"
User External ID	String	A unique User ID. If no ID is required, an external ID will be generated automatically by TrustX.
User First Name	String	The first name of the User.
User Key	String	Required - A key used to identify the User.
User Last Name	String	The last name of the User.
User Locale - Country	String	The User country.
User Locale - Language	String	A two-letter ISO-639 formatted language tag.
User Locale - Variant	String	A variant subtag of the User country. 5-8 letters or 4 characters starting with a digit, separated by hyphens.
User Nationalities	String	The nationality of the User.
User Status	String	The User status indicates whether the User is in a pending, active, locked or disabled state.
User Timezone	String	The timezone of the User Country. This value must be in line with TZDB code format. Example: EST.
User Type	String	An optional parameter used for organizing Users into different types. A maximum of 64 characters is allowed.

Step 6 - Start Appkey Registration

The 'Start Appkey Registration' activity will begin the Appkey registration process.

Add the 'Start Appkey Registration' activity to the Process Designer and connect it to the 'Add User' activity using the 'Global connect tool'.

The 'Start Appkey Registration' activity contains 11 input parameters defined accordingly:

Input Parameter	Type	Description
Appkey Registration Key	String	Required - The unique ID associated with the appkey registration activity.
Appkey User Name	String	An informal display name associated with the User.
Challenge	String	The signed challenge is represented by a public key registered to the User. This value is auto-generated.
Create User	Boolean	If enabled, a new User will be created as part of the passkey registration. Default behavior is disabled.
Registration Policy	String	Required - The name of the registration policy.
Relying Party ID	String	Required - The ID of the relying party whose appkey registration configuration will be used.
Server Data	String	This field can contain optional session data that a relying party can associate with the request.
Store Name	String	Required - The name of the Identity Store.
User External ID	String	Required - If the 'Create User' property is enabled, this property must be configured as a unique ID for the newly created User. Optional - If the 'Create User' property is disabled, this property can be used to identify the User that the appkey registration applies to.
User ID	String	The unique ID automatically generated when the User is created. In the context of the 'Start Appkey Registration' activity, this ID can be used to identify the User that the appkey registration applies to.
User Key	String	The User Key that can be used to identify the User that the appkey registration applies to.

Step 7 - Prepare the Custom Page

Create a new Custom Page under the Integration Hub > Custom Pages section of the Backoffice.
Click the 'New Custom Page'
Below is an example Custom Page.

index.html
app.js
style.css
    
 
<!DOCTYPE html><html lang="en"><head>  <meta charset="UTF-8">  <title>Appkey Demo</title>  <link rel="stylesheet" href="style.css" /></head><body>  <form id="registration">    <h1>Register with Appkey's</h1>  </form>​  <script type="module" src="app.js"></script>  <script src="DaonAppkey.v1.0.13.min.js"></script></body></html>
Copy

Once the Custom Page has been created, add a 'Custom Page V3' activity to the Process Definition and connect it to the 'Start Appkey Registration' activity.

Step 8 - Complete Appkey Registration

The 'Complete Appkey Registration' activity is used to finalize the appkey registration process.

Add the 'Complete Appkey Registration' activity after the 'Custom Page V3' activity and connect using a sequence flow arrow.

The 'Complete Appkey Registration' activity has the following configurable input parameters:

Input Parameter	Type	Description
Appkey Name	String	A user friendly name for key supplied in case one.is not supplied by the registered device.
Appkey Registration Browser Response	String	In order to complete the appkey registration, a response from the browser must be provided. This response is returned from the Custom Page and can be entered into the 'Appkey Registration Browser Response' using variable substitution. `${`_`customUis.{{customPageKey}}`_`.currentCapture.customPageParameters.appkey.value}`
Appkey Registration Key	String	The unique ID associated with the appkey registration attempt.
Fail Check On Cancel	Boolean	If enabled, checks will fail if the end-user cancels out of the process. Default behavior is disabled.
List of Screens	List [String]	A list of screens to display to the end-user.
Starting Component ID	String	The ID of the starting component.
UI Component ID	String	The ID of the UI component.

Test Appkey Registration

Test Authentication Flow

This section will demonstrate a simple appkey biometric registration and how to view the results of the Process Instance and device information captured during the Process Instance.

To begin testing, create a new Process Token by following the steps below.

From the Backoffice application, navigate to Process Definitions > Process Tokens.
Click the 'New Process Token' button on the Process Tokens landing page.
Choose the Process Definition and version then click the 'Create Token' button
Access the URL or scan the QR code to begin the flow.
When reaching the TrustWeb flow, the Custom Page requesting an identifier will appear. Enter a unique ID and click the 'Continue' button to complete the process.

View Results

To view the results of the completed Process Instance, navigate to the Process Instances page in the Backoffice application.

Navigate to the Process Instances page and search for the Process Instance completed as part of the Appkey authentication.
From the individual Process Instance page, details about the Appkey authentication can be found listed under the 'Checks' section as 'appkeyRegistration'.

The Client Response retrieved from the Custom Page can be viewed under the 'Custom Pages' section.

Last updated on