Managing Policies

Early Access

A policy defines the method and rules for registration and authentication, which is used to verify the identity of a person. This page will cover the various configuration options available in the Backoffice and TrustX API.

Creating a Policy

To create a new policy from the Backoffice application,

Navigate to Identity Store > Policies.

From the Policies landing page, click the 'New Policy Configuration' button.

The 'New Policy Configuration' popup modal will appear where an Appkey, Passkey or TOTP policy can be created.

Appkey Configuration

This section will describe the steps required for configuring a new Appkey policy using the Backoffice application.

Each Appkey policy must include the following information:

Configuration Name - The name of the Appkey policy
Relying Party ID - The relying party ID.

In relation to Appkeys, a user agent represents the application or service used to initiate the authentication request. The user agent is identified by the facet ID.

The Trusted Facets contain a list of all authorized facet IDs that the relying party should trust. This ensures that only trusted applications are able to initiate an authentication request.

A facet ID is represented as a String. The format depends on the type of user agent:

Android - The facet ID is derived from a Base64-encoded SHA-1 or SHA-256 hash of the APK signing certificate.
iOS - The facet ID is represented as a URI that is formed using the app's bundle ID.
Web - The facet ID is represented by the origin of the web page that triggered the request. For example, https://daon.com

Registration Policies

This section enables the configuration of new registration policies. Multiple configurations can be made by clicking the 'Add New Registration Policy' button.

Parameter	Type	Description
Registration Policy Name	String	The name of the registration policy.
Key Types to Register	String	Determines what type of registration will be used. Device - The Appkey will be device bound. Biometric - The Appkey will be bound to a biometric of the end-user. Device and Biometric - The Appkey will be both device and biometric bound.
Allow External Challenge	Boolean	Determines whether the registration challenge is performed externally or by TrustX. If enabled, the registration challenge is performed externally.
Manage Session Externally	Boolean	If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX.
Session Duration	Integer	Determines how long the session will be alive, defined in minutes.
Store and Audit Record of the Registration	Boolean	If enabled, an audit record will be stored of the registration.

Authentication Policies

This section enables the configuration of new authentication policies. Multiple configurations can be made by clicking the 'Add New Authentication Policy' button.

Parameter	Type	Description
Registration Policy Name	String	The name of the authentication policy.
Authentication Key Type	String	Determines what type of authentication will be used. Device - The Appkey will be device bound. Biometric - The Appkey will be bound to a biometric of the end-user. Device and Biometric - The Appkey will be both device and biometric bound.
Allow External Challenge	Boolean	Determines whether the authentication challenge is performed externally or by TrustX. If enabled, the authentication challenge is performed externally.
Manage Session Externally	Boolean	If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX.
Session Duration	Integer	Determines how long the session will be alive, defined in minutes.
Store and Audit Record of the Authentication	Boolean	If enabled, an audit record will be stored of the authentication.

Passkey Configuration

This section will describe the steps required for configuring a new Passkey policy using the Backoffice application.

Each Passkey policy must include the following information:

Configuration Name - The name of the Passkey policy.
Relying Party ID - The relying party ID.

Restricted Origins

The Restricted Origins section defines a list of acceptable origins. If supplied, passkey authentications will be restricted to the URLs defined in this section. If not supplied, passkey authentications are restricted to the relying party ID domain.

Registration Policies

This section enables the configuration of new registration policies. Multiple configurations can be made by clicking the 'Add New Registration Policy' button.

Parameter	Type	Description
Registration Policy Name	String	The name of the registration policy.
Key Types to Register	String	Determines what type of registration will be used. Currently only 'Platform' is supported, meaning the registration is embedded in the User's device and comprising of biometric and hardware chips for protecting Passkeys.
Allow External Challenge	Boolean	Determines whether the registration challenge is performed externally or by TrustX. If enabled, the registration challenge is performed externally.
Manage Session Externally	Boolean	If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX.
Session Duration	Integer	Determines how long the session will be alive, defined in minutes.
Store an Audit Record of the Registration	Boolean	If enabled, an audit record will be stored of the registration.

Authentication Policies

Parameter	Type	Description
Authentication Policy Name	String	The name of the authentication policy name
Authenticate Key Type	String	Determines what type of authenticator will be used. Currently only 'Platform' is supported, meaning the authenticator is embedded in the User's device and comprising of biometric and hardware chips for protecting Passkeys.
Store an Audit Record of the Registration	Boolean	If enabled, an audit record will be stored of the registration.
Allow External Challenge	Boolean	Determines whether the authentication challenge is performed externally or by TrustX. If enabled, the authentication challenge is performed externally.
Manage Session Externally	Boolean	If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX.
Session Duration	Integer	Determines how long the session will be alive, defined in minutes.

TOTP Configuration

This section will describe the steps required for configuring a new TOTP policy using the Backoffice application.

Parameter	Type	Description
Issuer	String	The name of the issuer of the authentication code, this name will appear in the authenticator app to identify the authenticator when the QR-code is scanned.
Digits	Integer	The length of the generated password in digits.
Period	Integer	The period in seconds that the generated password will be valid before a new password is generated.
Languages	List [String]	The list of supported algorithms that can be used to complete TOTP registration and authentication.
Registration Validity Duration	DateTime	Determines how long a pending registration attempt will be valid before expiring. This field is defined in the format D H M. For example: 2D 5H 30M
Audit Level	String	Whether TOTP authentications are audited. NONE: never FAILED_ONLY: only failed authentications ALL: all authentications
Audit Duration	Integer	Number of days that audit data will be retained.

Push Notification Configuration

This section will describe the various configuration options available when defining a push notification policy.

Configuration Option	Description
Push Notification Policy Name	Mandatory. The name given to the push notification policy.
Description	Optional. An optional description for the push notification policy.
Relying Party ID	Mandatory. The Appkey relying party. Push notifications are only supported for device applications configured for Appkeys.
APNs Configuration
Application Bundle ID	The Bundle ID that uniquely identifies your App, for example com.daon.trustx. To avoid conflicts, Apple encourages developers to use reverse domain name notation for choosing an application's bundle identifier. Must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.)
Team ID	The issuer key, the value for which is the 10-Character Team ID you use for developing your company apps. Obtain this value from your developer.apple.com account.
Use Sandbox	Optional. Enable APN sandbox environment.
Sound Enabled	Optional. Whether to enable ping sound when notification is sent.
FCM Configuration
FCM URL	The FCM URL - available from https://fcm.googleapis.com/v1/projects/my_project_id/messages:send

APN Configuration

To configure iOS push notifications, you’ll need four pieces of information from your Apple Developer account.

Application Bundle ID
1. Go to https://developer.apple.com/account/resources/identifiers/list.
2. Under Identifiers, find your app.
3. Copy the Bundle ID (e.g., com.yourcompany.yourapp).
Team ID
1. Log in to https://developer.apple.com/account/.
2. Click [Account Name] → Membership Details. in the top-right corner.
3. Copy the Team ID listed there.
Key ID
1. In your Apple Developer account, navigate to Certificates, Identifiers & Profiles → Keys
2. Create a new key (or select an existing one) and enable Apple Push Notifications service (APNs).
3. After creating the key, copy the Key ID.
Token Signing Key
1. When you create the key, download the .p8 file immediately (Apple only allows one download).
2. Open the .p8 file in a text editor.
3. Copy the entire content (including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----) and paste it into the Token Signing Key field.

You must have an Apple Developer Program membership.
Keep your .p8 file secure—Apple does not allow re-downloading.
If you lose the file, you will need to create a new key.

FCM Configuration

To configure Android push notifications, you’ll need two pieces of information from your Firebase project.

FCM URL
1. Go to https://console.firebase.google.com/.
2. Select your project.
3. Navigate to Project Settings → Cloud Messaging.
4. Copy the FCM endpoint URL (usually https://fcm.googleapis.com/fcm/send).
5. Paste it into the FCM URL field.
Google Application Credentials
1. In the same Cloud Messaging section, click Manage Service Accounts or go to https://console.cloud.google.com/.
2. Create a Service Account for your Firebase project if one does not exist.
3. Generate a JSON key for the service account.
4. Open the downloaded .json file in a text editor.
5. Copy the entire JSON content and paste it into the Google Application Credentials field.

You must have a Firebase project linked to your Android app.
Keep your service account JSON secure—do not share it publicly.
If compromised, revoke the key and generate a new one.

Last updated on