A policy defines the method and rules for registration and authentication, the processes used to verify a person's identity. This page covers the configuration options available in the Backoffice and the TrustX API.
Creating a Policy
To create a new policy from the Backoffice application,
- Navigate to Identity Store > Policies.

- From the Policies landing page, click the 'New Policy Configuration' button.

- The 'New Policy Configuration' popup modal will appear where an Appkey, Passkey or TOTP policy can be created.

Appkey Configuration
This section will describe the steps required for configuring a new Appkey policy using the Backoffice application.

Each Appkey policy must include the following information:
- Configuration Name - The name of the Appkey policy.
- Relying Party ID - The identifier of the relying party, that is, the service on whose behalf Appkeys are registered and verified.
Trusted Facets
In relation to Appkeys, a user agent is the application or service that initiates the registration or authentication request. Each user agent is identified by a facet ID.
The Trusted Facets list contains every facet ID that the relying party should trust. Only requests originating from a facet on this list are accepted, so untrusted applications cannot initiate a registration or authentication. List only the applications that genuinely need to initiate requests.
A facet ID is represented as a String. The format depends on the type of user agent:
- Android - The facet ID is derived from a Base64-encoded SHA-1 or SHA-256 hash of the APK signing certificate.
- iOS - The facet ID is represented as a URI that is formed using the app's bundle ID.
- Web - The facet ID is the origin (scheme, host and port) of the web page that triggered the request, for example https://daon.com. The path, query and fragment of the page URL are not part of the origin.
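The following is an added example (not Daon's or TrustX's own code) showing how a relying party would derive an Android facet ID from an APK signing certificate as the page describes, reduce a web page URL to its origin, and check a presented facet ID against a Trusted Facets list. The certificate bytes are a constructed sample; the page gives no string wrapper around the Android hash, so the bare Base64 digest is used and any prefix TrustX may expect is an assumption not made here.

```python
import base64
import hashlib
import hmac
from typing import Iterable
from urllib.parse import urlsplit

# Constructed stand-in for an APK signing certificate in DER form. In practice the
# bytes are the certificate taken from the APK's signature block; this sample exists
# only so the example runs offline.
SAMPLE_APK_CERT_DER = bytes(range(256)) * 4


def android_facet_id(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Base64 of the SHA-1 or SHA-256 hash of the APK signing certificate.

    The page says only that the facet ID is derived from this hash; the bare
    Base64 digest is returned here (assumption: no additional prefix).
    """
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("Android facet IDs use SHA-1 or SHA-256")
    digest = hashlib.new(algorithm, cert_der).digest()
    return base64.b64encode(digest).decode("ascii")


def web_facet_id(origin_or_url: str) -> str:
    """Reduce a URL to its origin: lower-cased scheme and host, default port dropped.

    Paths, queries and fragments never form part of a facet ID, so a page URL
    such as https://daon.com/login?next=x collapses to https://daon.com.
    """
    parts = urlsplit(origin_or_url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        raise ValueError(f"not a web origin: {origin_or_url!r}")
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def _is_web(facet_id: str) -> bool:
    return facet_id.lower().startswith(("https://", "http://"))


def is_trusted_facet(facet_id: str, trusted_facets: Iterable[str]) -> bool:
    """Decide whether a presented facet ID appears in the policy's Trusted Facets.

    Web facets are compared by canonical origin, so 'https://daon.com/' matches
    'https://daon.com' while 'https://daon.com.evil.example' and 'http://daon.com'
    do not. App facet IDs (Android hashes, iOS bundle URIs) are compared
    byte-for-byte in constant time; no prefix or wildcard matching is done.
    """
    for trusted in trusted_facets:
        if _is_web(trusted) and _is_web(facet_id):
            try:
                if web_facet_id(trusted) == web_facet_id(facet_id):
                    return True
            except ValueError:
                continue
        elif hmac.compare_digest(trusted.encode("utf-8"), facet_id.encode("utf-8")):
            return True
    return False
```

The origin canonicalization is what stops the common mistakes: a trailing slash or explicit `:443` is harmless, but a different scheme, a non-default port or a look-alike host that merely starts with the trusted domain is a different facet and must be rejected.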

Registration Policies
This section enables the configuration of new registration policies. Multiple configurations can be made by clicking the 'Add New Registration Policy' button.

| Parameter | Type | Description |
|---|---|---|
| Registration Policy Name | String | The name of the registration policy. |
| Key Types to Register | String | Determines what type of key will be registered. |
| Allow External Challenge | Boolean | Determines whether the registration challenge is generated outside TrustX or by TrustX itself. If enabled, the registration challenge is supplied externally. |
| Manage Session Externally | Boolean | If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX. |
| Session Duration | Integer | Determines how long the session will be alive, defined in minutes. |
| Store an Audit Record of the Registration | Boolean | If enabled, an audit record of the registration is stored. |
Authentication Policies
This section enables the configuration of new authentication policies. Multiple configurations can be made by clicking the 'Add New Authentication Policy' button.

| Parameter | Type | Description |
|---|---|---|
| Authentication Policy Name | String | The name of the authentication policy. |
| Authentication Key Type | String | Determines what type of key will be used for authentication. |
| Allow External Challenge | Boolean | Determines whether the authentication challenge is generated outside TrustX or by TrustX itself. If enabled, the authentication challenge is supplied externally. |
| Manage Session Externally | Boolean | If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX. |
| Session Duration | Integer | Determines how long the session will be alive, defined in minutes. |
| Store an Audit Record of the Authentication | Boolean | If enabled, an audit record of the authentication is stored. |
Passkey Configuration
This section will describe the steps required for configuring a new Passkey policy using the Backoffice application.

Each Passkey policy must include the following information:
- Configuration Name - The name of the Passkey policy.
- Relying Party ID - The identifier of the relying party; for passkeys this is the domain to which the credentials are scoped.
Restricted Origins
The Restricted Origins section defines a list of acceptable origins (scheme, host and optional port, for example https://login.daon.com). If supplied, passkey authentications are accepted only from the origins listed here. If not supplied, passkey authentications are restricted to the relying party ID domain. Keep the list to the origins that actually host the passkey login, since any origin on it can complete an authentication.

Registration Policies
This section enables the configuration of new registration policies. Multiple configurations can be made by clicking the 'Add New Registration Policy' button.

| Parameter | Type | Description |
|---|---|---|
| Registration Policy Name | String | The name of the registration policy. |
| Key Types to Register | String | Determines what type of authenticator will be registered. Currently only 'Platform' is supported, meaning an authenticator built into the user's device, which uses the device's biometric sensor and hardware security chip to protect the passkey. |
| Allow External Challenge | Boolean | Determines whether the registration challenge is generated outside TrustX or by TrustX itself. If enabled, the registration challenge is supplied externally. |
| Manage Session Externally | Boolean | If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX. |
| Session Duration | Integer | Determines how long the session will be alive, defined in minutes. |
| Store an Audit Record of the Registration | Boolean | If enabled, an audit record will be stored of the registration. |
Authentication Policies

| Parameter | Type | Description |
|---|---|---|
| Authentication Policy Name | String | The name of the authentication policy. |
| Authentication Key Type | String | Determines what type of authenticator will be used. Currently only 'Platform' is supported, meaning an authenticator built into the user's device, which uses the device's biometric sensor and hardware security chip to protect the passkey. |
| Store an Audit Record of the Authentication | Boolean | If enabled, an audit record of the authentication is stored. |
| Allow External Challenge | Boolean | Determines whether the authentication challenge is generated outside TrustX or by TrustX itself. If enabled, the authentication challenge is supplied externally. |
| Manage Session Externally | Boolean | If enabled, the session duration will be managed externally. If disabled, the session duration will be managed and set within TrustX. |
| Session Duration | Integer | Determines how long the session will be alive, defined in minutes. |
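The Restricted Origins rule above and the challenge and session settings in the policy tables (Allow External Challenge, Session Duration; the same settings appear in the Appkey policies earlier on this page) come together when the relying party checks the clientDataJSON returned by a passkey ceremony. The following is an added example, not Daon's or TrustX's code, of that server-side check: a challenge store whose lifetime is the policy's Session Duration, acceptance of an externally supplied challenge, one-time use of each challenge, and the origin rule with the relying-party-ID fallback. The clientDataJSON below is constructed inline to stand in for what a browser would produce; the minimum challenge length is the WebAuthn requirement of 16 bytes.

```python
import base64
import json
import secrets
from typing import Iterable, Optional, Tuple


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class ChallengeStore:
    """Pending challenges keyed by their base64url form, each with an expiry.

    The lifetime comes from the policy's Session Duration (minutes). A challenge
    is removed the first time it is presented, so a replayed clientDataJSON fails.
    """

    MIN_CHALLENGE_BYTES = 16  # WebAuthn requires at least 16 bytes of randomness

    def __init__(self, session_duration_minutes: int):
        self.ttl_seconds = session_duration_minutes * 60
        self._pending = {}  # challenge (base64url) -> expiry, unix seconds

    def issue(self, now: float, external_challenge: Optional[bytes] = None) -> str:
        # 'Allow External Challenge' enabled: accept the caller's challenge, but it
        # still has to meet the minimum length. Otherwise generate one here.
        challenge = external_challenge if external_challenge is not None else secrets.token_bytes(32)
        if len(challenge) < self.MIN_CHALLENGE_BYTES:
            raise ValueError("challenge must be at least 16 bytes")
        key = b64url_encode(challenge)
        self._pending[key] = now + self.ttl_seconds
        return key

    def consume(self, key: str, now: float) -> bool:
        expiry = self._pending.pop(key, None)
        return expiry is not None and now <= expiry


def origin_allowed(origin: str, rp_id: str, restricted_origins: Optional[Iterable[str]]) -> bool:
    """Apply the Restricted Origins rule from the Passkey policy.

    Browsers serialize the origin in clientDataJSON as scheme://host[:port], so
    exact string comparison is used against the configured list. With no
    Restricted Origins, the origin must be https and its host must be the
    Relying Party ID or a subdomain of it; the '.' boundary check rejects a
    look-alike such as daon.com.evil.example.
    """
    restricted = list(restricted_origins or [])
    if restricted:
        return origin in restricted
    if not origin.startswith("https://"):
        return False
    host = origin[len("https://"):].split(":", 1)[0].lower()
    rp = rp_id.lower()
    return host == rp or host.endswith("." + rp)


def verify_client_data(client_data_json: bytes, expected_type: str, store: ChallengeStore,
                       rp_id: str, restricted_origins: Optional[Iterable[str]],
                       now: float) -> Tuple[bool, str]:
    """Check ceremony type, challenge (known, unexpired, unused) and origin."""
    try:
        data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != expected_type:
        return False, "unexpected ceremony type"
    if not store.consume(str(data.get("challenge", "")), now):
        return False, "unknown, expired or replayed challenge"
    if not origin_allowed(str(data.get("origin", "")), rp_id, restricted_origins):
        return False, "origin not permitted by policy"
    return True, "ok"


def make_client_data(ceremony_type: str, challenge: str, origin: str) -> bytes:
    """Constructed clientDataJSON standing in for what a browser would produce."""
    return json.dumps({"type": ceremony_type, "challenge": challenge, "origin": origin}).encode("utf-8")
```

The order matters: the challenge is consumed before the origin is checked, so a request that fails the origin test still burns its challenge and cannot be retried from a different origin. The same store serves registration (`webauthn.create`) and authentication (`webauthn.get`); what differs between the two policies is only the Session Duration passed to the constructor.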
TOTP Configuration
This section will describe the steps required for configuring a new TOTP policy using the Backoffice application.

| Parameter | Type | Description |
|---|---|---|
| Issuer | String | The name of the issuer of the authentication code. This name appears in the authenticator app to identify the account once the QR code is scanned. |
| Digits | Integer | The length of the generated password in digits. |
| Period | Integer | The period in seconds for which a generated password is valid before a new one is generated. |
| Algorithms | List [String] | The list of supported hash algorithms that can be used to complete TOTP registration and authentication. RFC 6238 defines HMAC-SHA1, HMAC-SHA256 and HMAC-SHA512. |
| Registration Validity Duration | Duration | Determines how long a pending registration attempt remains valid before expiring. This field is defined in the format D H M, for example 2D 5H 30M. |
| Audit Level | String | Whether TOTP authentications are audited. |
| Audit Duration | Integer | Number of days that audit data is retained. |
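The following is an added example, not Daon's or TrustX's code, showing how the Issuer, Digits, Period and Algorithms parameters map onto RFC 6238 TOTP: generating the code, verifying it with a small drift window and a constant-time comparison, building the otpauth URI that the QR code carries, and enforcing the Registration Validity Duration by parsing its D H M form. The secrets in the test are the RFC 6238 reference vectors; the issuer and account names are made up for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Algorithm names as they appear in otpauth URIs, mapped to hash constructors.
TOTP_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HMAC over the big-endian time-step counter, dynamically truncated."""
    if algorithm not in TOTP_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if not 6 <= digits <= 8 or period <= 0:
        raise ValueError("digits must be 6..8 and period positive")
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), TOTP_ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6, period: int = 30,
                algorithm: str = "SHA1", window: int = 1) -> bool:
    """Accept the current step and up to `window` steps either side for clock drift."""
    if len(code) != digits or not code.isdigit():
        return False
    for step in range(-window, window + 1):
        candidate = totp(secret, unix_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int, period: int, algorithm: str) -> str:
    """otpauth:// URI encoded into the registration QR code; Issuer is what the app displays."""
    label = quote(f"{issuer}:{account}", safe="")
    params = {
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": algorithm,
        "digits": digits,
        "period": period,
    }
    return f"otpauth://totp/{label}?{urlencode(params, quote_via=quote)}"


def parse_validity_duration(text: str) -> int:
    """Parse the 'D H M' form of Registration Validity Duration ('2D 5H 30M') into seconds."""
    units = {"D": 86400, "H": 3600, "M": 60}
    total, seen = 0, set()
    for token in text.split():
        unit, value = token[-1].upper(), token[:-1]
        if unit not in units or unit in seen or not value.isdigit():
            raise ValueError(f"bad duration token {token!r}")
        seen.add(unit)
        total += int(value) * units[unit]
    if total <= 0:
        raise ValueError("duration must be positive")
    return total


def registration_still_valid(created_at: int, now: int, validity: str) -> bool:
    """True while a pending TOTP registration is inside its validity window."""
    return 0 <= now - created_at <= parse_validity_duration(validity)
```

A verification window of one step either side is the usual compromise between tolerating phone clock drift and limiting the number of codes valid at once; a larger Period or window widens the guessing target, which is why the Digits, Period and window should be chosen together rather than independently.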