Passcode Renewal
Introduction
This document assumes that a User has been added to an Identity Store and that the User has registered a passcode. Please follow the guide first before continuing to the renewal process.
Renewing via Process Definition
Passcode renewal requires three TrustX tasks:
- Start Passcode Renewal activity
- Passcode Renewal form
- End Passcode Renewal activity
A more complex flow may contain custom forms that describe errors to the user and may transition to a Passcode Registration flow if a passcode doesn’t exist.
Step 1 - Create a Process Definition
- Create a new Process Definition by navigating to Process Definitions > New Process Definition in the Backoffice application.
- Add a 'Create Start Event' to the Process Designer.

- Click the 'Start' event to open the right-side contextual menu and enter a name for the 'Name' input parameter.
- Add a 'Create End Event' to the Process Designer and connect it to the 'Start' event using a sequence flow arrow.

- Click the 'End' event to open the right-side contextual menu and enter a name for the 'Name' input parameter.
Step 2 - Start the Renewal Process
The 'Start Passcode Renewal' activity is used to begin the renewal process.
- In the Process Designer, add the 'Start Passcode Renewal' activity after the 'start' event and connect using a sequence flow arrow.

- The 'Start Passcode Renewal' activity provides the following configurable parameters:
| Parameter | Description | Type | Required | Default |
|---|---|---|---|---|
| Passcode Policy | The passcode policy name. | String | Yes | |
| Passcode Renewal Key | Represents the passcode renewal attempt. | String | Yes | passcodeRenewal1 |
| Store Name | The Identity Store containing the policy and User. | String | Yes | |
| User External ID | Identifies the user whose passcode will be renewed. | String | No | |
| User ID | Identifies the user whose passcode will be renewed. | String | No | |
| User Key | The TrustX reference key for the user whose passcode will be renewed. If the user has already been obtained earlier in the TrustX flow, this field is used to identify the user. If the user has not already been obtained, one of the User ID or User External ID is used to reference the user, and the user will be stored under the user key so it can be referenced later in the flow. | String | Yes | user1 |
- Ensure that each mandatory input parameter is defined. Identify the Identity Store User with the 'Get User' activity or by entering the User ID or User External ID manually.
- When the renewal process is started, the end-user will see a button that allows them to begin the registration process.
Optional - Start Passcode Renewal via API
The following API endpoints perform a passcode renewal in which the existing passcode is verified and replaced with a new passcode. This is a two-step process on the server:
- Client gets the initial passcode registration and verification parameters from the server.
- Client derives verification data from the existing passcode and supplies it to the server. The client also validates the new passcode, generates the registration data and supplies it to the server.
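The client-side validation mentioned in the second step, as an added example that is not TrustX code: it checks a candidate new passcode against the passcodeRequirements object that the initialization call returns (its shape is shown in the example response further down). characterVariety and passcodeHistory are not checked because the page does not define them, and the meaning of allowedRegExes ("must match at least one pattern") is an assumption.

```python
# Added example, not TrustX code: check a candidate new passcode against the
# passcodeRequirements object that the renewal initialization call returns.
# characterVariety and passcodeHistory are not checked (the page does not define
# them); allowedRegExes is ASSUMED to mean "must match at least one pattern".
import re
import string

def check_passcode(pc: str, req: dict) -> list[str]:
    """Return the failed requirements; an empty list means the passcode passes."""
    errors = []
    n = len(pc)
    if n < req.get("minimumLength", 0):
        errors.append(f"shorter than {req['minimumLength']} characters")
    if n > req.get("maximumLength", n):
        errors.append(f"longer than {req['maximumLength']} characters")
    counts = {  # how many characters of each class the passcode actually has
        "digitCount": sum(c.isdigit() for c in pc),
        "symbolCount": sum(c in string.punctuation for c in pc),
        "lowerCaseCount": sum(c.islower() for c in pc),
        "upperCaseCount": sum(c.isupper() for c in pc),
    }
    for key, have in counts.items():
        if have < req.get(key, 0):
            errors.append(f"{key}: needs at least {req[key]}, has {have}")
    # Entries with an empty pattern (as in the example response) are ignored.
    for rule in req.get("requiredRegExes", []):
        if rule["pattern"] and not re.search(rule["pattern"], pc):
            errors.append(rule["error"] or f"must match {rule['pattern']}")
    for rule in req.get("disallowedRegExes", []):
        if rule["pattern"] and re.search(rule["pattern"], pc):
            errors.append(rule["error"] or f"must not match {rule['pattern']}")
    allowed = [r["pattern"] for r in req.get("allowedRegExes", []) if r["pattern"]]
    if allowed and not any(re.search(p, pc) for p in allowed):
        errors.append("matches none of the allowed patterns")
    return errors

# Constructed sample mirroring the example response's values, plus one real
# disallowed pattern so the regex path is exercised.
SAMPLE_REQUIREMENTS = {
    "minimumLength": 6, "maximumLength": 12, "digitCount": 1, "symbolCount": 1,
    "lowerCaseCount": 1, "upperCaseCount": 1, "characterVariety": 1, "passcodeHistory": 1,
    "requiredRegExes": [{"pattern": "", "error": ""}],
    "allowedRegExes": [{"pattern": "", "error": ""}],
    "disallowedRegExes": [{"pattern": r"(.)\1\1", "error": "no character three times in a row"}],
}
```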
There are two API endpoints to initialize passcode renewal for a user.
Permissions:
- TNT#{tenant}#createPasscodeRenewalForUser
- TNT#{tenant}#createUserPasscodeRenewalForUserByExtUserId
Endpoints:
- POST tenants/{tenantId}/stores/{storeName}/users/{userId}/passcodes/renewals/{policyName}
- POST tenants/{tenantId}/stores/{storeName}/users/{extUserId}/passcodes/renewals/{policyName}/ext
Example Request:
```http
POST https://{{tenant}}.{{region}}.trustx.com/api/identity-store/stores/{storeName}/users/{userId}/passcodes/renewals/{policyName}
Content-Type: application/json
Authorization: Bearer {{token}}

{}
```

Example Response:

```json
{
  "passcodeRequirements": {
    "minimumLength": 6,
    "maximumLength": 12,
    "digitCount": 1,
    "symbolCount": 1,
    "lowerCaseCount": 1,
    "upperCaseCount": 1,
    "characterVariety": 1,
    "passcodeHistory": 1,
    "requiredRegExes": [ { "pattern": "", "error": "" } ],
    "allowedRegExes": [ { "pattern": "", "error": "" } ],
    "disallowedRegExes": [ { "pattern": "", "error": "" } ]
  },
  "algorithmInfo": {
    "type": "SRP",
    "parameters": {
      "i": "{26 character ID}",
      "n": "{base-64 encoded value}",
      "g": 2,
      "hashAlgorithm": "SHA-256",
      "salt": "{base-64 url encoded salt value}",
      "serverPublicKey": "{base-64 encoded value}"
    }
  },
  "sessionId": "UGIRW7QN727EIV2XLXG4YH42N4"
}
```

Step 3 - Configure the Renewal Form
The renewal form is used to accept input from the end-user who will be completing the passcode renewal. In this example, the end-user will be requested to provide the passcode to be renewed.
- Create a new Custom Form from the Integration Hub > Custom Forms section of the Backoffice. For more information on using the Custom Form builder, see the Custom Data Forms guide.
- The example below demonstrates a JSON form that requests the old/existing passcode and a passcode to replace the existing one.

```json
{
  "title": {...},
  "components": [...]
}
```

- Once the Custom Form has been created, add a 'Passcode Renewal Form' activity to the Process Designer and connect it to the 'Start Passcode Renewal' activity using a sequence flow arrow.

- The 'Passcode Renewal Form' activity includes the following Input Parameters:
| Parameter | Description | Type | Required | Default |
|---|---|---|---|---|
| Data form name | A drop-down list of all available custom forms created in TrustX. The chosen form will be displayed to the end user in the flow. | String | Yes | |
| Data form version | Determines which version of the selected custom form will be displayed. | Integer | Yes | 1 |
| Form data Key | When multiple Custom Data Forms are used in one Process Definition, the form data key will be used as a unique identifier to distinguish Custom Form activities from each other. | String | Yes | passcodeRenewalForm1 |
| Passcode Authentication Key | The key associated with the passcode renewal attempt. | String | Yes | passcodeRenewal1 |
| Starting Component ID | The name of the step to be sent to the UI. | String | Yes | passcode-renewal |
| UI Component ID | The name of the screen used by the UI. | String | Yes | passcode-renewal |
Step 4 - Complete Passcode Renewal
The 'Complete Passcode Renewal' activity is used to finalize the passcode registration process.
- Add the 'Complete Passcode Renewal' activity after the 'Passcode Renewal Form' and connect using a sequence flow arrow.

- The 'Complete Passcode Renewal' activity features the following configurable input parameters:
| Parameter | Description | Type | Required | Default |
|---|---|---|---|---|
| Passcode Renewal Browser Response | In order to complete the passcode renewal, a response from the browser must be provided. This response is returned from the Custom Page and can be entered into the 'Passcode Authentication Browser Response' using variable substitution. | String | No | |
| Passcode Renewal Key | Represents the passcode renewal attempt. | String | Yes | passcodeRenewal1 |
| Starting Component ID | The name of the step to be sent to the UI. | String | Yes | passcode-verify |
| UI Component ID | The name of the screen used by the UI. | String | Yes | renewal |
Optional - Complete Passcode Renewal via API
TrustX provides an API to complete a passcode renewal by validating passcode registration parameters for the new passcode and verification parameters for the existing passcode from the client.
Permission:
TNT#{tenant}#completePasscodeRenewal
Endpoint:
POST tenants/{tenantId}/stores/{storeName}/passcodes/renewals/sessions/{sessionId}
Example Request:
```http
POST https://{{tenant}}.{{region}}.trustx.com/api/identity-store/stores/{storeName}/passcodes/renewals/sessions/{sessionId}
Content-Type: application/json
Authorization: Bearer {{token}}

{
  "srpRegistrationData": {
    "verifier": "{base-64 encoded value}"
  },
  "srpVerificationData": {
    "a": "{base-64 encoded value}",
    "m1": "{base-64 encoded value}"
  }
}
```

Example Response:

```json
{
  "algorithmInfo": {
    "type": "SRP",
    "parameters": {
      "hashAlgorithm": "SHA-256",
      "m2": "{base-64 encoded value}"
    }
  },
  "user": {...}
}
```

Response Codes:
- 200: Success
- 404: Tenant/store/policy/user not found.
- 400: Other error, see processing details.
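The two API calls above tied together, as an added example that is not TrustX code: the client-side SRP-6a arithmetic that turns the initialization response's algorithmInfo.parameters (salt, serverPublicKey) into the srpRegistrationData and srpVerificationData of the completion request, and the m2 the client should expect back. The group (RFC 5054 1024-bit, fixed here rather than read from the response's n and g), the hashing of identity and salt into x, the M1/M2 proof layout and the reuse of the server-issued salt for the new verifier are all assumptions, since the page does not specify them; simulate_renewal is a test stand-in for the server, not TrustX.

```python
# Added example, not TrustX code: client-side SRP-6a arithmetic for the two renewal
# endpoints (RFC 5054 1024-bit group, SHA-256). ASSUMED, since the page does not say:
# x = H(salt|H(I":"P)), M1 = H(A|B|S), M2 = H(A|M1|S), new verifier uses the same salt.
import base64, hashlib, os

N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g, NLEN = 2, 128   # generator and the byte width of N

def H(*parts):     # SHA-256 over the concatenation, as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")
def pad(x):        # fixed-width big-endian bytes (RFC 5054 PAD)
    return x.to_bytes(NLEN, "big")
def b64(x):
    return base64.b64encode(pad(x)).decode()
def unb64(s):
    return int.from_bytes(base64.b64decode(s), "big")
def private_x(salt, user_id, passcode):
    return H(salt, hashlib.sha256(f"{user_id}:{passcode}".encode()).digest())

def client_complete(params, user_id, old_pc, new_pc):
    """From init's algorithmInfo.parameters, build the completion body and the m2 to expect."""
    salt, B = base64.urlsafe_b64decode(params["salt"]), unb64(params["serverPublicKey"])
    if B % N == 0:
        raise ValueError("invalid serverPublicKey")   # SRP-6a abort rule
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)
    k, u = H(pad(N), pad(g)), H(pad(A), pad(B))
    x = private_x(salt, user_id, old_pc)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # client-side session key
    m1 = H(pad(A), pad(B), pad(S))                       # proof of the existing passcode
    v_new = pow(g, private_x(salt, user_id, new_pc), N)  # verifier for the new passcode
    body = {"srpRegistrationData": {"verifier": b64(v_new)},
            "srpVerificationData": {"a": b64(A), "m1": b64(m1)}}
    return body, H(pad(A), pad(m1), pad(S))

def simulate_renewal(user_id, stored_pc, typed_pc, new_pc):
    """Server stand-in (test aid, not TrustX): (m1 accepted?, m2 matched client's expectation?)."""
    salt = os.urandom(16)
    v_old = pow(g, private_x(salt, user_id, stored_pc), N)
    b = int.from_bytes(os.urandom(32), "big")
    B = (H(pad(N), pad(g)) * v_old + pow(g, b, N)) % N
    params = {"salt": base64.urlsafe_b64encode(salt).decode(), "serverPublicKey": b64(B)}
    body, want_m2 = client_complete(params, user_id, typed_pc, new_pc)
    A, m1 = (unb64(body["srpVerificationData"][key]) for key in ("a", "m1"))
    S = pow(A * pow(v_old, H(pad(A), pad(B)), N), b, N)   # server-side session key
    accepted = m1 == H(pad(A), pad(B), pad(S))
    return accepted, accepted and want_m2 == H(pad(A), pad(m1), pad(S))
```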
Step 5 - Add a Simple Decider
A 'Simple Decider' can be used to reach a decision regarding the passcode renewal attempt.
- Add the 'Simple Decider' activity to the Process Designer and connect the activity to the 'Complete Passcode Registration' and 'End' event.

Once all configurations are made, click the 'Save & Deploy' button to finalize the Process Definition.
Test and View Results
To test the flow, create a new Process Token from the Process Definitions page.
- Navigate to the Process Definitions page and find the passcode renewal Process Definition.
- Click the 'key' under the 'Actions' tab to create a new Process Token.

- A pop-up modal will appear where parameters of the token can be defined.

- When the Process Instance starts, the user will be met with the registration form.

- When the passcode has been added successfully, a confirmation screen will appear.
