Using idenprotect on Android

From idenprotect Knowledge Base

Using idenprotect To Authenticate (SSO)

On the main page, you can either open the "hamburger" menu or scan a QR code. If you click on "Scan a QR code", your device's camera opens. With the camera, you can scan a QR code to authenticate to an idenprotect authentication portal that allows you to access cloud/web services integrated with the idenprotect Core Platform.

After scanning a QR code, you will be asked to provide a Fingerprint/PIN, which authenticates you to the service provider. A success message is shown at the end.

SAML Authentication Success

Push Notifications

To authenticate with a Service Provider / idenprotect Authentication Portal you can also use Push Notifications. When you go to your company's Service Provider or idenprotect Authentication Portal and enter your e-mail address, a Push Notification is sent either automatically, if the idenprotect Core Platform is set up to send push notifications automatically, or when you press the "Push Notification" button.

SAML Authentication Notification

If the application is open on your device, you will receive a popup asking whether you would like to proceed with authentication to the service provider (in this instance, "IDP").

SAML Authentication Dialog

After clicking on the OK button, you will be asked to provide a Fingerprint, and a success popup will appear to confirm that authentication succeeded.

If the idenprotect for BlackBerry application was closed or in the background, you will receive a Push Notification in your notification tray, like any other standard notification. You can click on the notification and it will take you to the application to proceed with authentication.

Side Menu

In the top left corner of the screen, you will see a "hamburger" menu button. You can click on this button to view the menu. Alternatively, you can swipe from left to right to open the menu. To close the menu, you can click the "hamburger" menu button again, swipe, or click anywhere on the right side of the screen. There are a few things that you can do from the side menu. It includes a "View Devices" button, which lets you view and manage all of the devices that belong to the user. If you click on the "View Devices" button, you will be presented with the Devices table, which shows all of the devices belonging to this user.

Side Menu

View Devices

You can view all devices enrolled under your user on the server. Tapping on a device in the list reveals extra information about the device, as outlined below:

In the Information popup you will see details in the order below (with provided examples):

  • Device Name (iPhone-iPhone10,6-11)
  • Device Serial Number (AMP002-CkG766Am-241036)
  • Device State (Enrolled)
  • Device Creation Time (2019-05-21 13:55:59)
  • idenprotect for BlackBerry version (BlackBerry 3.7.3)

Device list

If you would like to remove a device from the idenprotect Core Platform, select the device you would like to remove and click delete. A delete popup window will open, as shown below:

Delete Device Request

The popup will ask whether you would like to remove the device (showing the device name). If you click "OK", you will be asked to provide a Fingerprint/PIN to proceed. After successful deletion, you will be returned to the list of current devices, with the removed device taken out of the table. The device will also be removed from the idenprotect Core Platform, which means that the device can be re-enrolled.

The device management screen also allows you to unenroll your own device. You can select your device from the list (it will be highlighted in blue) and press delete; this will remove your device from the idenprotect Core Platform. After deleting your device, you will be redirected to the "Error" screen, which will let you know that you have to reinstall the idenprotect for Mobile application and enroll again.

WebView

Recently added in the 3.15 release of the mobile application is a built-in browser. The browser can inject an Ephemeral Key Pair at run time in order to use Certificate-Based Authentication (Mutual TLS) for access to websites and services. This feature can be accessed as long as it has been set up correctly on your idenprotect server and the mobile application type is a non-BlackBerry version.

  • IMPORTANT NOTICE - This feature does require additional server configuration changes in order to make the WebView operational

Debug mode

On the idenprotect Core Platform, you can turn the debugMode policy on. This policy allows the user to view extra information on the mobile client for debugging purposes, such as certificates and policies.

Certificates

After you have authenticated to the idenprotect for BlackBerry application, you can view the certificates that belong to the device the user is using. On the idenprotect Unlocked screen, reveal the side menu (by swiping or by clicking on the hamburger icon) and you will see a "View Certificates" button. Click on the "View Certificates" button and you will be asked to provide Fingerprint biometrics. This will retrieve the data from the secure storage on your device (secure enclave). You will be shown a "Certificates" table, which includes all of the user's certificates/signatures on the device.

Certificates Screen

Every row has a title such as Ephemeral Certificates, Signature, Secure Enclave Certificate, etc. If you scroll down, you will be able to see more data, with a policies button at the bottom. Clicking on the certificate text will show enhanced details about the certificate.

On this screen you will be able to see:

  • DN - which shows the full domain name
  • Start Date - start date for a certificate
  • Expiry Date - the expiry date of a certificate
  • Public algorithm - public key algorithm
  • Sign algorithm - signing algorithm

Clicking on the policies button will show the policies that are currently active on the device; more explanation can be found in the idenprotect Core Platform user enrollment properties. These policies are updated and refreshed every time the user authenticates on idenprotect for BlackBerry.

Policies Screen

PIN Policy

The PIN policy is set in the idenprotect Core Platform user enrollment configuration. If this policy is set to true, then in addition to Fingerprint authentication the user also has to provide a PIN, which they create at the enrollment stage. When a user enrolls their device with the PIN policy, the last step of enrollment is to create a PIN.

Create PIN for additional security.

Users will be asked to create a new idenprotect PIN, as in the screenshot above. Enter a 4-digit PIN and click the "Continue" button; you will then be asked to confirm the PIN that you have created. Enter your PIN again and your device should be fully enrolled. Every time you launch the application, you will be asked to authenticate with a Fingerprint and your enrolled PIN. To authenticate throughout the app, only a biometric will be required.