One Touch

One Touch must be configured before One Touch support can be enabled in OTP Admin and Self Service.

Introduction

One Touch is a mobile application and a PhenixID Server configuration for issuing end user certificates and for creating and verifying end user signature transactions (assignments). One Touch can be used in a multifactor authentication (MFA) scenario.

Before a user can use One Touch, he must be enrolled. One Touch enrollment can be done in Self Service (end users) or in OTP administration (administrators).

System Requirements

Outgoing traffic

PhenixID Server will need access to the following services:

Google: gcm-http.googleapis.com:443

Apple: gateway.push.apple.com:2195 (TLS)

Incoming traffic

If SSL is enabled for incoming traffic, the certificate must be issued by a certificate authority that is trusted by the devices that will have One Touch application installed.

 

If a proxy is used the following rules has to be configured.

        ProxyPass /otpenrollment/otpenrollment/onetouch/provision http://localhost:8444/otpenrollment/otpenrollment/onetouch/provision
        ProxyPassReverse /otpenrollment/otpenrollment/onetouch/provision http://localhost:8444/otpenrollment/otpenrollment/onetouch/provision
        ProxyPass /push http://localhost:8444/push
        ProxyPassReverse /push http://localhost:8444/push
        ProxyPass /pki http://localhost:8444/pki
        ProxyPassReverse /pki http://localhost:8444/pki

Configuration

Issuer

Specify the name of the issuer. This is a logical name used for telling different identities a part on the device.

Issuer name is displayed on the One Touch client. Use a name that maps to the organisation or service.

One Touch communication settings

Specify how One Touch is reached from the device network (i.e Internet). It is also possible to bind One Touch to a custom port.

Endpoint settings:

External address for accessing PhenixID server. This address needs to be accessible to One Touch clients.

The endpoint setting will be the URL prefix used by PhenixID Server to build the complete URL, that will then be used by the One Touch clients.

Additional settings: Enable customized settings such as custom port and HTTP scheme, HTTP/HTTPS

Port: The custom listener port if other than default port is used. If specified, the One Touch module will open and listen to a new/different port than the rest of the modules deployed.

SSL: Enable use of SSL/TLS on custom port. If SSL is enabled, the certificate must be issued by a certificate authority that is trusted by the devices that will have One Touch application installed.

Please see example configuration below.

Push notifications

Enable push notifications for One Touch. If enabled, the device will receive a notification when pending assignments exist.

 Use push notifications to notify users of pending One Touch assignments

 

Example configuration

In the example above, the prefix that will be used by the server to generate the complete URL will be: https://onetouch.org.com/

With this configuration the communication from the One Touch client will be passed directly to the PhenixID Server using https. Without any reverse proxy in between.

In the example above, the prefix that will be used by PhenixID Server to generate the complete URL will be:: https://external.org.com/onetouch

With this configuration the communication from the One Touch client will use https to a proxy server, and the communication will then continue to Phenix ID Server using http on port 8444.