ID Dataweb - Third-Party Identity Verification Integration - RSA Ready Implementation Guide
Originally Published: 2023-11-08

Certified: April 01, 2025

  

Solution Summary

This article describes the configuration steps for adding ID Dataweb as a user Identity Verification Provider for the RSA Cloud Authentication Service using OIDC.
After ID Dataweb is added as a user Identity Verification Provider, it can be used in the My Page enrollment and recovery policies.

  

Use Case

ID Dataweb can be integrated with RSA as an Identity Verification Provider for the Cloud Authentication Service using OIDC. For an overview and solution summary, see RSA & ID Dataweb - Identity Verification.

  

Configuration Summary

This section contains instruction steps that show how to configure ID Dataweb with RSA Cloud Authentication Service as a user Identity Verification Provider.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components. 
All RSA and ID Dataweb components must be installed and working prior to the integration.

    

Configure RSA Cloud Authentication Service

Perform the steps in this section to configure ID Dataweb as a User Identity Verification Provider.

  
Prerequisites 

  • Identity sources with valid users must be configured, or a local user must be created.
  • The required attributes, as mentioned in the ID Dataweb documentation for the respective workflow, must be synchronized with the RSA Cloud Authentication Service after the identity source is added.
  • My Page enrollment policy or My Page recovery policy under Access > My Page > Enrollment and Recovery tab must be enabled and configured.
  • An active ID Dataweb account and an RSA account with Super Administrator privileges.
  • Follow the instructions in ID Dataweb documentation to set up your ID Dataweb tenant.

  

Configure Attributes in RSA for ID Dataweb Workflow

Procedure

  1. Sign in to Cloud Administration Console as Customer Super Admin.
  2. Create and synchronize Identity Source.
  3. Navigate to Access > OIDC Settings > Scopes and define a new scope called 'openid'.
  4. Make a note of the attributes required by the ID Dataweb workflow and identify the equivalent attributes in the identity source in Cloud Authentication Service. For this use case, the first name and last name attributes are sent.
    For the latest list of allowable attributes, refer to the ID Dataweb documentation.

    ID Dataweb Attribute | Description | Identity Source Attribute in Cloud Authentication Service
    fname                | First Name  | givenname
    lname                | Last Name   | sn
  5. Navigate to Users > Identity Sources and select the identity source added.
  6. Click the User Attributes tab and make sure that the preceding identity source attributes are available for use in access policy configuration.

  7. Click Next Step and make sure that mappings for First Name and Last Name attributes are correct.
  8. Ensure that the Synchronize user attributes checkbox is selected.
  9. Click Next Step > Save and Finish.
  10. Click Publish Changes.

  

Configure Identity Verification Provider Connector

Procedure

  1. Navigate to Users > Identity Verification Providers
  2. Click the Attribute Mapping tab.
  3. (Optional) Provide the attribute names you wish to pre-send. First name and last name are sent for this use case. Select the identity source and the value. Make sure that the values are stored as ID Dataweb expects; for example, make sure that givenName holds the user's first name.
  4. Browse to the ID Dataweb production well-known URL (see Notes) and keep the discovery document open. Its issuer, authorization_endpoint, token_endpoint and jwks_uri values are used in the next steps.
  5. Click the Identity Verification Providers tab and click Add against ID Dataweb.
  6. Perform the following steps:
    1. In the Name field, enter a name.
    2. (Optional) In the Description field, enter a description.
    3. Set Issuer ID as the value of issuer from the well-known URL.
    4. Set Authorization Endpoint as the value of authorization_endpoint from the well-known URL.
    5. Set Token Endpoint as the value of token_endpoint from the well-known URL.
    6. Set Client ID as the Primary Service API Key value copied from ID Dataweb. (Refer to the Configure ID Dataweb section.)
    7. Set Client Secret as the Shared Secret value copied from ID Dataweb. (Refer to the Configure ID Dataweb section.)
    8. (Optional) Select any Attribute Mappings added in the Attribute Mapping tab earlier.
    9. Set Scope as openid.
    10. Make a note of the Redirect URI generated. This will be used when configuring ID Dataweb.
       
    11. Set Provider Public Key. RSA uses this key to verify the signature on tokens issued by ID Dataweb, so it must be copied exactly.
      1. To get the value of ID Dataweb's public key, open the jwks_uri from the well-known URL in a browser. Copy the public key starting with "-----BEGIN PUBLIC KEY-----" and ending with "-----END PUBLIC KEY-----". The literal "\n" sequences at the beginning and end of the key represent newlines in the JSON response and must not be pasted into the field.
    12. Click Save and Finish.
  7. Click Publish Changes.
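Steps 3 through 11 of the connector procedure are filled from the discovery document and the key served at its jwks_uri, and two things commonly go wrong: an endpoint that is not what the issuer advertises, and a Provider Public Key pasted with the JSON "\n" escapes still in it. The Python below is an added example written for this guide (it is not RSA or ID Dataweb code). It maps a discovery document onto the connector field names, checks that the issuer matches the well-known URL it was fetched from (OIDC Discovery section 4.3) and that every endpoint is HTTPS, and normalises a key copied out of a JSON viewer into a clean PEM block. The issuer host idp.example.com, the discovery document and the key body are all constructed sample data; the key body is a minimal DER SEQUENCE, not a real key.

```python
"""Derive the RSA connector field values from an OIDC discovery document and
normalise the Provider Public Key copied from jwks_uri.

Illustrative code written for this guide, not RSA or ID Dataweb code. All
sample data is constructed; use the real well-known URL and jwks_uri output
when configuring a live tenant."""
import base64
import binascii
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Connector field label -> discovery-document claim it is filled from.
FIELD_TO_CLAIM = {
    "Issuer ID": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
}

# Constructed sample discovery document (placeholder host, not ID Dataweb's).
SAMPLE_WELL_KNOWN_URL = "https://idp.example.com/axn/oauth2" + WELL_KNOWN_SUFFIX
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/axn/oauth2",
    "authorization_endpoint": "https://idp.example.com/axn/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/axn/oauth2/token",
    "jwks_uri": "https://idp.example.com/axn/oauth2/jwks",
    "scopes_supported": ["openid"],
})

# Constructed stand-in for a key copied out of a JSON viewer: surrounding
# quotes and literal backslash-n escapes, exactly as the guide warns about.
# The base64 body is a minimal DER SEQUENCE, not a real key.
SAMPLE_RAW_KEY = r'"-----BEGIN PUBLIC KEY-----\nMAMCAQU=\n-----END PUBLIC KEY-----\n"'


def fetch_discovery(well_known_url: str, timeout: float = 10.0) -> str:
    """Download the discovery document (network; not used by the offline sample)."""
    with urllib.request.urlopen(well_known_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def issuer_matches_well_known(issuer: str, well_known_url: str) -> bool:
    """OIDC Discovery 4.3: issuer must equal the well-known URL minus its suffix.
    A mismatch means the metadata was not served by the issuer it names."""
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        return False
    expected = well_known_url[: -len(WELL_KNOWN_SUFFIX)]
    return issuer.rstrip("/") == expected.rstrip("/")


def connector_fields(discovery_text: str) -> dict:
    """Map the discovery document onto the RSA connector fields, rejecting
    missing or non-HTTPS endpoints before anything is pasted into the console."""
    doc = json.loads(discovery_text)
    fields = {}
    for label, claim in FIELD_TO_CLAIM.items():
        value = doc.get(claim)
        if not isinstance(value, str) or not value:
            raise ValueError(f"discovery document lacks '{claim}'")
        if urlparse(value).scheme != "https":
            raise ValueError(f"{claim} is not https: {value}")
        fields[label] = value
    fields["Scope"] = "openid"                 # step 9 of the connector procedure
    fields["jwks_uri"] = doc.get("jwks_uri")   # open this to obtain the Provider Public Key
    return fields


def normalize_pem(raw: str) -> str:
    """Turn a PEM pasted from a JSON response into a clean PEM block: strip the
    quotes, convert literal backslash-n escapes to newlines (which also removes
    the escapes at both ends), and check that the body is base64 decoding to a
    DER SEQUENCE (the outer element of a SubjectPublicKeyInfo)."""
    text = raw.strip().strip('"').replace("\\n", "\n")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a PUBLIC KEY PEM block")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded key is not a DER SEQUENCE")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{wrapped}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    fields = connector_fields(SAMPLE_DISCOVERY)
    for label, value in fields.items():
        print(f"{label:24} {value}")
    print("issuer matches well-known URL:",
          issuer_matches_well_known(fields["Issuer ID"], SAMPLE_WELL_KNOWN_URL))
    print(normalize_pem(SAMPLE_RAW_KEY))
```

To use it against a live tenant, pass the output of fetch_discovery on the production well-known URL to connector_fields, and paste the jwks_uri key into normalize_pem; a ValueError from either function means the value should not go into the console as-is.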

 

Configure My Page Enrollment and My Page Recovery Policies

Procedure

  1. Navigate to Access > My Page and perform the following steps:
    1. To use identity verification for the self-enrollment of users on My Page, on the Enrollment and Recovery tab, enable the option that allows users to self-enroll.
    2. Click Save and click Publish Changes.
  2. Navigate to Access > Policies and perform the following steps:
    1. Click Enable corresponding to My Page Enrollment Policy.

      1. Select the applicable identity sources and click Next Step.
      2. Make applicable changes on the Rule Sets tab and select Password + Identity Verification Providers as the Method for Identity Verification.
      3. In the Identity Verification Provider list, select the Identity Verification Provider created.
      4. Click Save and Finish.
      5. Click Publish Changes.
    2. Click Enable corresponding to My Page Recovery Policy.

      1. Select the applicable identity sources and click Next Step.
      2. Make applicable changes on the Rule Sets tab and select Password + Identity Verification Providers as the Method for Identity Verification.
      3. In the Identity Verification Provider list, select the Identity Verification Provider created.
      4. Click Save and Finish.
      5. Click Publish Changes.

  

Notes

  • The My Page enrollment policy can only be used for users who do not have a registered authenticator. The My Page recovery policy can only be used for users who have at least one authenticator registered. For more details, refer to the Set Up Enrollment and Recovery Settings section in the Manage My Page article.
  • Adding attributes in the Attribute Mapping tab of the connector is an optional step. Refer to the ID Dataweb documentation for further details on the supported attributes and the format for prefilled information.
  • The Provider Public Key is pasted into the connector as a static value rather than fetched from jwks_uri at run time. If ID Dataweb rotates its signing key, copy the new key from jwks_uri into the connector and publish the change, or verification will fail.
  • At the time of testing this document, the well-known URL used for production is https://prod2.iddataweb.com/axn/oauth2/.well-known/openid-configuration. Refer to the ID Dataweb documentation for the latest well-known URLs.

  

Configure ID Dataweb

Perform these steps to configure ID Dataweb.

Procedure

  1. Log in to ID Dataweb admin console.
  2. In the left pane, click Workflows.
    The available templates are displayed.
  3. Select a template based on your business requirements.
  4. Click the drop-down arrow against the template for the desired workflow (this guide uses the BioGovID workflow template) and select Open Workflow Details.
  5. Click the eye icon against Primary Service API Key and Shared Secret and copy the values. Use these values in the Client ID and Client Secret fields respectively in the RSA configuration. Treat the Shared Secret as a credential: it is what lets RSA redeem authorization codes at the token endpoint.
  6. Click Actions in the upper-right corner and select Start Change Request.
  7. Click Start Change Request to confirm.
  8. Scroll down to the Customer Redirect URLs section and click Add Customer Redirect URL.
  9. Paste the Redirect URI value copied from the RSA configuration into the Redirect URL field and click Save.
  10. In the upper-right corner, click Save.
  11. Click on Actions > Deploy Changes Now to deploy the changes made.

The configuration is complete.

  

User Experience

The configured Identity Verification Provider can be used:

  • For the self-enrollment of users on My Page.
  • For the recovery of access to the user accounts in case of lost/damaged/stolen authenticator. 

You can test the integration by configuring either of these or both. The following section shows the BioGovID workflow behavior for self-enrollment.

  

Self-Enrollment

  1. Navigate to Access > My Page > Enrollment and Recovery.
  2. Copy the Enrollment URL and browse to this URL in a browser.
  3. Enter the e-mail address of the user and click Submit.
  4. On the next screen, enter the user's password and click Submit.
  5. Select the Country and click Continue.
  6. Provide the phone number of the user and click Confirm Information.

    The user is shown a waiting message while the given phone number receives a verification link.

    Once all the necessary documents are uploaded and the process is completed, ID Dataweb shows a success message (if the provided information is valid), and the user is allowed into My Page.

    

RSA Terminology Changes

The following table describes the differences in the terminology used in the different versions of RSA products and components.

Previous Version         | New Version              | Examples/Comments
Company ID               | Organization ID          |
Account                  | Credential               |
Token                    | OTP Credential           | SecurID OTP Credential
Tokencode                | OTP/Access Code          | SecurID OTP, SMS OTP, Voice OTP, Emergency Access Code, Disable Access Code
Hardware Token           | Hardware Authenticator   |
Device Serial Number     | Binding ID               |
Device                   | Credential/Authenticator |
Device Registration Code | Registration Code        |
Authenticate App         | Authenticator App        |

    

Certification Details

RSA Cloud Authentication Service

ID Dataweb

    

Known Issues

No known issues.