OneSpan (Vasco) Digipass for mobile configuration

The configuration and creation of the "Digipass for Mobile" app is handled by OneSpan (Vasco). This section only describes the configuration that is specific to Airlock IAM.

OneSpan (Vasco) Digipass Configuration

It is important that the Digipass configuration be as secure as possible. In particular, choose secure hash functions and configure the OTP application to generate long OTPs: the OTP is what authenticates transaction list requests to IAM, so a short OTP leaves those requests open to brute-forcing.

The following XML templates contain parameters [iam-host] and [iam-mapping]. These are typically the hostname of the Airlock Gateway (WAF) and the entry path of the IAM mapping.

Important: all requests to Airlock IAM must be configured as POST requests.

Scan and login

For "Scan and Login" (see the authentication modes), a SecureChannelValidation needs to be configured. IAM requires the parameters serial, otp and secureChannelMessage in the POST body.

Scan and Login configuration

<SecureChannelAction id="saonline" imageFormat="all" responsePattern="XX-XX-XX">
  <SecureChannelValidation internalValidation="true">
    <URL method="POST" value="https://[iam-host]/[iam-mapping]/cronto-response">
      <PayloadParameter key="serial" value="%_SerialNumber_%"/>
      <PayloadParameter key="otp" value="%_OTP_%"/>
      <PayloadParameter key="secureChannelMessage" value="%_SecureChannelMessage_%"/>
    </URL>
  </SecureChannelValidation>
...
</SecureChannelAction>

Push notifications

Because Airlock IAM only supports the secure channel variant of transaction data signing with OneSpan (Vasco) Digipass, Digipass for Mobile version 4.13 or higher is required (or a custom app supporting the same workflow). In the Notifications section of the Digipass configuration XML, four sections have to be configured for push notifications: (1) notification ID registration, (2) transaction list fetching, (3) transaction validation, and (4) transaction rejection. The relevant points for each section are listed below, followed by an XML snippet with an example configuration.

The TransactionDataSigningAction element must have the "secureChannelTransaction" attribute set to "true". Its "id" (parameterized as [actionId] in the example below) must also be used in the IAM push sender configuration (see above). The "authenticationCryptoAppIndex" (parameterized as [indexOfOTPapplication] in the example below) must be set to the index of the OTP application (type "response only") as defined by the static vector used in the OneSpan (Vasco) app. This index can be determined, for example, with the Static Vector Analyzer tool from OneSpan (Vasco), which shows the details of a given static vector.
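The following added check is not part of the Airlock IAM or OneSpan documentation; it is an illustrative lint script that verifies the IAM-specific points from both the Scan and Login section and the push notification section against a Digipass configuration XML: every URL addressed to the IAM host uses POST, the SecureChannelValidation posts serial, otp and secureChannelMessage, and the TransactionDataSigningAction has secureChannelTransaction="true", an id, and an integer authenticationCryptoAppIndex (an unreplaced [indexOfOTPapplication] placeholder is flagged). The sample configurations are constructed for this example: the DigipassConfiguration root element, the iam.example.com host, the /auth mapping, the push-transactions path and the placement of TransactionDataSigningAction directly under Notifications are assumptions, not the real schema.

```python
"""Lint a Digipass for Mobile configuration XML for Airlock IAM-specific settings.

Added example, not Airlock or OneSpan code. Element/attribute names
SecureChannelValidation, PayloadParameter, URL, TransactionDataSigningAction,
secureChannelTransaction and authenticationCryptoAppIndex come from the
documentation; the surrounding sample structure is assumed.
"""
import xml.etree.ElementTree as ET

# IAM requires exactly these parameters for Scan and Login (cronto-response).
REQUIRED_SCAN_LOGIN_PARAMS = {"serial", "otp", "secureChannelMessage"}


def lint_digipass_config(xml_text: str, iam_host: str) -> list:
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. All requests to Airlock IAM must be configured as POST requests.
    for url in root.iter("URL"):
        value = url.get("value", "")
        method = url.get("method", "")
        if iam_host in value and method.upper() != "POST":
            findings.append(f"URL {value} to IAM uses method {method!r}, expected POST")

    # 2. Scan and Login: the SecureChannelValidation must post all three parameters.
    for scv in root.iter("SecureChannelValidation"):
        keys = {p.get("key") for p in scv.iter("PayloadParameter")}
        missing = REQUIRED_SCAN_LOGIN_PARAMS - keys
        if missing:
            findings.append(
                f"SecureChannelValidation is missing PayloadParameter(s): {sorted(missing)}"
            )

    # 3. Push notifications: only secure-channel transaction data signing is supported.
    actions = list(root.iter("TransactionDataSigningAction"))
    if not actions:
        findings.append("no TransactionDataSigningAction found; push notifications not configured")
    for tds in actions:
        if tds.get("secureChannelTransaction", "").lower() != "true":
            findings.append("TransactionDataSigningAction needs secureChannelTransaction=\"true\"")
        if not tds.get("id"):
            findings.append("TransactionDataSigningAction has no id (needed for the IAM push sender)")
        idx = tds.get("authenticationCryptoAppIndex")
        if idx is None or not idx.isdigit():
            # Catches an unreplaced [indexOfOTPapplication] placeholder as well.
            findings.append(
                f"authenticationCryptoAppIndex must be the integer index of the "
                f"response-only OTP application, got {idx!r}"
            )
    return findings


# Constructed sample that satisfies every check (host/mapping/paths are assumptions).
GOOD_CONFIG = """<DigipassConfiguration>
  <SecureChannelAction id="saonline" imageFormat="all" responsePattern="XX-XX-XX">
    <SecureChannelValidation internalValidation="true">
      <URL method="POST" value="https://iam.example.com/auth/cronto-response">
        <PayloadParameter key="serial" value="%_SerialNumber_%"/>
        <PayloadParameter key="otp" value="%_OTP_%"/>
        <PayloadParameter key="secureChannelMessage" value="%_SecureChannelMessage_%"/>
      </URL>
    </SecureChannelValidation>
  </SecureChannelAction>
  <Notifications>
    <TransactionDataSigningAction id="pushtds" secureChannelTransaction="true"
                                  authenticationCryptoAppIndex="1">
      <URL method="POST" value="https://iam.example.com/auth/push-transactions"/>
    </TransactionDataSigningAction>
  </Notifications>
</DigipassConfiguration>"""

# Constructed sample with four mistakes: GET to IAM, missing secureChannelMessage,
# secureChannelTransaction="false", and an unreplaced index placeholder.
BAD_CONFIG = """<DigipassConfiguration>
  <SecureChannelAction id="saonline" imageFormat="all" responsePattern="XX-XX-XX">
    <SecureChannelValidation internalValidation="true">
      <URL method="GET" value="https://iam.example.com/auth/cronto-response">
        <PayloadParameter key="serial" value="%_SerialNumber_%"/>
        <PayloadParameter key="otp" value="%_OTP_%"/>
      </URL>
    </SecureChannelValidation>
  </SecureChannelAction>
  <Notifications>
    <TransactionDataSigningAction id="pushtds" secureChannelTransaction="false"
                                  authenticationCryptoAppIndex="[indexOfOTPapplication]">
      <URL method="POST" value="https://iam.example.com/auth/push-transactions"/>
    </TransactionDataSigningAction>
  </Notifications>
</DigipassConfiguration>"""


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_digipass_config(cfg, "iam.example.com") or "OK")
```

Run the script against the exported configuration XML and the hostname of your Airlock Gateway after replacing [iam-host] and [iam-mapping]; a non-empty findings list means the app configuration and the IAM side will not agree on the Scan and Login or push workflow.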