Additional Cronto device activation in authentication flows in the Loginapp REST API

This article describes how to extend an existing authentication flow to allow end-users to activate an additional Cronto device during authentication.

Authentication flow step or protected self-service?

  • When using application portals (either the Airlock IAM application portal or a custom portal), configuring a protected self-service is often preferred over configuring the same functionality in an authentication flow. In this case, the self-service link would be offered on the application portal itself.
  • Customers with a customizable target application might prefer to configure a protected self-service link on their application page. However, if multiple (i.e. visually different) target applications are offered, configuring device activation in an authentication step instead of placing links on different application pages can be more user-friendly.
  • For customers with target applications that should not be further customized, configuring the device activation in an authentication step might be the best solution.

Prerequisites

  • The steps in this article assume that an authentication flow containing the Cronto Authentication Step as the 2nd factor is already configured.

Use case

On the Cronto authentication page, the user may choose to activate an additional Cronto device after the 2nd factor has been successfully checked. If the user chooses to do so, a Cronto Activation Step is activated using the dynamic step activation (DSA) feature.

The following screenshot shows the Cronto authentication page with the checkbox activating the Cronto Activation Step:

[Screenshot: CrontoAuthStepWithDSA]

The following diagrams show two authentication flow configurations (both correspond to the above screenshot):

  • auth-flow-1: A simple 3-step version where the Cronto Activation Step is directly activated in the Cronto Authentication Step. This works if activating additional Cronto devices should always be possible.
  • auth-flow-2: A slightly more complex flow with 4 steps where the Cronto Authentication Step activates an intermediate Selection Step. The selection step checks whether activating another Cronto device is possible. If it is, the Cronto Activation Step is executed; if not, the user is informed that activating another device is not possible. This may be useful if, for example, the number of activatable devices is limited.

[Diagram: CrontoAdditionalDeviceActivation]

Configuration example

The following configuration example corresponds to auth-flow-2 in the above diagram. It can also be found in the Demo configuration within the authentication flow for the default target application.

  1. Go to:
    Loginapp >> Authentication Flows >> affected flow >> Cronto Authentication Step.
  2. Add a new Selection Step right after the Cronto Authentication Step.
  3. Check the Requires activation checkbox in the new selection step.
  4. Define a Step ID (e.g. activate-extra-cronto-device) in the new selection step.
  5. To the list of Available Options, add a selection option with the Cronto Activation Step and the Cronto Activation Possible condition.
  6. To the Fallback Flow property, add an Acknowledge Message Step that explains to the end-user why the activation is not possible.
  7. Go back to:
    Loginapp >> Authentication Flows >> affected flow >> Cronto Authentication Step.
  8. In the Dynamic Step Activations property, add a Dynamic Step Activation plugin. Use the step ID defined above (e.g. activate-extra-cronto-device) to refer to the selection step.
  9. The Loginapp will show the checkbox Activate additional Cronto device on the Cronto Authentication page.
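
The control flow that results from this configuration can be checked against a small model. The following Python sketch is an added example, not Airlock IAM code and not its configuration format. It assumes a password-style first factor, a device limit of 3 standing in for the Cronto Activation Possible condition, and that the flow completes after the acknowledge message; all function and field names are hypothetical.

```python
# Conceptual model of auth-flow-2 (added example; names are hypothetical).
from dataclasses import dataclass, field

SELECTION_STEP_ID = "activate-extra-cronto-device"  # step ID used in the article
MAX_DEVICES = 3  # assumed limit behind the "Cronto Activation Possible" condition


@dataclass
class Session:
    first_factor_ok: bool
    cronto_ok: bool
    wants_extra_device: bool  # checkbox on the Cronto authentication page
    device_count: int
    activated_steps: set = field(default_factory=set)
    trace: list = field(default_factory=list)


def cronto_activation_possible(s: Session) -> bool:
    return s.device_count < MAX_DEVICES


def run_flow(s: Session) -> list:
    # Step 1: first factor (assumed; the article only fixes Cronto as 2nd factor).
    s.trace.append("first-factor")
    if not s.first_factor_ok:
        s.trace.append("failed")
        return s.trace
    # Step 2: Cronto Authentication Step. The dynamic step activation takes
    # effect only after the 2nd factor has been checked successfully.
    s.trace.append("cronto-authentication")
    if not s.cronto_ok:
        s.trace.append("failed")
        return s.trace
    if s.wants_extra_device:
        s.activated_steps.add(SELECTION_STEP_ID)
    # Step 3: Selection Step with "Requires activation": skipped unless activated.
    if SELECTION_STEP_ID in s.activated_steps:
        s.trace.append("selection")
        if cronto_activation_possible(s):
            s.trace.append("cronto-activation")    # step 4: the selected option
            s.device_count += 1
        else:
            s.trace.append("acknowledge-message")  # fallback flow
    s.trace.append("authenticated")  # assumed: flow completes after either branch
    return s.trace
```

The property to verify in a real deployment is the same one the model encodes: the activation step is reachable only in sessions where both factors have already succeeded.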