Cronto configuration (main settings)

All Cronto-related Airlock IAM features make use of the Cronto Handler plugin. It is configured in MAIN SETTINGS >> Authentication Settings >> CrontoSign Settings.

Vasco Cronto Handler vs. Cronto Engine Handler

New CrontoSign customers use the Vasco Cronto Handler, while customers who have been using CrontoSign since 2014 or earlier can continue with the CrontoEngine Cronto Handler.

It is recommended to configure this plugin in the MAIN SETTINGS and then refer to it from all places where a Cronto Handler is needed. This ensures a consistent configuration of Cronto across different modules. The two Cronto Handler plugins differ in details, but most concepts apply to both versions.

Cronto Handler Settings

The most important Cronto Handler settings are (for both Cronto Handler types):

  • Platform type settings: These settings determine on which platforms (Android, iOS, hardware device, etc.) Cronto can be used.
    • The property Default Allowed Platforms defines which types of platforms can be activated for a newly created activation letter. This can be adjusted later in the Adminapp for individual letters.
    • The property Platform Blacklist defines a global blacklist of platform types that will be blocked, i.e. also already activated devices of blacklisted types are no longer allowed for login or transaction signing. This can be necessary if the CrontoSign app on certain platform types (e.g. rooted Android) becomes unsafe.
    • Note that the platform type is determined at activation time; if a device becomes rooted later, this cannot be detected.
  • Activation letter settings: These settings determine default properties (validity duration and allowed number of usages) for newly created activation letters. The values can be adjusted later in the Adminapp for individual letters.
  • Letter settings:
    • How letters are generated is defined by the "order options". Typical options are "online" or "offline" printing or ordering a Cronto-device to be sent to the customer.
    • These options are stored together with the order of letters. The tasks that handle the actual generation of letters can then be configured to handle only a specific option or a specific combination of options.
    • Make sure to configure a letter generation task for each order option defined.
    • For all available order options, there should be a corresponding resource key in the translations file to allow for the correct display of the options in the Adminapp. The prefix is cronto-order-options (thus, e.g., cronto-order-options.online is the key for the online option).
  • Push Notification Settings:
    • Enable Online Validation: enables the Scan&Login feature (i.e. response validation is performed online by the app). See authentication modes above for details. For the CrontoEngine Handler, this is not a separate property but included in the Enable Push Notifications property.
    • Enable Push Notifications: enables login/transaction data signing initiated by push notifications. This requires Online Validation to be enabled as well, and the configuration of the push settings. See CrontoSign push setup for more details.
    • Push Notification Sender: this sub-plugin defines all properties required to connect to the Google and Apple push servers. Note that it is also possible to only configure one of the two servers (e.g. only Google but not Apple), which can be useful in testing environments.
    • Challenge Token Lifetime: Defines how long a challenge can be answered through the asynchronous interface (used by Scan&Login and Push). After this limit, the challenge is deleted and the response is no longer accepted.
  • Vasco Cronto Handler specific settings:
    • The Vasco Handler defines how IAM interacts with the native Vacman Controller library. See Native library setup for Cronto and Digipass OTP on how to include the library.
    • If the crypto application for Cronto cannot be detected automatically, set the Secure Channel Crypto Application Index manually.
    • The Ask for PIN property controls if a PIN will be asked by the Digipass DP780 device each time a transaction is to be signed. Note that this feature is only supported by the DP780 device.
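As an added example that is not part of the Airlock IAM documentation or product: a small consistency check for the letter settings above, verifying that every configured order option has both a letter generation task and a cronto-order-options.<option> resource key, and that no task references an undefined option. The task/option model and the key=value translations file format are assumptions; the sample values are constructed.

```python
# Constructed sample: the order options configured on the Cronto Handler
# ("online" and "offline" follow the text; "device" is a constructed value).
ORDER_OPTIONS = {"online", "offline", "device"}

# Constructed sample: letter generation tasks mapped to the order option(s)
# each one is configured to handle. This task model is an assumption.
LETTER_TASKS = {
    "print-online": {"online"},
    "print-offline": {"offline", "pickup"},  # "pickup" is not a defined option
}

# Constructed sample translations file in key=value (.properties style);
# the real Airlock IAM translations file format is an assumption here.
TRANSLATIONS_FILE = """\
cronto-order-options.online=Print online
cronto-order-options.offline=Print offline
# the key for the "device" option is intentionally missing
"""

PREFIX = "cronto-order-options."


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_order_options(options, tasks, translations_text):
    """Return three sorted lists: options with no letter generation task,
    options with no translation key, and task options not defined at all."""
    props = parse_properties(translations_text)
    handled = set().union(*tasks.values()) if tasks else set()
    missing_task = sorted(options - handled)
    missing_key = sorted(o for o in options if PREFIX + o not in props)
    unknown_option = sorted(handled - options)
    return missing_task, missing_key, unknown_option


if __name__ == "__main__":
    no_task, no_key, unknown = check_order_options(
        ORDER_OPTIONS, LETTER_TASKS, TRANSLATIONS_FILE)
    print("order options without a letter generation task:", no_task)
    print("order options without a translation key:", no_key)
    print("task options that are not defined order options:", unknown)
```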

Further information and links

  • Configuration in the Loginapp UI:
    • Authentication: Add a Cronto Authentication Step to the authentication flow.
    • Self-services: Loginapp >> Protected Self-Services >> Cronto Device List and selected Protected Self-Service Flows.
  • Configuration in the Adminapp: Cronto Token Controller configuration
  • Configuration in the Service Container: Cronto activation letter generation
  • Configuration for transaction signing: