Overview
Onfido's AI-based technology determines whether a user's government-issued ID is genuine, and then compares their ID against facial biometrics. Companies like Revolut, Zipcar, and Bitstamp use Onfido to onboard customers remotely and securely. Onfido's mission is to create a more open world, where identity is the key to access.
Together, Okta and Onfido provide the ability for organizations to validate their customers with legal identity documents and grant them access to the sites and services they need. Okta provides the authentication and access management needed to manage customer identities, while Onfido provides the means to validate legal identities in a remote setting.
The Challenge
- Data breaches have become commonplace, and identity fraud is at an all-time high
- Enterprises of all kinds, especially those that handle high-risk transactions such as financial and healthcare organizations, are looking to add deeper levels of security to validate user identity
- Consumers are demanding a frictionless user experience with a high level of security
The Solution
Together, Okta and Onfido provide the ability for organizations to validate that their customers are tied to real legal identity documents and grant them access to the sites and services they need. Okta provides the access management, authentication, and tokenization needed to manage customer identities, while Onfido provides the means to validate their legal identities in a remote setting.
By combining Okta with Onfido, you can add document identity proofing to your security arsenal
Scanning government IDs, “live-proofing,” and other techniques ensure online customers are who they say they are
Customers, now authenticated and identified in Okta, can then be granted secure access to apps and assets
Overview
This integration guide configures a custom application using the Okta Sign-In Widget and the Onfido SDK to demonstrate how Onfido Identity Verification (IDV) integrates with Okta to create a high trust model using privileged application features.
Prerequisites
Creating and configuring this app integration requires:
- An Okta organization within the okta.com or oktapreview.com domains. You can create a developer org for free.
- An API token created by an administrative account within that domain. See Create an API token. The minimum permission level required to create an Okta API token is "Read Only Administrator".
- An Onfido account. If you don't already have one, you can request a Sandbox Account.
- A NodeJS development environment, version 12 or later.
- A GitHub account.
Procedure
Create an Onfido API token
- Sign in to your Onfido Dashboard.
- From the side navigation, click Developers > Tokens.
- Click Generate API token. You can set the token scope to either Sandbox (recommended for this integration guide) or Live (for production or a live trial). Click Generate.
- Record the API token in a secure location, as you can't retrieve this token value after you exit this window. Click Close.
Add an OpenID Connect app integration
- In your Okta org, sign in to the Okta Admin Console.
- From the side navigation, click Applications > Applications.
- Click Add Application and Create New App.
- In the App Integration Wizard, select Single Page App (SPA) as the platform. The sign-on method is set automatically to OpenID Connect. Click Create.
- Give your app integration a unique name and an optional logo.
- In the Login redirect URIs section, click Add URI. Enter http://localhost:3000/login/callback as the URI.
- In the Logout redirect URIs section, click Add URI. Enter http://localhost:3000 as the URI.
- Click Save.
- On the General tab for the app integration, confirm that Authorization Code is selected in the Allowed grant types section.
- In the Assignments tab for the app integration, assign the application to the users or groups you want to have verified by Onfido.
Extend the default Okta user profile
- In the Okta Admin Console, select Directory > Profile Editor.
- On the User (default) profile, click Profile.
- Click Add Attribute and create the following profile attributes:
  - Onfido IDV Status
    - Data type — string
    - Display Name — Onfido IDV Status
    - Variable Name — onfidoIdvStatus
    - Click Save and Add Another
  - Onfido Applicant ID
    - Data type — string
    - Display Name — Onfido Applicant ID
    - Variable Name — onfidoApplicantId
    - Click Save
- Click Back to profiles.
- In the Profile Editor, find your Open ID Connect app integration, and click Profile.
- Repeat step 3 to create these same attributes for the profile in your app integration.
Note: When creating these attributes in the app integration user profile, select the User personal check box beside the Scope option.
- Click Back to profiles.
- Next, add a mapping for the attributes between the default user profile and your app integration user profile. Click Mappings for your app integration. In the Okta User User Profile column, choose user.onfidoIdvStatus from the drop-down menu that matches the onfidoIdvStatus row under your {App Name} User Profile. In the middle drop-down menu, select Apply mapping on user create and update.
- Repeat for the user.onfidoApplicantId row.
- Click Save Mappings and Apply updates now.
Add a Trusted Origin in Okta
- From the Okta Admin Console side navigation, click Security > API.
- Click the Trusted Origins tab.
- Click Add Origin.
- Fill in a unique name, along with the origin URL you are using to access the Okta API, including a port number if applicable. For this sample application, the origin URL is http://localhost:3000. Select both the CORS and Redirect options. Click Save to add the trusted origin.
Configuration
The following steps cover the configuration and deployment of a sample application that enables you to test your Onfido and Okta integration.
- Clone the example application repository from GitHub to a local folder on your system.
- Open a terminal and change to the base directory where you cloned the repository. All subsequent directory references assume that you are in that directory.
- In the terminal window, change to the backend/ directory. Then install the necessary packages and create a file to hold the specific environment variables used in the back-end processes:
    cd backend/
    npm install
    touch .env
- Open that .env file in an editor and add the following lines:
    APP_SECRET_KEY=SOME-RANDOM-APP_SECRET_KEY
    OKTA_ORG_URL=https://yourOktaOrgURL
    OKTA_TOKEN=yourOktaApiToken
    ONFIDO_TOKEN=yourOnfidoToken
    PORT=3001
  The APP_SECRET_KEY is any long string of random values and is used to secure site cookies. Locate your OKTA_ORG_URL in your Okta Admin Console by opening the drop-down menu from the top right corner and copying the Okta org domain to the clipboard. The OKTA_TOKEN and ONFIDO_TOKEN values are the API tokens you created at the start of this guide. Save this file.
- Open a second terminal and change to the base directory where you cloned the repository. All subsequent directory references assume that you are in that directory.
- In the terminal window, change to the frontend/ directory. Then install the necessary packages used in the front-end processes:
    cd frontend/
    npm install
- Edit the testenv file in your project's base directory (where the backend and frontend folders live) to match the following lines:
    CLIENT_ID=0000000000000000
    ISSUER=https://{your-okta-org}
    OKTA_TESTING_DISABLEHTTPSCHECK=true
    REACT_APP_BACKEND_URL=http://localhost:3001
  For the value of these environment variables, enter:
  - CLIENT_ID — In your Okta app integration, click the General tab; this value is the generated Client ID in the Client Credentials pane.
  - ISSUER — In your Okta app integration, click the Sign On tab; this value is the Issuer field in the OpenID Connect ID Token pane.
  - OKTA_TESTING_DISABLEHTTPSCHECK — For local development, set this to true.
  - REACT_APP_BACKEND_URL — The back-end URL, which in this example is http://localhost:3001.
- Your sample application environment is now ready to run the tests between Onfido and Okta.
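The back end is the only component that holds OKTA_TOKEN, so it is the place where the verification result is written into the two custom attributes created above. The following is an added example, not code from the Onfido-Okta sample app or from Okta or Onfido, showing how a Node back end would do that with Okta's Users API partial profile update (POST /api/v1/users/{id} with a "profile" body), reading the same .env variable names the guide uses; the user id, applicant id and status values are constructed sample data.

```javascript
// Added example (not the sample app's own code): write an Onfido verification result
// into the custom Okta profile attributes onfidoApplicantId and onfidoIdvStatus.
// Assumes the env variable names from the guide's backend/.env file; ids and status
// values used with it are constructed sample data, not values from the page.

// Read and check the back-end configuration the guide places in backend/.env.
function loadOktaConfig(env) {
  const { OKTA_ORG_URL: orgUrl, OKTA_TOKEN: token } = env;
  if (!orgUrl || !token) throw new Error("OKTA_ORG_URL and OKTA_TOKEN must be set");
  const parsed = new URL(orgUrl);
  // The API token acts with administrator rights: refuse to send it over plain HTTP.
  if (parsed.protocol !== "https:") throw new Error("OKTA_ORG_URL must use https");
  return { origin: parsed.origin, token };
}

// Build the request that stores the Onfido result on one Okta user. A partial update
// sends only the attributes in "profile", so the rest of the user's profile is kept.
function buildProfileUpdate(config, oktaUserId, applicantId, idvStatus) {
  for (const [name, value] of Object.entries({ oktaUserId, applicantId, idvStatus })) {
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`${name} must be a non-empty string`);
    }
  }
  return {
    method: "POST",
    // Encode the id so a crafted value cannot change the request path.
    url: `${config.origin}/api/v1/users/${encodeURIComponent(oktaUserId)}`,
    headers: {
      Authorization: `SSWS ${config.token}`, // Okta API token scheme
      Accept: "application/json",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      profile: { onfidoApplicantId: applicantId, onfidoIdvStatus: idvStatus },
    }),
  };
}

// Send the update once the Onfido check has completed; fetchImpl is injectable so the
// function can be exercised without network access.
async function sendProfileUpdate(request, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(request.url, request);
  if (!res.ok) throw new Error(`Okta profile update failed: HTTP ${res.status}`);
  return res.json(); // the updated user record, including the new attribute values
}
```

After the call, the values appear under Directory > People in the Admin Console, exactly as the Test section describes.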
Test
- Launch the back-end process from a terminal window:
    cd onfido-okta-example/backend
    npm start
- From a separate terminal window:
    cd onfido-okta-example/frontend
    npm start
  When you launch the front end of the sample application, a new browser window opens. The browser address is http://localhost:3000 and the title is Onfido + Okta Example App.
- Click the Login button.
- Sign in to the example application using a valid Okta account which also has the app integration assigned in your Okta org. The application will successfully sign you in and present an authentication message.
- Click on Profile in the top navigation bar to see your Okta profile information. Note that there are no Onfido claim values in the user profile at this point.
- In a new browser window or tab, open the Onfido Sandbox test documentation site and download the sample driver's license file to test the identity proofing in the following steps.
- Click Protected in the top navigation bar to initiate the Identity Proofing test. Click Verify Identity.
- On the page labeled Verify your Identity, click Verify Identity.
- Click Driver's license.
- Click Upload photo - no scans or photocopies. From the file system, select the sample_driving_licence.png file and click Open.
- Check the image and click Confirm.
- On the page labelled Submit license (back), click Upload photo - no scans or photocopies. Again, from the file system, select the sample_driving_licence.png file and click Open.
- Check the image and click Confirm.
- On the Take a selfie page, click Continue and grant your browser access to the camera. Position your face in the Take a selfie window and click on the white circle. Onfido does not retain your image as part of the sample application testing.
- Check the selfie picture to confirm that it clearly shows your face, and click Confirm.
- Onfido verifies the identity based on these inputs and returns an Identity Verified! message. You can click View Profile or Profile in the top navigation bar to see the updated user information. Note that the Onfido verification system has populated both the onfidoApplicantId and onfidoIdvStatus fields.
- You can confirm the updated data in Okta using the Admin Console. From the side navigation, click Directory > People and then click the name of the person you used to run the test verification. Their Profile tab now has the Onfido fields populated with the same values you saw in the sample application.
Related content
- Onfido - Okta Identity Verification example app on GitHub for complete details
- Onfido - API Reference
- Onfido - Sandbox testing
- Okta and Onfido - Digital access verification video
Support
If you need help or have an issue, post a question in the Okta Developer Forum or the Onfido support site.
Functionality
Add this integration to enable authentication and provisioning capabilities.
Authentication (SSO)
- API
- Event Hooks
- Inbound Federation
- Outbound Federation
- RADIUS
- SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP) that does not require credentials to be passed to the service provider.
- Workflow Templates
- Workflows Connectors
- SWA: Secure Web Authentication is a Single Sign On (SSO) system developed by Okta to provide SSO for apps that don't support proprietary federated sign-on methods, SAML or OIDC.
- OIDC: OpenID Connect is an extension to the OAuth standard that provides for exchanging authentication data between an identity provider (IdP) and a service provider (SP) and does not require credentials to be passed from the identity provider to the application.
- WS-Federation
Provisioning
- Create: Creates or links a user in the application when assigning the app to a user in Okta.
- Update: Okta updates a user's attributes in the app when the app is assigned. Future attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in the app.
- Attribute Sourcing: The application can be defined as the source of truth for a full user profile or as the source of truth for specific attributes on a user profile.
- Deactivate: Deactivates a user's account in the app when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.
- Sync Password: Push either the user's Okta password or a randomly generated password to the app. This feature is not required for all federated applications, as user authentication takes place in Okta; however, some apps still require a password.
- Group Push: Push existing Okta groups and their memberships to the application. Groups can then be managed in Okta and changes are reflected in the application.
- Group Linking: Link Okta groups to existing groups in the application. Simplifies onboarding an app for Okta provisioning where the app already has groups configured.
- Schema Discovery: Import the user attribute schema from the application and reflect it in the Okta app user profile. Allows Okta to use custom attributes you have configured in the application that were not included in the basic app schema.
- Attribute Writeback: When the application is used as a profile master, it is possible to define specific attributes to be sourced from another location and written back to the app. For example, the user profile may come from Active Directory with the phone number sourced from another app and written back to Active Directory.