Nexus Documentation

Fido passkey provisioning with Microsoft Entra

This article is new for Identity Manager 5.1.0.

This article describes Fido passkey provisioning with Microsoft Entra.

Prerequisites

  • Identity Manager 5.1.0 or later versions.

  • Hermod 4.2 or later versions.

  • Smart ID Desktop App 2.4 or later versions.

Register a passkey in Entra from an IDM process

The diagram below shows Entra Fido provisioning with Smart ID.

[Diagram: Entra Fido provisioning with Smart ID (EntraFidoProvisioningHermod.jpeg)]

Demo process

The example process illustrates how passkey provisioning works and how the new service tasks interact. It uses a Parallel Gateway.

Make sure the "Hermod: Fido Create Credential" task has the Async option checked.

The plugout URL form is used to trigger communication with Smart ID Desktop App on the client.
The parallel service task requests the actual creation of the credential from Smart ID Desktop App and runs in the background while the form is shown to the user.
Both parallel executions come together and proceed when creation is ready and the user clicks next on the form.

This demo process is just a simple example. Make sure to add error handling to make it usable in a customer project.