Fido passkey provisioning with Microsoft Entra
This article is new for Identity Manager 5.1.0.
This article describes Fido passkey provisioning with Microsoft Entra.
Prerequisites
Identity Manager 5.1.0 or later versions.
Hermod 4.2 or later versions.
Smart ID Desktop App 2.4 or later versions.
Register a passkey in Entra from an IDM process
To set up a user and an application in Entra, check the Microsoft Entra documentation, for example in https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2.
To initialize and manage your Fido token, please refer to the documentation of the vendor.
The diagram below shows Entra Fido provisioning with Hermod.

Demo process
The example process "Entra ID - Hermod Create Fido Passkey" (EntraFidoProvisioningWithHermod.bpmn) in the default.zip illustrates how passkey provisioning works and how the new service tasks interact. It uses a Parallel Gateway.
Make sure the "Hermod: Fido Create Credential" task has the Async option checked.

The plugout URL form is used to trigger communication with Smart ID Desktop App on the client.
The parallel service task requests the actual creation of the credential from Smart ID Desktop App and runs in the background while the form is shown to the user.
Both parallel executions come together and proceed when creation is ready and the user clicks next on the form.
This demo process is just a simple example. Make sure to add error handling to make it usable in a customer project.
Links to service tasks
“Desktop App: Fido - Start Connection” in Smart ID Messaging - Standard service tasks in Identity Manager
“Desktop App: Fido - Create Credential” in Smart ID Messaging - Standard service tasks in Identity Manager
“Entra: Fido - Get Creation Options” in Miscellaneous standard service tasks in Identity Manager
“Entra: Fido - Create Credential” in Miscellaneous standard service tasks in Identity Manager