Integration Procedure
This page gives an overview of the steps for getting started with FIDO Pre-reg using Azure components and Microsoft Entra ID as the IdP, so that you can create enrollment credentials and request shipments of pre-enrolled YubiKeys.
API Versions
The methods for creating enrollment credentials and requesting shipments of pre-enrolled YubiKeys depend on how your FIDO Pre-reg solution is set up in your IT environment and on which API versions are implemented there.
The API versions support different pre-enrollment features, for example shipment-only requests, or multiple keys, multiple credentials, and multiple IdPs in the same request. For more information, see API Version and Feature Support.
Prerequisites
Important
Before you start implementing FIDO Pre-reg, check that your organization has sufficient product inventory allocated, as well as the Customization IDs and Product IDs for the YubiKey models you will be shipping to end users. The IDs are provided by Yubico during onboarding of your organization, and are used for all pre-enrollment requests.
Ensure you have the following before starting the implementation procedure:
- Provided by Yubico:
- A Yubico subscription plan. For questions about Yubico subscription services, contact your Yubico sales representative.
- Yubico Customer Portal access with FIDO Pre-reg enabled. This is provided during onboarding of your organization.
- Customization ID (CID), Product ID, and Inventory ID for the YubiKey delivery.
- An ARM (Azure Resource Manager) template JSON file and a Docker image for deploying components in Azure.
- Credentials for the Yubico container registry for the FIDO Connector app.
- An Azure Resource Group permissions template.
- An Azure subscription with a resource group that supports the Container App, Azure Table storage, Key Vault, and Logic App resource types.
- An Office 365 License or another preferred email service to send PINs to end users.
- A defined method for sourcing shipping addresses for the YubiKey recipients.
- A defined preference for how recipients will receive YubiKey PINs, for example via email.
- The following administrative roles in Microsoft Entra ID are required for the implementation:
- Application Administrator role.
- Authentication Policy Administrator role.
- Global Administrator role.
- Privileged Role Administrator role.
- Note that Global Administrator already includes the permissions of the other three roles; following least privilege, activate it only for the steps that require it.
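Before starting the deployment it is worth confirming the account you will use actually holds the roles above and that the subscription exposes the resource providers behind the listed resource types. The following pre-flight script is an added example, not Yubico's code: it uses the Microsoft Graph and Az PowerShell modules, and the resource group name, subscription ID, and the assumption that the ARM template needs no resource providers beyond Microsoft.App, Microsoft.Storage, Microsoft.KeyVault, and Microsoft.Logic are placeholders you should adjust to your environment.

```powershell
# Pre-flight check for the FIDO Pre-reg Azure integration (added example, not
# Yubico's code). Verifies that the signed-in account holds the Microsoft Entra
# ID roles listed in the prerequisites and that the target subscription has the
# resource providers the deployment needs registered. Requires the
# Microsoft.Graph and Az PowerShell modules.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # assumed placeholder
    [Parameter(Mandatory)] [string] $SubscriptionId       # assumed placeholder
)

# Entra ID directory roles named in the prerequisites.
$RequiredRoles = @(
    'Application Administrator',
    'Authentication Policy Administrator',
    'Global Administrator',
    'Privileged Role Administrator'
)

# Resource provider namespaces behind the Container App, Azure Table storage,
# Key Vault, and Logic App resource types. Assumption: the ARM template
# provided by Yubico needs no providers beyond these.
$RequiredProviders = @('Microsoft.App', 'Microsoft.Storage', 'Microsoft.KeyVault', 'Microsoft.Logic')

# --- Entra ID roles ---------------------------------------------------------
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read' -NoWelcome
$me = Get-MgUser -UserId (Get-MgContext).Account

# Direct, active role assignments for the signed-in principal. Roles held only
# through group membership or an unactivated PIM eligibility do not show up
# here, so a "missing" result may mean "activate it first" rather than "not
# assigned".
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($me.Id)'"
$heldRoles = foreach ($a in $assignments) {
    (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
}

# Global Administrator already carries the permissions of the other three
# roles, so an active Global Administrator assignment satisfies the check.
if ('Global Administrator' -in $heldRoles) {
    $missingRoles = @()
} else {
    $missingRoles = @($RequiredRoles | Where-Object { $_ -notin $heldRoles })
}

# --- Azure subscription and resource providers ------------------------------
Connect-AzAccount -Subscription $SubscriptionId | Out-Null

$rg = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
$unregistered = foreach ($ns in $RequiredProviders) {
    # Get-AzResourceProvider returns one entry per resource type; they all
    # share the namespace's registration state, so the first one is enough.
    $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    if ($state -ne 'Registered') { $ns }
}

# --- Report -----------------------------------------------------------------
$problems = @()
if ($missingRoles) { $problems += "Missing Entra ID roles: $($missingRoles -join ', ')" }
if (-not $rg)      { $problems += "Resource group '$ResourceGroupName' not found in subscription $SubscriptionId" }
if ($unregistered) { $problems += "Unregistered resource providers: $($unregistered -join ', ')" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Pre-flight checks passed for $($me.UserPrincipalName)."
```

Run it as `.\Invoke-PreregPreflight.ps1 -ResourceGroupName <rg> -SubscriptionId <id>` (script name assumed) before creating the Entra ID app registration and deploying the ARM template; a non-zero exit code means at least one prerequisite is not met. Unregistered providers can be registered with `Register-AzResourceProvider -ProviderNamespace <namespace>`, which needs Contributor or Owner on the subscription.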
Integration Steps
The following steps set up the FIDO Pre-reg integration so that you can request credentials and pre-enrolled YubiKey shipments from your organization's IT environment:
- Configure the required Azure permissions for the integration developers.
- Configure Microsoft Entra ID to enable container authentication.
- Deploy the Azure components (the resource group and the ARM template).
- Test and verify the deployment, for example with a test client.
- Request credentials and/or shipment of one or more physical YubiKeys.
The following sections describe each step in detail.