Deploying to Azure

Following these steps, you will deploy the FIDO Connector app itself, along with the underlying infrastructure and the required configuration changes. Before you start the deployment, ensure that you have successfully completed the previous steps and that you have the appropriate permissions to deploy Azure services. See Prerequisites.

Creating an API Token

To create a Yubico API authentication token, sign in to the Customer Portal with the account for the application that will be calling the YubiEnterprise API. Click the organization name on the top of the left menu and select Manage API token. In the token dialog that appears, click Create API token and save the token for future use. For more information, see Creating API Tokens.

Creating a Resource Group

Note

The Subscription Owner role or equivalent is required for this step.

To create a Resource group, do the following:

  1. Login to the Azure Portal.
  2. Search for Resource groups.
  3. Click Create.
  4. Select the appropriate Subscription and Region, and provide an appropriate Resource group name, for example “Yubico FIDO Pre-reg Service”.
  5. Click Review + create.

Creating a Custom Role

Note

This step is optional if you have the Global Administrator role or are the owner of the subscription. Otherwise, you need a role that lets you create a Custom Role.

To create a Custom role, do the following:

  1. In a text editor, open the file yubico-fpr-deploy-custom-role-permissions.json and do the following:
    1. Find and replace {role_name} with a descriptive role name, for example “Yubico FIDO Pre-reg Custom Role”.
    2. Find and replace {subscription_id} with the appropriate subscription ID.
    3. Find and replace {rg_name} with the appropriate resource group name.
  2. Save the JSON file.
  3. In the Azure portal, go to the previously created Resource Group.
  4. Go to Access control (IAM), click Add and select “Add Custom Role”.
  5. For Baseline permissions, select “Start from JSON”.
  6. Select the previously edited yubico-fpr-deploy-custom-role-permissions.json.
  7. The Custom role name field and the Assignable scopes tab are populated according to the edits made to the JSON file.
  8. Click Review + create.
  9. Verify that everything looks correct and click Create.
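The find-and-replace in step 1 is easy to get wrong in a way that only shows up when the portal rejects the file, or, worse, when the role ends up assignable at subscription scope. The script below is an added example (not Yubico's yubico-fpr-deploy-custom-role-permissions.json and not part of the guide): ROLE_TEMPLATE is a constructed stand-in that uses the three placeholder names the guide tells you to replace, fill_role_template substitutes them with JSON-escaped values and parses the result to prove it is still valid JSON, and scope_problems flags any AssignableScopes entry that is broader than a single resource group.

```python
"""Fill in the placeholders of an Azure custom-role definition and check its scope.

Added example; it is not Yubico's yubico-fpr-deploy-custom-role-permissions.json.
ROLE_TEMPLATE is a constructed stand-in that mirrors the generic Azure
custom-role layout and uses the three placeholder names the guide tells you to
replace; the real file's Actions list is not reproduced here.
"""
import json
import re

ROLE_TEMPLATE = """{
  "Name": "{role_name}",
  "IsCustom": true,
  "Description": "Deploys the FIDO Connector resources into one resource group",
  "Actions": ["Microsoft.Resources/deployments/*"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/{subscription_id}/resourceGroups/{rg_name}"]
}"""

PLACEHOLDERS = ("role_name", "subscription_id", "rg_name")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def fill_role_template(template: str, role_name: str, subscription_id: str, rg_name: str) -> dict:
    """Replace the three placeholders and return the parsed role definition.

    Values are JSON-escaped before substitution so that a name containing quotes
    cannot break the document, and the result is parsed to prove it is still
    valid JSON before it is uploaded through "Start from JSON".
    """
    if not GUID_RE.match(subscription_id):
        raise ValueError("subscription_id must be a GUID")
    values = {"role_name": role_name, "subscription_id": subscription_id, "rg_name": rg_name}
    filled = template
    for key in PLACEHOLDERS:
        filled = filled.replace("{" + key + "}", json.dumps(values[key])[1:-1])
    leftover = [key for key in PLACEHOLDERS if "{" + key + "}" in filled]
    if leftover:
        raise ValueError(f"placeholders still present: {leftover}")
    return json.loads(filled)


def scope_problems(role: dict) -> list:
    """List reasons the role could be assigned more broadly than one resource group."""
    scopes = role.get("AssignableScopes", [])
    problems = []
    if not scopes:
        problems.append("AssignableScopes is empty")
    for scope in scopes:
        # A subscription- or tenant-level scope lets the role be granted far beyond
        # the resource group the deployment actually needs.
        if "/resourceGroups/" not in scope:
            problems.append(f"scope not limited to a resource group: {scope}")
    return problems


if __name__ == "__main__":
    role = fill_role_template(
        ROLE_TEMPLATE,
        "Yubico FIDO Pre-reg Custom Role",
        "00000000-0000-0000-0000-000000000000",  # constructed subscription ID
        "yubico-fido-prereg",                    # constructed resource group name
    )
    print(json.dumps(role, indent=2))
    print("findings:", scope_problems(role))
```

Run it against the real file by reading it into the template argument; an empty findings list means the role is scoped to the resource group you created in the previous section, which is what the later deployment steps need and no more.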

Assigning the Custom Role

Note

This step is optional if you have the Global Administrator role or are the owner of the subscription.

To assign the Custom role to users, do the following:

  1. In the Azure portal, go to the previously created Resource Group.
  2. Go to Access control (IAM).
  3. Click Add > Add role assignment.
  4. Select the Privileged administrator roles tab.
  5. Search for and select the previously created Custom role name.
  6. Click Next.
  7. On the Members tab, verify that the selected role is correct, and select the appropriate members to assign this role to.
  8. Click Next.
  9. On the Conditions tab, verify that the selected role is correct, and select Allow user to assign all roles (highly privileged).
  10. Click Next.
  11. Click Review + assign.
  12. Verify the information and click Review + assign.

Verifying Custom Role Assignment

Note

This step is optional if you have the Global Administrator role or are the owner of the subscription.

To verify custom role assignments, do the following:

  1. In the Azure portal, go to the previously created Resource Group.
  2. Go to Access control (IAM).
  3. Click Check access.
  4. Search for and select users previously assigned to the custom role.
  5. Under Role assignments, verify that the custom role was assigned to the user.

Deploying the ARM Template

Note

The previously created Custom Role, Global Administrator, or Subscription Owner role is required for this part of the deployment.

To deploy the ARM template, do the following:

  1. Sign in to the Azure portal.
  2. Search for and select Deploy a custom template.
  3. Click Build your own template in the editor.
  4. Click Load file, then select the ARM template file provided by Yubico.
  5. Click Save.
  6. In the configuration menu, provide the following values:
    • Subscription: Select the appropriate subscription.
    • Resource group: Select or create a resource group for this deployment.
    • Region: Select the appropriate region.
    • MS_Login_Online_Endpoint: Use default, only change if your tenant uses a different Microsoft endpoint.
    • MS_Graph_Endpoint: Use default, only change if your tenant uses a different Microsoft endpoint.
    • Azure_Mgmt_Endpoint: Use default, only change if your tenant uses a different Microsoft endpoint.
    • Azure_Vault: Use default, only change if your tenant uses a different Microsoft Login endpoint.
    • Key Vault_Resource_Name: Provide a unique name for your key vault instance.
    • Azure_Storage: Use default, only change if your tenant uses a different Microsoft endpoint.
    • Storage Account_Resource_Name: Provide a unique name for the storage instance.
    • YED_API_TOKEN: Paste the value you saved when creating the API token.
    • Container_App_Name: Provide a unique name in lower case.
    • Container_Registry_Name: The Registry name provided by Yubico.
    • Container_Image_Name_Tag: The Registry Container Image name and version Tag provided by Yubico.
    • Container_Registry_User: The Registry user name provided by Yubico.
    • Container_Registry_Password: The Registry password provided by Yubico.
    • FIDO_Connector_Client_Id: Client ID value from the app registration.
    • FIDO_Connector_Client_Secret: Client Secret value from the app registration.
    • FIDO_Connector_Allowed_Audiences: Value from Exposing the API when registering the app. List of scopes/audiences that a client application must use when calling the app’s API. Default value: api://fido-connector-api.{verified domain name}. Ensure this is formatted as an array of strings, for example ["scope_1", "scope_2"].
    • FIDO_Connector_Allowed_Client_Apps: Value from Exposing the API when registering the app. List of app registrations that are allowed to call this app’s API, as registered in app registrations. If the optional app registration was performed, its ID can be used as the ID string. Ensure this is formatted as an array of strings containing each client app ID, for example ["client_app_id_1"].
    • Workflows_Send_shipment_pin_name: Use default, or set a name based on your preferred naming convention.
    • The ARM template includes a reference implementation of the private endpoints listed below, used by the FIDO Connector Container app (default values do not need to be changed):
      • virtualNetworkName: Use default, or set a name based on your preferred naming convention.
      • virtualNetworkAddressPrefix: Use default, or set a desired IP address range.
      • subnetName: Use default, or set a name based on preferred naming convention.
      • subnetAddressPrefix: Use default, or set a desired IP address range.
      • privateEndpointSubnetName: Use default, or set a name based on preferred naming convention.
      • privateEndpointSubnetAddressPrefix: Use default, or set a desired IP address range.
      • keyVaultPrivateEndpointName: Use default, or set a name based on preferred naming convention.
      • tableStorageAccountPrivateEndpointName: Use default, or set a name based on preferred naming convention.
    • For PingOne PingID:
    • For PingOne AIC:
  7. Click Review + create.
  8. After successful deployment, verify that the resources were created.
  9. Open the Container app and save the Application Url value for the parameter FIDO_Connector_Host_URL for later use.
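Two of the template values above must be arrays of strings, one must be lower case, and several are secrets that the portal form will not validate for you. The following is an added example (not Yubico's template, not a Yubico tool): check_parameters runs those checks on the values before you type them in, and to_parameters_file renders the same values as an ARM parameters file for a command-line deployment. The parameter names are the ones listed in the guide; the sample values are constructed placeholders, and the api://<host> audience pattern is an assumption based on the guide's default api://fido-connector-api.{verified domain name}.

```python
"""Pre-flight checks for the values entered into the FIDO Connector ARM template.

Added example; not part of Yubico's template or this guide. The parameter names
are the ones the guide lists; the sample values below are constructed, and the
api:// audience pattern is an assumption based on the guide's default
api://fido-connector-api.{verified domain name}.
"""
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
AUDIENCE_RE = re.compile(r"^api://[A-Za-z0-9][A-Za-z0-9.\-]*$")  # assumption, see docstring
SECRET_PARAMETERS = ("YED_API_TOKEN", "Container_Registry_Password", "FIDO_Connector_Client_Secret")


def check_parameters(params: dict) -> list:
    """Return a list of findings; an empty list means the values are ready to enter."""
    findings = []

    audiences = params.get("FIDO_Connector_Allowed_Audiences")
    if not isinstance(audiences, list) or not audiences:
        findings.append("FIDO_Connector_Allowed_Audiences must be a non-empty array of strings")
    else:
        for audience in audiences:
            if not isinstance(audience, str) or not AUDIENCE_RE.match(audience):
                findings.append(f"audience is not of the form api://<host>: {audience!r}")

    # The guide says the client-app registration is optional, so an empty array is fine,
    # but every entry present must be an application (client) ID.
    client_apps = params.get("FIDO_Connector_Allowed_Client_Apps")
    if not isinstance(client_apps, list):
        findings.append("FIDO_Connector_Allowed_Client_Apps must be an array of strings (may be empty)")
    else:
        for app_id in client_apps:
            if not isinstance(app_id, str) or not GUID_RE.match(app_id):
                findings.append(f"client app entry is not a client ID GUID: {app_id!r}")

    if not GUID_RE.match(params.get("FIDO_Connector_Client_Id", "")):
        findings.append("FIDO_Connector_Client_Id must be the app registration's client ID GUID")

    name = params.get("Container_App_Name", "")
    if not name or name != name.lower():
        findings.append("Container_App_Name must be non-empty and lower case")

    for key in SECRET_PARAMETERS:
        if not params.get(key):
            findings.append(f"{key} is empty")
    return findings


def to_parameters_file(params: dict) -> str:
    """Render the values as an ARM parameters file, e.g. for
    az deployment group create --template-file <template> --parameters @params.json.
    The file contains the secrets in clear text, so keep it out of source control."""
    body = {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {key: {"value": value} for key, value in params.items()},
    }
    return json.dumps(body, indent=2)


# Constructed sample input; every value is a placeholder.
SAMPLE = {
    "Container_App_Name": "fido-connector",
    "YED_API_TOKEN": "<token saved from the Customer Portal>",
    "Container_Registry_Password": "<password provided by Yubico>",
    "FIDO_Connector_Client_Id": "11111111-2222-3333-4444-555555555555",
    "FIDO_Connector_Client_Secret": "<client secret from the app registration>",
    "FIDO_Connector_Allowed_Audiences": ["api://fido-connector-api.example.com"],
    "FIDO_Connector_Allowed_Client_Apps": ["66666666-7777-8888-9999-aaaaaaaaaaaa"],
}

if __name__ == "__main__":
    for finding in check_parameters(SAMPLE) or ["no findings"]:
        print(finding)
    print(to_parameters_file(SAMPLE))
```

The checks only cover the parameters the guide calls out as easy to misformat; the endpoint and private-endpoint parameters keep their defaults and are not validated here.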

Configuring Container App Permissions

Note

This step requires the Subscription Owner role, or a role that can create role assignments.

To configure Key Vault and Storage permissions for the Container App, do the following:

  1. In the Azure portal, go to Resource Group > Container App.
  2. In the left navigation, click Security > Identity.
  3. Click Azure role assignments.
  4. Ensure the correct subscription is selected.
  5. Click Add role assignment and configure as follows:
    1. For Scope, select “Key Vault”.
    2. For Subscription, enter your subscription.
    3. For Resource, enter the Key Vault you deployed with this template.
    4. For Role, select “Key Vault Administrator”.
    5. Click Save.
  6. Click Add role assignment and configure as follows:
    1. For Scope, select “Storage”.
    2. For Subscription, enter your subscription.
    3. For Resource, enter the Storage Account you deployed with this template.
    4. For Role, select “Storage Table Data Contributor”.
    5. Click Save.
  7. Click Refresh and verify that the two roles were successfully added.

Authorizing Logic App Office 365 Usage

To authorize the Logic App to call the Outlook/Office365 connector, do the following:

  1. In the Azure portal, go to Resource Group > Send_shipment_pin Logic App.
  2. In the left navigation, click Development Tools > API connections.
  3. Select office365.
  4. Go to General > Edit API connection.
  5. Click Authorize.
  6. Click Authorize again.
  7. Sign in with the account that will be used as sender of FIDO Pre-reg PIN emails.
  8. After signing in, select Save.

Configuring Environment Variables

Note

To use PingOne PingID or PingOne AIC as the default IdP, you need to change the environment variables configured in the Container App to the values described below. Restart the application when done.

To configure environment variables for the Container app, do the following:

  1. In the Azure portal, go to Resource Group > Send_shipment_pin Logic App.

  2. Save the Workflow URL; it is used as the Send_PIN_URL value below.

  3. Go to Resource Group > Container App.

  4. In the left navigation, click Application > Containers.

  5. Select the Environment variables tab.

  6. Update the value for EMAIL_API_SEND_ENDPOINT to the value of parameter Send_PIN_URL saved in step 2.

  7. Click Add and add the following environment variables with source set to “Manual Entry”:

    For PingOne PingID:

    Name                                    Value
    IDP_DEFAULT                             pingone
    PINGONE_ENVIRONMENT                     Your PingOne PingID Environment ID, see
    PINGONE_DEFAULT_RELYING_PARTY           pingone.com or custom value.
    PINGONE_AUTH_BASE_URL                   https://auth.pingone.com or custom value.
    PINGONE_API_BASE_URL                    https://api.pingone.com/v1 or custom value.
    PINGONE_PRE_REGISTRATION_TIMEOUT_DAYS   15

    For PingOne AIC:

    Name                                    Value
    IDP_DEFAULT                             ping-aic
    PING_AIC_REALM                          Your PingOne AIC environment ID or realm name.
    PING_AIC_DEFAULT_RELYING_PARTY          Custom value.
    PING_AIC_AUTH_BASE_URL                  Custom value.
    PING_AIC_API_BASE_URL                   Custom value.
    PING_AIC_PRE_REGISTRATION_TIMEOUT_DAYS  Ping AIC timeout is configured in the Journey.
    PING_AIC_JOURNEY                        Registration Journey name, see

  8. Click Save as a new revision.

  9. Click Overview in the left navigation.

  10. Stop then Start the container to ensure the new environment variables are loaded.
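A missing or mistyped variable in the tables above only surfaces once the container restarts and pre-registration calls start failing. The script below is an added example (not Yubico tooling) that checks an exported environment-variable list before you restart: it confirms EMAIL_API_SEND_ENDPOINT is an https workflow URL, that IDP_DEFAULT is one of the two documented values, and that every variable the matching table lists is present, with https base URLs and a positive timeout. The input shape, a list of {"name", "value"} objects as az containerapp show reports under properties.template.containers[].env, is an assumption; the sample list is constructed. PING_AIC_PRE_REGISTRATION_TIMEOUT_DAYS is not treated as required because the guide says the AIC timeout is configured in the Journey.

```python
"""Check a Container App's environment variables against the two IdP tables.

Added example; not Yubico tooling. The input shape (a list of {"name", "value"}
objects) is assumed to match what az containerapp show reports under
properties.template.containers[].env; adapt it if your export differs. The
required-variable lists come from the guide's tables.
"""
from urllib.parse import urlparse

REQUIRED_BY_IDP = {
    "pingone": (
        "PINGONE_ENVIRONMENT",
        "PINGONE_DEFAULT_RELYING_PARTY",
        "PINGONE_AUTH_BASE_URL",
        "PINGONE_API_BASE_URL",
        "PINGONE_PRE_REGISTRATION_TIMEOUT_DAYS",
    ),
    "ping-aic": (
        "PING_AIC_REALM",
        "PING_AIC_DEFAULT_RELYING_PARTY",
        "PING_AIC_AUTH_BASE_URL",
        "PING_AIC_API_BASE_URL",
        "PING_AIC_JOURNEY",  # the AIC timeout lives in the Journey, so no timeout variable is required
    ),
}


def _is_https(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_env(env: list) -> list:
    """Return findings for missing, empty or malformed variables; empty list means OK."""
    values = {item["name"]: item.get("value", "") for item in env}
    findings = []

    # Step 6 above: the Logic App workflow URL that delivers shipment PIN e-mails.
    if not _is_https(values.get("EMAIL_API_SEND_ENDPOINT", "")):
        findings.append("EMAIL_API_SEND_ENDPOINT must be the Logic App workflow URL (https)")

    idp = values.get("IDP_DEFAULT", "")
    if idp not in REQUIRED_BY_IDP:
        findings.append(f"IDP_DEFAULT must be one of {sorted(REQUIRED_BY_IDP)}, got {idp!r}")
        return findings

    for name in REQUIRED_BY_IDP[idp]:
        value = values.get(name, "")
        if not value:
            findings.append(f"{name} is missing or empty")
        elif name.endswith("_BASE_URL") and not _is_https(value):
            findings.append(f"{name} must be an https URL, got {value!r}")
        elif name.endswith("_TIMEOUT_DAYS") and not (value.isdigit() and int(value) > 0):
            findings.append(f"{name} must be a positive whole number of days, got {value!r}")
    return findings


# Constructed sample in the assumed az containerapp show shape; the URLs are placeholders.
SAMPLE_ENV = [
    {"name": "EMAIL_API_SEND_ENDPOINT", "value": "https://logicapp.example.invalid/workflows/send-shipment-pin"},
    {"name": "IDP_DEFAULT", "value": "pingone"},
    {"name": "PINGONE_ENVIRONMENT", "value": "00000000-0000-0000-0000-000000000000"},
    {"name": "PINGONE_DEFAULT_RELYING_PARTY", "value": "pingone.com"},
    {"name": "PINGONE_AUTH_BASE_URL", "value": "https://auth.pingone.com"},
    {"name": "PINGONE_API_BASE_URL", "value": "https://api.pingone.com/v1"},
    {"name": "PINGONE_PRE_REGISTRATION_TIMEOUT_DAYS", "value": "15"},
]

if __name__ == "__main__":
    for finding in check_env(SAMPLE_ENV) or ["no findings"]:
        print(finding)
```

Run the check on the export taken after step 8 (the new revision) and before step 10, so that a typo is caught before the container is restarted with a broken configuration.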