Keep Object HID Origo Model

Please Note that these features are still in development. This site uses Feenics Model Nuget Package Version: 1.9.226.

The following objects are all apart of the Keep object model but for your convenience have been separated into its own section.

From HID Origo Site:

HID Origo was built to accelerate the trend of helping organizations become more secure, efficient and data-driven through cloud technologies. This cloud-based platform provides seamless and consistent service while improving how access control solutions are delivered. In addition, HID Origo opens opportunities for adoption of new, more flexible service subscription models while reducing costs and increasing operational efficiency.

Key Benefits

  • Reliability: Trust a secure infrastructure backed by the world’s leading cloud vendors, validated by industry certifications and delivered via HID Global’s service level agreements and support

  • Connectivity: Access and manage a trusted ecosystem of cloud-connected access control devices, applications and trusted mobile identities in one place

  • Insights: Utilize data to ensure a seamless user experience, provide operational efficiency and make decisions to guide the business forward

Summary

KeepAPI exposes new endpoints / resources and extensions to the existing data model to facilitate integration with the HID Mobile Access Credentials product, Origo. Currently all access to the is through the API, with future plans to incorporate the Origo integration into the Windows and Web Client user interfaces.

Licensing

Origo Integration is a licensable feature. An example license request would be:

{
                    "Environment": "DEV",
                    "InstanceKey": "{{ WorkingInstance.Key }}",
                    "LicensedBy": {
                        "CompanyName": "Feenics Inc",
                        "EmailAddress": "ralph.shillington@feenics.com",
                        "MailingAddress": {
                            "Street": "301 - 2310 St. Laurent Blvd",
                            "City": "Ottawa",
                            "Province": "ON",
                            "Country": "CA",
                            "PostalCode": "K1G 5H9"
                        },
                        "PhoneNumber": "613-520-2455"
                    },
                    "Licensee": {
                        "CompanyName": "Feenics Inc - Development",
                        "EmailAddress": "ralph.shillington@feenics.co",
                        "MailingAddress": {
                            "Street": "302 - 2310 St. Laurent Blvd",
                            "City": "Ottawa",
                            "Province": "ON",
                            "Country": "CA",
                            "PostalCode": "K1C 5J9"
                        },
                        "PhoneNumber": "613-520-2426"
                    },
                    "PurchaseOrder": "RALPH",
                    "RequestingComponents": [
                        {
                            "PrivateProductCode": "ORIGO",
                            "ValueAdded": 1
                        }
                    ]
                }

Permissions

Users that will be configuring the Origo integration must have the OrigoAdmin action attached to the Instance object type. Of course administrators with *,* permissions will automatically have this permission.

Configuration

Configuration can be set or updated by with POST method to the endpoint /api/origo/configuration The currently stored configuration can not be retrieved by the API user since it contains sensitive information. Subsequent POST methods will replace the existing configuration.

Setting the Configuration, will automatically register the instance to receive callback messages.

Response Condition Description
401 NotAuthorized failed to find and operation right for the current user with action of OrigoAdmin on the object type Instance
409 Conflict Missing license for this instance.
400 BadRequest Failed to log into Origo with the supplied credentials
400 BadRequest Failed to register the callback endpoint with Origo
200 Ok Configuration has been saved, and the callback endpoint has been registered with Origo

Example setting configuration

In this example, the [keepcli](/concepts/keepcli/) tool is used to maintain credentials to the KeepApi endpoint. The example configures the default defined instance. The example posts the contents of the file origoconfig.json

INSTANCE=$(keepcli test -j)
BASEADDRESS=$(echo $INSTANCE | jq -r .BaseAddress)
TOKEN=$(echo $INSTANCE | jq -r .Token)

curl -v -X POST -d @origoconfig.json -H 'Content-Type: application/json' -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" ${BASEADDRESS}/api/origo/configuration

C sharp Example

await client.SetOrigoCustomerConfiguration(root, new OrigoCustomerConfiguration {ClientId = "1000582-SRV1620440120", CustomerId = "1000582", DefaultPartNumber = "MID-SUB-CRD_FTPN_30176", GrantType = "client_credentials", ClientSecret = "password_goes_here"});

The contents of the configuration information is obtained from HID by the customer’s administrator using the HID Origo portal. It’s important to note that the user may have access to both a pre-production and production HID portal

{
    "CustomerId":"1000582",
    "ClientId":"1000582-SRV1620440120",
    "ClientSecret":"password_goes_here",
    "GrantType":"client_credentials",
    "DefaultPartNumber":"MID-SUB-CRD_FTPN_30176"
}

Confirm Origo Customer

The Api exposes a new endpoint to get the Origo Customer information for the configured CustomerId: /api/origo/customer. The following script gets the customer information

INSTANCE=$(keepcli test -j)
BASEADDRESS=$(echo $INSTANCE | jq -r .BaseAddress)
TOKEN=$(echo $INSTANCE | jq -r .Token)
curl -s -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" ${BASEADDRESS}/api/origo/customer | json_pp
{
   "Name" : "FEENICS-TP-D_SUB",
   "Id" : "1000582",
   "SubscriptionMode" : "Full term subscription",
   "pendingInvitations" : 0,
   "TotalUsers" : 18,
   "$type" : "Feenics.Keep.Origo.Customer, Feenics.Keep.WebApi.Model",
   "urn:hid:scim:api:ma:2.0:LicenseInfo" : [
      {
         "ConsumedQty" : 0,
         "AvailableQty" : 100,
         "StartDate" : "2019-05-27T00:00:00Z",
         "PartNumber" : "MID-SUB-T100",
         "LicenseState" : "Good Standing",
         "StatusMessage" : "Good Standing",
         "PeriodState" : "Normal",
         "EndDate" : "2020-05-26T00:00:00Z",
         "Name" : "T100 Subscription",
         "$type" : "Feenics.Keep.Origo.License, Feenics.Keep.WebApi.Model"
      }
   ],
   "MobileKeysets" : "MOB0001, MOB0022",
   "ActiveUsers" : 0
}

Normal Operation

Once properly configured, the normal operation of the integration is largely ‘behind the scenes’. There is only one additional Origo specific endpoint that has been added to the PersonInfo resource: /origo/issue.

To issue a mobile credential a cardholder must already exist in the Keep instance. In the case of a Enterprise instances, the card holder may exist in either the root instance, or the shared instance.

Internally the processing of issuing a mobile credential involves several steps:

  1. Confirm the cardholder exists as an Origo user, and if not, then add the user
  2. Create an invitation code, send invitation email, and create credential (all one call to Origo)
  3. Wait for an ISSUED status callback for the requested credential
  4. Create the CardAssignmentInfo object and attach it to the PersonInfo object in Keep.

The ISSUED status will be sent from Origo to Keep (via the preconfigured endpoint that was provisioned at the time of setting the Origo Configuration). This call only occurs after the mobile device has successfully downloaded the credential. It is the callback handler that creates the CardAssignmentInfo object attaches it to the PersonInfo and raises the appropriate event, such that the Mercury Service pushes the Mobile Credential card number to the appropriate controllers.

Example of issuing a new mobile credential

In this example keepcli is being used to provide authentication to the Keep api, using it’s default configuration. A search by moniker is executed for a specific person, and a POST to /origo/issue on Person is called, sending the requested activeOn and expiresOn values (UTC).

In a separate window use keepcli to subscribe to events, to observe the mobile credential being issued.

keepcli subscribe | jq '{d:.PublishedOn."$date"| (. / 1000 | todate),m:.MessageLong,et:.ObjectLinks[] | select(.Relation=="PublishingEventType")|.CommonN
ame,bd:.EventData.BeforeData, ad:.EventData.AfterData}'

With the event subscriber running, issue a new mobile credential.

#!/bin/bash

INSTANCE=$(keepcli test -j)
BASEADDRESS=$(echo $INSTANCE | jq -r .BaseAddress)
TOKEN=$(echo $INSTANCE | jq -r .Token)

BODY='{"activeOn":"2019-09-04T:00:00.0000000+00:00","expiresOn":"2019-09-04T07:00:00.0000000+00:00"}'
PERSON=$(keepcli search -s '{"Monikers":{"$elemMatch":{"Nickname":"ralshi", "Namespace":"feenicsdev.people"}}}' | jq -r .Href)
echo ${BASEADDRESS}${PERSON}/origo/issue

echo ${BODY}

curl -v -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" -d ${BODY} ${BASEADDRESS}${PERSON}/origo/issue

Currently it is possible that the issue request will fail with an HTTP Status of 400 and a response body of:

{
  "$type": "Feenics.Keep.WebApi.ErrorResponse, WebApi",
  "Error": "OrigoOperation",
  "Message": "Failed to get send invite. Status=InternalServerError response: {\"schemas\":[\"urn:hid:scim:api:ma:2.0:Error\"],\"detail\":\"We are unable to continue with your request, due to technical difficulty with Subscription Service. Please try again or contact your support.\",\"status\":500}"
}

This is a known issue with HID Origo, and occurs occasionally when issuing both a new user request immediately followed by a new invitation request. In this circumstance it’s OK to retry the request. On the second call the user will exist in Origo and the new invitation email and invitation code will be sent to the user.

When the user accepts the invitation and receives the credential on the mobile device, Origo will send an ISSUED event to the registered Keep endpoint for the instance and a credential will be issued, which can be observed in the window that is subscribing to events.

{
  "d": "2019-09-04T23:57:10Z",
  "m": "Shillington, Ralph card 24 modified by System Administrator. Action POST",
  "et": "Object Modified",
  "bd": null,
  "ad": {
    "_t": [
      "Item",
      "CardAssignmentInfo"
    ],
    "Href": "/api/f/5d52b8b453b83b0001f25361/people/10436012/cards/5d704f562bc5040001225f80",
    "Key": "5d704f562bc5040001225f80",
    "EncodedCardNumber": 24,
    "DisplayCardNumber": "24",
    "ActiveOn": {
      "$date": 1567486800000
    },
    "ExpiresOn": {
      "$date": 1567494000000
    },
    "PinCode": null,
    "AntiPassbackExempt": false,
    "ExtendedAccess": false,
    "PinExempt": false,
    "IsDisabled": false,
    "ManagerLevel": 0,
    "OriginalUseCount": null,
    "CurrentUseCount": 0,
    "Note": null,
    "HexValue": null,
    "RecordId": 6,
    "LastUsed": null,
    "OrigoCredentialId": 10436012
  }
}

Note the OrigoCredentialId property that is available both in the EventData.AfterData property of the EventMessageData and is also present on the CardAssignment entry for the new mobile credential. This non-zero value is the indicator that the credential is a mobile credential.

Example of revoking a Mobile Credential

In this example, simply setting the expired on value to something less than DateTime.UtcNow on the mobile credential will trigger a call to Origo by the KeepAPI to revoke the credential.

INSTANCE=$(keepcli test -j)
BASEADDRESS=$(echo $INSTANCE | jq -r .BaseAddress)
TOKEN=$(echo $INSTANCE | jq -r .Token)
CARDURL=$(keepcli search -s '{"Monikers":{"$elemMatch":{"Nickname":"ralshi", "Namespace":"feenicsdev.people"}}}' | jq -r .CardAssignments[0].Href)

echo ${BASEADDRESS}${CARDURL}
curl -s -H 'Content-Type: application/json' -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" ${BASEADDRESS}${CARDURL} | jq '.ExpiresOn=.ActiveOn' | \
curl -v -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" -d @- ${BASEADDRESS}${CARDURL} | jq .

This sample script assumes the first member of the CardAssignments array for the selected person is a mobile credential. Using the card assignment URL, the first cUrl command retrieves the CardAssignmentInfo details, and uses jq to set the ExpiresOn field to the same value as the ActiveOn value (effectively making the card revoked.)

Observe in the event subscriber window the updated CardAssignmentInfo object, immediately followed by an Origo Command Sent event, which instructs Origo to revoke the mobile credential.

{
  "d": "2019-09-05T00:16:42Z",
  "m": "Shillington, Ralph modified by System Administrator. Action PUT",
  "et": "Object Modified",
  "bd": {
    "_t": [
      "Item",
      "[**CardAssignmentInfo**](/object-model/cardassignmentinfo/)"
    ],
    "Href": "/api/f/5d6eac48c198dc0001664425/people/5d704ec62bc5040001225f6c/cards/5d704f562bc5040001225f80",
    "Key": "5d704f562bc5040001225f80",
    "EncodedCardNumber": 24,
    "DisplayCardNumber": "24",
    "ActiveOn": {
      "$date": 1567486800000
    },
    "ExpiresOn": {
      "$date": 1567494000000
    },
    "PinCode": null,
    "AntiPassbackExempt": false,
    "ExtendedAccess": false,
    "PinExempt": false,
    "IsDisabled": false,
    "ManagerLevel": 0,
    "OriginalUseCount": null,
    "CurrentUseCount": 0,
    "Note": null,
    "HexValue": null,
    "RecordId": 6,
    "LastUsed": null,
    "OrigoCredentialId": 10436012
  },
  "ad": {
    "_t": [
      "Item",
      "CardAssignmentInfo"
    ],
    "Href": "/api/f/5d6eac48c198dc0001664425/people/5d704ec62bc5040001225f6c/cards/5d704f562bc5040001225f80",
    "Key": "5d704f562bc5040001225f80",
    "EncodedCardNumber": 24,
    "DisplayCardNumber": "24",
    "ActiveOn": {
      "$date": 1567486800000
    },
    "ExpiresOn": {
      "$date": 1567486800000
    },
    "PinCode": null,
    "AntiPassbackExempt": false,
    "ExtendedAccess": false,
    "PinExempt": false,
    "IsDisabled": false,
    "ManagerLevel": 0,
    "OriginalUseCount": null,
    "CurrentUseCount": 0,
    "Note": null,
    "HexValue": null,
    "RecordId": 6,
    "LastUsed": null,
    "OrigoCredentialId": 10436012
  }
}
{
  "d": "2019-09-05T00:16:43Z",
  "m": "Origo Command Sent",
  "et": "Origo Command Sent",
  "bd": null,
  "ad": null
}