URIs used by PhenixID Authentication Services, PhenixID Password Self Service and PhenixID Signing Services
This document describes the possible URIs used by PhenixID Authentication Services, PhenixID Password Self Service and PhenixID Signing Services. Behind every URI there is an application or a service listener.
Every URI is exposed through configuration, meaning that if an application/service hasn't been configured, the corresponding URI will not be exposed.
Description
When publishing the different web applications and services in PAS, PSS or Signing, best practice is to allow as little as possible: communication should only be permitted to the specific services needed for the specific configuration. This document describes what needs to be allowed depending on the service and web application used. An example of the communication is available at the end of the document.
Please note that all URI values are configurable! If changed, please adjust your proxy configuration accordingly.
PAS and PPSS
URLs for the different web applications
PhenixID configuration portal:
http(s)://ipordnsnametoserver:port/config
PhenixID MFA Administration:
http(s)://ipordnsnametoserver:port/mfaadmin
PhenixID Self Service:
http(s)://ipordnsnametoserver:port/selfservice
PhenixID Pocket Pass enrollment:
http(s)://ipordnsnametoserver:port/activatepocketpass
PhenixID One Touch enrollment:
http(s)://ipordnsnametoserver:port/activateonetouch
FIDO enrollment:
http(s)://ipordnsnametoserver:port/activatefido
PhenixID MyApps:
http(s)://ipordnsnametoserver:port/myapps
PhenixID Password self service (version 3.2 and later):
http(s)://ipordnsnametoserver:port/pss
URLs for the different services
Web frontend common:
http(s)://ipordnsnametoserver:port/authenticate/*
Web frontend overlays:
http(s)://ipordnsnametoserver:port/overlay/*
SAML IdP:
http(s)://ipordnsnametoserver:port/saml/*
OIDC OP:
http(s)://ipordnsnametoserver:port/oidc/*
http(s)://ipordnsnametoserver:port/<tenant_id>/.well-known/*
http(s)://ipordnsnametoserver:port/api/authentication/*
http(s)://ipordnsnametoserver:port/<tenant_id>/api/authentication/*
HTTP API:
http(s)://ipordnsnametoserver:port/api/authentication/*
http(s)://ipordnsnametoserver:port/<tenant_id>/api/authentication/*
PIPES:
http(s)://ipordnsnametoserver:port/pipes/*
OneTouch enrollment and authentication:
Example of URIs for reverse proxy rules
Self Service:
http://127.0.0.1:8080/selfservice/
Pocket Pass enrollment (if "online key provisioning" has been enabled):
http://127.0.0.1:8080/mfaadmin/otpadmin/api/
http://127.0.0.1:8080/mfaadmin/otpadmin/provision/otpauth
One Touch enrollment:
http://127.0.0.1:8080/mfaadmin/otpadmin/onetouch/enroll
http://127.0.0.1:8080/mfaadmin/otpadmin/onetouch/provision
http://127.0.0.1:8080/mfaadmin/otpadmin/api/
http://127.0.0.1:8080/pki/getactions
http://127.0.0.1:8080/pki/token
http://127.0.0.1:8080/pki/tokens
http://127.0.0.1:8080/tokens/pki
http://127.0.0.1:8080/push (Required if push has been enabled in the profile)
http://127.0.0.1:8080/selfservice/selfservice/js
http://127.0.0.1:8080/selfservice/selfservice/pki/enroll
http://127.0.0.1:8080/pki/token
http://127.0.0.1:8080/selfservice/selfservice/api
http://127.0.0.1:8080/pki/tokens
One Touch auth:
http://127.0.0.1:8080/pki/tokens/
http://127.0.0.1:8080/pki/assignment/
One Touch revoke:
http://127.0.0.1:8080/pki/tokens/
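The reverse proxy rules above are path-prefix allow-lists. The following is an added example, not PhenixID's own code, showing how such an allow-list should be evaluated on a normalised path: the prefixes are taken from the list above, while the request targets (including the "..", double-slash and percent-encoded variants) are constructed for illustration. The point it demonstrates is that a naive prefix check on the raw request line would pass a path like /selfservice/../config, whereas checking after decoding once and collapsing dot segments denies it.

```python
# Added example: a path allow-list matcher in the spirit of the reverse proxy rules
# documented on this page. Not PhenixID code; the prefixes below come from the page,
# the request targets used for testing are constructed.
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Allow-list of path prefixes from the "Example of URIs for reverse proxy rules" section
# (Self Service, Pocket Pass enrollment, One Touch enrollment/auth/revoke).
ALLOWED_PREFIXES = (
    "/selfservice/",
    "/mfaadmin/otpadmin/api/",
    "/mfaadmin/otpadmin/provision/otpauth",
    "/mfaadmin/otpadmin/onetouch/enroll",
    "/mfaadmin/otpadmin/onetouch/provision",
    "/pki/getactions",
    "/pki/token",
    "/pki/tokens",
    "/tokens/pki",
    "/push",
    "/pki/assignment/",
)


def normalise_path(request_target: str) -> str:
    """Reduce a request target to a canonical absolute path for prefix matching.

    Steps: drop the query string, percent-decode exactly once, collapse repeated
    slashes, resolve '.' and '..' segments, and keep a trailing slash if present.
    """
    path = urlsplit(request_target).path
    path = unquote(path)                   # decode once; a second layer is treated as suspicious below
    path = re.sub(r"/+", "/", path)        # "//" would otherwise survive normpath
    trailing_slash = path.endswith("/") and path != "/"
    path = posixpath.normpath(path)        # resolves /a/../b -> /b, /a/./b -> /a/b
    if not path.startswith("/"):
        path = "/" + path
    if trailing_slash and not path.endswith("/"):
        path += "/"                        # normpath strips it; the allow-list entries rely on it
    return path


def is_allowed(request_target: str) -> bool:
    """Return True only if the normalised path sits under one of the allowed prefixes.

    Matching is done on whole path segments, so "/push" does not admit "/pushy".
    A '%' left after a single decode indicates double encoding and is denied.
    """
    path = normalise_path(request_target)
    if "%" in path:
        return False
    for prefix in ALLOWED_PREFIXES:
        base = prefix.rstrip("/")
        if path == base or path == base + "/" or path.startswith(base + "/"):
            return True
    return False


def audit(request_targets):
    """Evaluate a batch of request targets; returns a list of (target, allowed) pairs."""
    return [(target, is_allowed(target)) for target in request_targets]


if __name__ == "__main__":
    # Constructed sample request targets: the first three mirror paths shown on this page,
    # the rest are deliberately outside the allow-list or attempt to escape it.
    SAMPLE_TARGETS = [
        "/selfservice/selfservice/api/entity",
        "/mfaadmin/otpadmin/api/?tokens/prepare/d67793ed1c4c1dddd7c61cc0982b6917",
        "/pki/token/register/dd813370-87c3-479e-9ce4-da2a5e4f6fb3",
        "/config",
        "/selfservice/../config",
        "/selfservice/%2e%2e/config",
        "/selfservice/%252e%252e/config",
        "/pushy",
    ]
    for target, allowed in audit(SAMPLE_TARGETS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {target}")
```

Used as a pre-check in front of the proxy rules, this rejects the configuration portal (/config) and any dot-segment or encoding trick aimed at reaching it through an allowed prefix, while still admitting the enrollment and PKI paths the page lists, query strings included.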
Example of complete communication
Pocket Pass enrollment:
/mfaadmin/otpadmin/api/?tokens/prepare/d67793ed1c4c1dddd7c61cc0982b6917
/mfaadmin/otpadmin/provision/otpauth/?5c73a048-f35a-4872-bc67-4bb28ba02fca
One Touch enrollment:
/mfaadmin/otpadmin/onetouch/enroll/status/5ee705a9-340b-408a-a97b-88fd56f83748
/mfaadmin/otpadmin/onetouch/enroll/start/JTdCJTIydXNlcm5hbWUlMjIlM0ElMjJkNjc3OTNlZDFjNGMxZGRkZDdjNjFjYzA5ODJiNjkxNyUyMiUyQyUyMmRpc3BsYXlfbmFtZSUyMiUzQSUyMm5yNCUyMiUyQyUyMnRpbWVzdGFtcCUyMiUzQSUyMjE1MTYxODg0OTM5OTglMjIlN0Q=
/mfaadmin/otpadmin/onetouch/enroll/status/42e1471b-62c4-4704-b801-dfa389e12734
/mfaadmin/otpadmin/onetouch/provision/start/42e1471b-62c4-4704-b801-dfa389e12734
/mfaadmin/otpadmin/onetouch/provision/chain/42e1471b-62c4-4704-b801-dfa389e12734
/mfaadmin/otpadmin/onetouch/enroll/status/42e1471b-62c4-4704-b801-dfa389e12734
/mfaadmin/otpadmin/api/?d67793ed1c4c1dddd7c61cc0982b6917
/pki/token/register/dd813370-87c3-479e-9ce4-da2a5e4f6fb3
/mfaadmin/otpadmin/onetouch/provision/chain/42e1471b-62c4-4704-b801-dfa389e12734
/pki/tokens/dd813370-87c3-479e-9ce4-da2a5e4f6fb3
/mfaadmin/otpadmin/api/?d67793ed1c4c1dddd7c61cc0982b6917
/pki/tokens/dd813370-87c3-479e-9ce4-da2a5e4f6fb3
/selfservice/selfservice/js/extensions/pki.js
/selfservice/selfservice/pki/enroll/start/JTdCJTIyZGlzcGxheV9uYW1lJTIyJTNBJTIycyUyMiUyQyUyMnRpbWVzdGFtcCUyMiUzQSUyMjE1MTYxODg3ODcxNjclMjIlN0Q=
/selfservice/selfservice/pki/enroll/status/
/selfservice/selfservice/pki/enroll/status/cacfa81f-5d84-428b-a767-8bc6275d88fc
/pki/token/start/12953c01-43e7-4b87-a039-95991ee2d945
/selfservice/selfservice/pki/enroll/status/aeccdc94-ff69-41ca-81e3-3e6f413b09c1
/selfservice/selfservice/api/entity
/pki/token/register/12953c01-43e7-4b87-a039-95991ee2d945
/pki/tokens/12953c01-43e7-4b87-a039-95991ee2d945
One Touch auth:
/pki/tokens/12953c01-43e7-4b87-a039-95991ee2d945
/pki/assignment/confirm/eb2dffbb-3960-43e0-a2a0-aebed7476156
/pki/tokens/12953c01-43e7-4b87-a039-95991ee2d945
One Touch revoke:
/pki/tokens/7b3b2dc3-2b4b-4753-a9ff-d470c71f9190
PhenixID Signing Services
URLs for the different web applications and services
Web frontend common:
http(s)://ipordnsnametoserver:port/authenticate/*
Web frontend overlays:
http(s)://ipordnsnametoserver:port/overlay/*
Federated signing app:
http(s)://ipordnsnametoserver:port/pdf_sign/*
http(s)://ipordnsnametoserver:port/xml_sign/*
Files api:
http(s)://ipordnsnametoserver:port/files/*
Pipes:
http(s)://ipordnsnametoserver:port/pipes/*
Signing and validation app:
http(s)://ipordnsnametoserver:port/signapp/*
http(s)://ipordnsnametoserver:port/validation/*
Seal app:
http(s)://ipordnsnametoserver:port/sealapp/*
http(s)://ipordnsnametoserver:port/validation/*