Integrate Relying Parties for Passkeys (FIDO2) Provisioning

FIDO2 (Fast Identity Online 2) is a passwordless authentication standard that enables secure and phishing-resistant authentication using public-key cryptography. The rapid adoption of passwordless authentication has positioned FIDO2 Passkeys as a key component of modern, secure identity solutions. Organizations using platforms like Microsoft Entra ID, Okta, and other identity providers (IdPs) must ensure seamless FIDO2 credential issuance while enforcing robust security policies. However, managing these credentials across multiple relying parties (RPs) can be complex. The Unifyia Platform simplifies the entire lifecycle of FIDO2 passkeys—including issuance, renewal, PIN changes, resets, and ongoing management—delivering a streamlined experience for both helpdesk personnel and end-users. With single-click credential issuance and support for Microsoft Entra ID, Okta, and other RPs, organizations can achieve the highest level of security (Authenticator Assurance Level) through phishing-resistant, passwordless authentication.

The Unifyia platform allows passkeys (FIDO2) provisioning for relying parties (RPs) by integrating Microsoft Entra ID's FIDO2 provisioning APIs and Okta's user management APIs. These APIs allow fetching user and policy details, posting the registered authenticator information to the relying party, and deleting the provisioned authenticator. The provisioning with the Unifyia platform involves the process of registering, provisioning (issuing), and managing FIDO2 credentials on behalf of relying parties. By leveraging public-key cryptography, strong authentication policies, and multi-device support, RPs can enhance security and user experience while reducing reliance on passwords.

Benefits with the Unifyia Platform

Integrating relying parties such as Entra ID, Okta, or others into the Unifyia platform offers multiple strategic, security, and operational benefits. This integration is essential for delivering a seamless, secure, and scalable passwordless authentication experience across federal, government, and enterprise environments.

  • Centralized Policy Enforcement: Provisioning passkeys through an integrated system allows organizations to enforce uniform authentication policies across all relying parties. This reduces configuration drift and simplifies compliance.
  • Single-Click Issuance and Management: Both operator-assisted and self-service options allow credentials to be issued to multiple relying parties on the same device with a single click , minimizing friction.
  • Streamlined User Experience: Users can register and manage passkeys through a single interface, avoiding redundant setup across different platforms. Once provisioned, passkeys can be used to access multiple relying parties without additional registration steps.
  • Enhanced Security and Phishing Resistance: Passkeys (FIDO2) use public key cryptography, which eliminates shared secrets and significantly reduces phishing risk. Integrating this at the relying party level ensures all authentication flows benefit from strong, modern credential standards.
  • Federated Identity Support: When integrated with an identity broker, relying parties can consume FIDO2-authenticated sessions via federation protocols (SAML, OIDC), allowing passkey authentication to extend to platforms that do not natively support FIDO2.
  • Improved Lifecycle Management: Integrating relying parties allows centralized credential revocation, rotation, and audit tracking. If a passkey is compromised or needs to be removed, administrators can take action that applies across all integrated systems.
  • Regulatory and Standards Alignment: Enterprise adoption of FIDO2 is increasingly aligned with security frameworks such as NIST SP 800-63-4 and Zero Trust Architecture (ZTA). Integrating passkey provisioning supports adherence to these standards with measurable authentication assurance.
  • Scalability and Extensibility: The integration model supports scaling to multiple relying parties and applications without redundant development or configuration efforts. This is ideal for organizations undergoing digital transformation or cloud migration.

Common Parameters

The section outlines the common configurable parameters and their descriptions to add passkeys (FIDO2) policy both for the Unifyia platform and the relying parties.

Parameter Description
Relying Party The list of the supported relying parties. Currently, the platform supports Entra ID and Okta.
Name A unique name to identify the relying party application.
Description Provide a brief description for this configuration.
Client Authentication Method Define the client authentication method used by relying parties during authentication to authenticate to the Authorization Server (the Unifyia platform) using the Token URL. Currently, the following are supported:
  1. Client Secret Sent as Basic Auth: Select this method if the client Secret is to be sent as a part of the basic authentication for the APIs.
  2. JWT Signed With Private Key: Select JSON Web Token (JWT) signed with private key method if the authentication must be done using token signed by the relying party.

Note: The Unifyia platform supports client authentication using JWT signed with a private key for Okta, and client secret sent as basic authentication method for Entra ID.
Token URL This is the relying party endpoint that the Unifyia platform connects to for exchanging the authorization code during the authentication process.
Client ID The client identifier (Application or Client ID created for the Unifyia platform during new application registration on the relying party application) registered with the relying party.
Client Secret This is the client's secret registered with the relying party.
Scopes This field is displayed only when the client authentication method is set to JWT Signed With Private Key. It represents a list of scopes that must be included in the authentication request to obtain authorization. Each scope should be separated by a space. These scopes must be granted during the registration of Unifyia as an application with the relying party.

Note: Since JWT Signed With Private Key is currently supported only for Okta, these scopes must be assigned to the client when configuring the Unifyia platfrom as a client application in Okta.

Public Key This is the public key of the Unifyia platform. This field is visible only when the client authentication method is set to JWT Signed With Private Key and the Unifyia platform's public key is auto-populated.

Add Entra ID as a Relying Party

This section provides instructions on integrating Microsoft's Entra ID as a relying party to enable passkeys (FIDO2) provisioning. You need to have admin credentials to access the Microsoft Entra ID portal and Unifyia platform. The following are the steps:

  1. Step 1: Register Unifyia as an application on the Entra ID application.
  2. Step 2: Complete the integration steps on the Unifyia platform:
    1. Configure connection parameters.
    2. Configure the provisioning API endpoints.

Step 1: Add Unifyia Platform as an Application on the Entra ID Portal

The Unifyia platform needs to be registered as an application with the Microsoft Entra ID (relying party).

Prerequisites

  • You need to have Entra admin credentials to access the Microsoft Entra ID portal.
  • Redirect URI of the Unifyia platform.

Follow the below steps to register Unifyia as an application on Entra ID.

  1. Login as an Entra admin to the Entra ID portal.
  2. In the Microsoft 365 admin center, navigate to Admin Centers > Identity.
  3. In the Microsoft Entra admin center, navigate to Entra ID > App registrations.
  4. Select New registration.
  5. Give the application a user-facing display name, for example, Unifyia Application.
  6. For Supported account types, select Accounts in this organizational directory only (unifyia only - Single tenant).
  7. Select Register. The sub menu for the registered Unifyia web application appears.
  8. Complete the below steps to create a client secret.
    1. Navigate to Manage > Certificates & secrets on the sub menu.
    2. Under Client secrets, select + New client secret.
    3. Enter the following details:
      1. Description: Enter a description for the client's secret being created.
      2. Expires: Select the expiration period for the client secret.
    4. Select Add.
  9. After the client secret string is created, copy its Value to a text editor for later use. You will not be able to copy the value again. Hence, make sure to save it properly.
  10. Navigate to Manage > API permissions on the sub menu. Applications are only authorized to call APIs once they have been granted the necessary permissions by users or admins during the consent process. The list of permissions granted should encompass all the permissions required by the application. In this case, you will need certain delegated and application permissions for the Microsoft Graph APIs. The delegated permissions allow the application to access the APIs as a signed-in user. The application permissions allow the application to run as a background service or daemon without a signed-in user.
  11. Select Add a permission to open the Request API permissions page.
  12. Select Microsoft Graph and assign the delegated and application permissions on the application.
    1. Select Delegated permissions, search for each of the below listed permissions, and check the boxes to select the permissions. Continue till all the permissions are selected and finally select Add Permissions. You will notice that all the permissions are listed under the Configured permissions section.

      2. Permission Type Permission Description
      Directory Directory.AccessAsUser.All
      		 Grants the app the same directory access permissions as the signed-in user.
      SearchConfiguration SearchConfiguration.
      Read.All
      		 Enables the app to read search configuration settings on behalf of the signed-in user.
      SearchConfiguration.
      ReadWrite.All
      		 Enables the app to read and modify search configuration settings on behalf of the signed-in user.
      User User.Read
      		 Allows users to sign-in to the app and enables the app to access the signed-in user's basic profile and company information.
      User.ReadWrite
      		 Allows the app to view and update the signed-in user's profile information.
      User.ReadWrite.All Grants the app permission to view and modify full set of profile details, reports, and managers of other users in the organization, on behalf of the signed-in user.
      UserAuthentication
      Method             		UserAuthenticationMethod.
      Read
      		 Allows the app to access the signed-in user's authentication methods (e.g., phone numbers, Authenticator app settings). Does not allow access to passwords or the ability to sign in on behalf of the user.
      UserAuthenticationMethod.
      ReadWrite
      		 Allows the app to read and update the signed-in user's authentication methods, including phone numbers and Authenticator app settings. Does not permit access to passwords or signing in.
    2. The delegated permissions are listed under the Configured permissions section. The next step is to add application permissions.
    3. Select Add a permission > Microsoft Graph > Application permissions. Search for each of the below listed permissions, and check the boxes to select the permissions. Continue till all the permissions are selected and finally select Add Permissions. You will notice that all the permissions are listed under the Configured permissions section.

      4. Permission Type Permissions Description
      SearchConfiguration SearchConfiguration.
      Read.All
      		Allows the app to read search configuration settings without requiring a signed-in user.
      SearchConfiguration.
      ReadWrite.All       		Allows the app to read and modify search configuration settings without a signed-in user.
      User User.ReadWrite.All
      		 Grants the app permission to view and update user profiles across the organization without a signed-in user.
      UserAuthentication
      Method       		UserAuthenticationMethod.
      ReadWrite.All       		Enables the app to read and update authentication methods (e.g., phone numbers, Authenticator settings) for all users in the organization, without a signed-in user. Passwords and the ability to sign in are not accessible.
      UserAuthenticationMethod.
      Read.All
      		Enables the app to read authentication methods (e.g., phone numbers, Authenticator settings) for all users in the organization, without requiring a signed-in user. Passwords and sign-in capabilities are not accessible.
  13. The next step is to grant admin consent for the requested permissions for all accounts in your Entra ID tenant. Select Grant admin consent for <tenantname> which can be seen right beside the Add a permission option. Select Yes on the Grant admin consent confirmation pop up window. You will notice Granted to <tenantname> under the Status column for each permission. In place of <tenantname>, you will notice your Entra ID's tenant name.
  14. Navigate to Overview on the sub menu. Copy the Application (client) ID to the text editor seen under the Essentials section.
  15. Select Endpoints on the overview page. The list of endpoints is dislayed. Copy the OAuth 2.0 token endpoint (v2) value to the text editor.
  16. The final step is to use the OAuth 2.0 token endpoint (v2), Client Secret Value, and Application (client) ID to integrate Entra ID as a relying party in the Unifyia platform.

Step 2: Integration Steps

Prerequisites

  1. Unifyia is registered as an application on the Entra ID application.
  2. You have the following values:
    1. Token URL (OAuth 2.0 token endpoint (v2))
    2. Application (client) ID
    3. Client Secret Value

In this section, you will find instructions for integrating Entra ID as a relying party on the Unifyia platform.

  1. Log in to the Unifyia platform as an administrator.
  2. Navigate to Integrations > Passkeys (FIDO2) provisioning. The Passkeys (FIDO2) Provisioning page appears.
  3. Select + Add Relying Party. You will find two tabs - Integrate Relying Party and Provisioning APIs.
  4. Under the Integrate Relying Party tab, provide the following information:
    1. Relying Party: Select Microsoft Entra ID.
    2. Name: Provide a name for this configuration, for example, Relying Party - Entra ID.
    3. Description: Provide a brief description for this configuration.
    4. Client Authentication Method: Select Client Secret Sent as Basic Auth.
    5. Token URL: Enter the OAuth 2.0 token endpoint (v2) from step 1 that you copied to the text editor.
    6. Client ID: Enter the Application (client) ID from step 1 that you copied to the text editor.
    7. Client Secret: Enter the Client Secret Value from step 1 that you copied to the text editor.
    8. Select Next to access the Provisioning APIs tab.
  5. Under the Provisioning APIs tab, you will notice that the provisioning API endpoints, API methods, and API URLs for getting policy, registering authenticator, and deleting authenticator are already populated. You must not change any data in this page. Select Save.
  6. You have completed integrating Entra ID as a relying party on the Unifyia platform.

To issue FIDO2 credentials to the users of Entra ID (relying party), ensure to configure a passkeys (FIDO2) policy for Entra ID on the Unifyia platform. Next, create a workflow to issue FIDO2 credentials for the Entra ID users. While creating the workflow, ensure to check the option Enable FIDO2 Passkeys provisioning for relying parties and select Microsoft Entra ID from the displayed dropdown under the FIDO2 Registration section. This will ensure that the details of the issued FIDO2 credential are saved with the Entra ID as well.

Add Okta as a Relying Party

This section provides instructions on integrating Okta as a relying party to enable passkeys (FIDO2) provisioning. You need to have admin credentials to access the Okta application and Unifyia platform. The following are the steps:

  1. Step 1: Add Unifyia as an application on the Okta application.
  2. Step 2: Complete the integration steps:
    1. Configure connection parameters.
    2. Configure the provisioning API endpoints.

Step 1: Add the Unifyia Platform as an Application on Okta

This section provides instructions on how to add Unifyia as an application on the Okta application.

Prerequisites

  • You must have an active admin account with Okta with the necessary subscription.
  • Public Key from the Unifyia platform. To get the public key, follow the below steps:
    1. Log in to the Unifyia platform as an administrator.
    2. Navigate to Integrations > Passkeys (FIDO2) provisioning. The Passkeys (FIDO2) Provisioning page appears.
    3. Select + Add Relying Party. You will find two tabs - Integrate Relying Party and Provisioning APIs.
    4. Under the Integrate Relying Party tab, select the relying party as Okta.
    5. For the Client Authentication, select JWT Signed With Private Key.
    6. For the Public Key field, you will notice that a public key is auto-generated. Copy this and paste it to a text editor. This will be the public key that you would require during the app registration step on the Okta application.

Follow the below steps, to create Unifyia as an client application on the Okta platform.

  1. Log in to Okta with an admin account.
  2. On the Dashboard, navigate to Applications > Applications.
  3. On the Applications page, select Create App Integration.
  4. On the Create a new app integration pop-up, select API Services.
  5. On the New API Services App Integration page, provide a name and select Save.
  6. On the next page, under the General tab, you will notice the Client Credentials. Copy the Client ID to a text editor.
  7. Next, select Edit and choose Public Key/Private Key for Client Authentication. This indicates that API call authentication between the Unifyia platform and the Okta application is performed using a public-private key pair.
  8. Under the PUBLIC KEYS section, select Add Key. A pop-up window will appear prompting you to enter a public key. Paste the Unifyia platform's public key, previously copied to a text editor, into the text box, then select Done.
  9. Under the General Settings section, select Edit, and update as below:
    1. For the field Proof of Possession, uncheck Require Demonstrating Proof of Possession (DPoP) header in token requests.
    2. For the field Grant Type, click the dropdown Advanced and select Token Exchange. Select Save to save the settings.
  10. The next step is to grant required scopes. Select the Okta API Scopes tab, where you'll see a list of available scopes. For each scope listed below, select Grant under the Actions column. When the Grant Okta API Scope pop-up window appears, confirm by selecting Grant Scope.

    11. Scope Description
    okta.apps.manage Allows the Unifyia platform application to create and manage Apps in the Okta organization.
    okta.apps.read Allows the Unifyia platform application to read information about Apps in the Okta organization.
    okta.authorizationServers.manage Allows the Unifyia platform application to create and manage Authorization Servers in the Okta organization.
    okta.authorizationServers.read Allows the Unifyia platform application to read information about Authorization Servers in your Okta organization.
    okta.factors.manage Allows the Unifyia platform application to manage all admin operations for org factors (e.g., activate, deactivate, read).
    okta.factors.read Allows the Unifyia platform application to read org factors information.
    okta.myAccount.appAuthenticator.
    maintenance.manage     		Allows the end user to manage non-sensitive attributes of their app authenticator enrollment.
    okta.myAccount.appAuthenticator.
    maintenance.read     		Allows the end user to read non-sensitive attributes of their app authenticator enrollment.
    okta.myAccount.appAuthenticator.manage Allows the end user to manage their app authenticator enrollment.
    okta.myAccount.appAuthenticator.read Allows the end user to read their app authenticator enrollment.
    okta.oauthIntegrations.manage Allows the Unifyia platform application to create and manage OAuth integrations in the Okta organization.
    okta.oauthIntegrations.read Allows the Unifyia platform application to read information about OAuth integrations in the Okta organization.
    okta.users.manage Allows the Unifyia platform application to create new users and to manage all users' profile and credentials information.
    okta.users.read Allows the the Unifyia platform application to read the existing users' profiles and credentials.
  11. The next step is to create role assignments by selecting the roles and resource sets to which the selected admin should be restricted. Navigate to the Admin roles tab and select Edit Assignments. Select Add Assignments.
    1. Role: Select Application Administrator from the dropdown list.
    2. Applications: For resource sets, select Edit and search the name of the newly created application. Select Add and then Confirm.
    3. On the Complete the assignment page, select Save Changes.
    4. Okta application prompts you to provide the authentication credentials to save the changes. Once completed, you will notice that the application and the role to manage it have been successfully assigned.
  12. You have completed registering the Unifyia platform as an application on the Okta's applciation. You now have Client ID and scopes. To register Okta as an relying party on the Unifyia platform, you also require a Token URL and domain name.
  13. In the top right corner, locate the logged-in user profile. Click the arrow to expand the details. Under the email address, you'll see the tenant URL - copy this to a text editor. This will serve as the domain name.
  14. Follow the next section to learn how to get the Token URL.

Step 2: How do I get Okta's Token URL?

  1. You have copied the Okta's domain name in the previous step.
  2. Open a browser and paste this URL. Append /.well-known/openid-configuration at the end of this URL. For example, https://utopia.oktapreview.com/.well-known/openid-configuration
  3. The OIDC metadata for Okta is displayed.
  4. Check the box Pretty-print. The metadata appears well formatted.
  5. Locate the Token endpoint parameter on the page and copy its value to a text editor. This will serve as the Token URL.

You now have Client ID, Token URL, domain name, list of scopes, and role. You are now all set to configure Okta as a relying party on the Unifyia platform.

Step 3: Integration Steps

Prerequisites

  1. Unifyia is registered as an application on the Okta application.
  2. You have the following values:
    1. Token URL
    2. Domain Name
    3. Client ID
    4. Scopes

In this section, you will find instructions for integrating Okta as a relying party on the Unifyia platform.

  1. Log in to the Unifyia platform as an administrator.
  2. Navigate to Integrations > Passkeys (FIDO2) provisioning. The Passkeys (FIDO2) Provisioning page appears.
  3. Select + Add Relying Party. You will find two tabs - Integrate Relying Party and Provisioning APIs.
  4. Under the Integrate Relying Party tab, provide the following information:
    1. Relying Party: Select Okta.
    2. Name: Provide a name for this configuration, for example, Relying Party - Okta.
    3. Description: Provide a brief description for this configuration.
    4. Client Authentication Method: Select JWT Signed With Private Key.
    5. Token URL: Enter the Token URL from Step 2: How do I get Okta's Token URL? that you copied to a text editor. Ensure that there are no spaces when you paste it.
    6. Client ID: Enter the Client ID from Step 1: Add the Unifyia Platform as an Application on Okta that you copied to a text editor.
    7. Scopes: Enter okta.apps.manage okta.apps.read okta.authorizationServers.manage okta.authorizationServers.read okta.factors.manage okta.factors.read okta.myAccount.appAuthenticator.maintenance.manage okta.myAccount.appAuthenticator.maintenance.read okta.myAccount.appAuthenticator.manage okta.myAccount.appAuthenticator.read okta.oauthIntegrations.manage okta.oauthIntegrations.read okta.users.manage okta.users.read. These are the scopes that you have defined in the Okta application for Unifyia. Ensure that each scope is separated by a space.
    8. Public Key: The public key is auto populated.
    9. Select Next to access the Provisioning APIs tab.
  5. Under the Provisioning APIs tab, you will notice that the provisioning API endpoints, API methods, and API URLs for getting user details, getting policy, registering authenticator, and deleting authenticator are already populated. You must replace the variable $$domain$$ with a valid domain name from Step 1: Add the Unifyia Platform as an Application on Okta in all the provisioning API URLs to direct the query to the specific Okta tenant. Do not change any other variable other than the domain name. Select Save.
  6. You have completed integrating Okta as a relying party on the Unifyia platform.

You have successfully integrated Entra ID and Okta as a relying parties on the Unifyia platform for passkey (FIDO2) provisioning. The next step is to configure the passkey (FIDO2) policy for relying parties. During policy configuration, the integrated relying parties will appear in the Relying Party Application dropdown.

Once the policies are set, proceed to create user groups, define workflows for issuing FIDO2 credentials for both Entra ID and Okta, and create or import Entra ID/Okta users. Credentials can then be issued in a single click.

Users can use their issued FIDO2 credentials to log in to their respective applications—Entra ID or Okta. Ensure that the same user details (especially, username or email address) exist in both the Unifyia platform and the corresponding relying party application.

Manage Relying Parties

This section guides you through the process of editing and deleting a relying party on the Unfiyia platform.

  1. Log into the platform with administrator credentials.
  2. Navigate to Integrations > Passkeys (FIDO2) Provisioning.
  3. A list of configured relying parties is displayed.
  4. To edit a relying party, select the Pencil icon at the end of the selected relying party row and modify the configuration parameters as needed. Select Update to save the changes.
  5. To delete a relying party, select the Bin icon at the end of the selected relying party row. Select Yes to confirm or No to exit the process.

Back Next
On this page
Related Links