Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
- Mobile identity - Access component
- Mobile identity - Tulip
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All

Administrative management

Policy management

IDAAS core
Getting started with the OneWelcome Identity Platform
Manage administrators
Authentication
- FIDO authentication
  - Web integration
    - Web integration
    - User enrollment
    - User authentication
  - Administrative management
    - Admin APIs
    - Authenticator management
    - User management
    - Policy management
  - Authenticator policy
    - Thales FIDO authenticator policy
    - Authenticator policy samples
  - Extensions
    - Thales extensions for FIDO
    - Thales friendly name extension
    - Thales transaction signature extension
    - Thales challenge token extension
- Authentication FAQ
- Password migration
Events
- Public event payload taxonomy
- Export events
Assurance levels
IDAAS core - Access
- Securing resources
- Client authentication methods
- Client application configuration
  - Scope configuration
  - Identity providers
  - Resource gateway configuration
  - Scopes API
  - Scope Verification Service
  - Identity provider API
  - Protected data in single-page apps
- OAuth 2.0 and OpenID Connect
  - OpenID Connect
  - OpenID Connect authentication
  - OpenID Connect scopes and claims
  - User claims and attributes
  - OpenID provider configuration
  - ID token encryption
  - Web clients
    - Resource owner password credentials
    - Uniquely identify guests
    - Migration of web clients with hashed secrets
    - Web clients API
  - Tokens
    - Access tokens
    - ID tokens
    - Refresh tokens
    - Access token API
    - Token introspection API
  - iFrame session monitoring
    - Relying party iFrame
    - End session API
    - Session management APIs
  - OAuth endpoints
  - OAuth configuration
  - Discovery API
  - JSON Web Key Set API
  - User information API
  - OAuth consent API
  - OAuth Token Exchange
- SAML Applications
- Custom authenticators
- General system properties
  - Configure system features
  - Session configuration
  - CORS support
  - Extension engine properties
  - SAML service provider configuration
  - API clients API
  - Responsible disclosure policy
- Access events
  - Audit events
  - Audit log
  - Events API
  - Security events
- Web hooks
  - Web hooks configuration API
- User session API
IDAAS core - Tulip
- Tenants and brands
- Identity store and data model
  - SCIM API
  - SCIM schemas
  - SCIM user management
  - SCIM user attributes
  - SCIM API versions
- Credential store
  - Email address management
  - Password management
  - Password policies
- OAuth 2.0 and OpenID Connect
  - OAuth 2.0 and OpenID Connect setup
  - Device flow
  - OAuth client authentication methods
  - Proof Key for Code Exchange
  - Step-up authentication
  - OAuth 2.0 and OpenID Connect API
  - Dynamic client registration API
  - OAuth OIDC error handling
- Account lockout
- Session management
- Event store
- API rules
- Reports
- Email overview
- Core administration experience
  - Audit logs
- Locales and languages
Customize the user interface

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
IDAAS core
Authentication
FIDO authentication
Administrative management
Policy management

Policy management

This section explains how to manage authenticator policies using the authenticator policy admin API.

The authenticator policy admin API provides operations for configuring policies that control which types of authenticators can be used for registration and authentication.

The authenticator policy admin API allows you to:

Define policies that specify allowed authenticator types.
Control which authenticators can be used for registration.
Control which authenticators can be used for authentication.
Configure attestation requirements and validation rules.
Manage policy lifecycle and updates.

Policy configuration

Authenticator policies typically include:

Allowed authenticator types: Platform, cross-platform, or both
Attestation requirements: None, indirect, direct, or enterprise
User verification: Required, preferred, or discouraged
Authenticator attachment: Platform, cross-platform, or unspecified
Resident key requirements: Required, preferred, or discouraged

Authentication and authorization

All authenticator policy admin API operations require proper authentication:

Operations require specific roles encoded in the JWT token passed as an HTTP Authorization request header with the Bearer authorization scheme.
Each operation specifies the required role in its API documentation.

Next steps

Review the authenticator policy admin API reference for detailed endpoint documentation.
Explore authenticator policy samples for example configurations.
Learn about authenticator management.
Review user management.

On this page

OneWelcome Identity Platform

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com