Onfido Identity Verification

Onfido support was added to CAS in version 20210427.

Onfido helps companies see real identity – the humans behind the screens – using world-leading AI and identity experts. Your customers can prove their identities, wherever they are, with just an ID and their face.

- from https://onfido.com/

Onfido needs to communicate with CAS. You’ll need to make a few changes to enable that to happen. Modify your server configuration to expose a subdomain or port for the following required endpoints.

Do not expose these endpoints directly!

You’ll use NGINX or a Cloudflare tunnel for that to reduce any security issue exposure.

• Onfido must be able to contact CAS at:

  1. https://[master IP]:7743/serverapi/apiv1/identity-check/onfidowh

  2. https://[master IP]:7743/serverapi/apiv1/identity-check/submit

• You must build a Verification Site, which will be exposed to the public. It must also contact CAS at:

  1. https://[master IP]:7743/serverapi/apiv1/identity-check/submit

• The endpoints must all be presented/secured as TLS/SSL.

  1. Unencrypted/unprotected endpoints will fail!

1. Use free NGINX and Let’s Encrypt: https://generalbytes.atlassian.net/l/cp/nfb1x7Xd

   • A detailed NGINX server block is described below, click here.

2. Use a non-free Cloudflared tunnel: https://generalbytes.atlassian.net/l/cp/V4Me1X2b

   • Configure the tunnel as HTTPS pointing to [master IP]:7743

The file /batm/config/onfido is normally used to steer the callback and webhook URLs.

• The 2 settings are both optional. Each URL can include a port, but not a path.

• CAS will use the contents of /batm/config/hostname unless the following overrides are present:

  • webhook.onfidofor the URL for Onfido to contact CAS.

  • webhook.verificationSite is the URL for the Verification SIte to contact CAS.

    • Do not confuse this setting with the CAS Organization Verification Site URL (it's different).

• webhook.onfido=https://onfido.yourcasdomain.com demonstrates a Cloudflare tunnel entry.

• webhook.verificationSite=https://yourcasdomain.com:8743 demonstrates an NGINX port (no tunnel).

Navigate to: https://www.entrust.com/products/identity-verification

1. Generate an API token to use in the next stage of configuration (“Api Key”).

Open

2. Register the webhook you created (above) in Part 1: Onfido Webhooks

Open

Shared instructions: Configuring an Identity Verification ProviderPreview

Open

Api Key: Use the API token found in Part 2 (above): Part 2: Onfido Configuration

Verification Site URL

Onfido region: EU, US, or CA (default = “EU”)

These key Onfido components are used in the Verification Flow Chart.

1. User - a customer using ATM and later his mobile to perform the verification.

2. BATM server - operator’s CAS server that contains all identity data and server that communicates with our terminals.

3. Verification site - an opensource web server application that runs on a separate server than CAS is. This is the website to which are customers redirected by ATM and which they open on their mobiles at the beginning of the verification process.

   1. Links (to your Verification Site) expire in 90 minutes.

4. Onfido cloud service - Onfido paid identity verification service. CAS server uses its Onfido Verification Provider to talk and listen to Onfido service calls.

1. User (End Customer) visits ATM and requests a registration.

2. BATM Server obtains an unique applicant’s id and pairs it with an identity (i.e. phone number)

3. BATM Server calls verification site and tells to Verification Site to expect the visit of an applicant XYZ.

4. BATM Server sends SMS to a User with a link to a Verification Site to start verification.

5. User visits the Verification Site, which contains JS+IFRAME to the Onfido verification service.

6. User goes through complete verification.

7. Verification site calls CAS and informs it that the applicant has finished the verification.

8. Onfido performs a background check on the User.

9. CAS is informed by Onfido that the verification is finished (including the particular result). CAS also downloads the Identity information (e.g. ID card photo) from Onfido service.

10. BATM Server informs the User by SMS that their registration is finished, and the result.

11. User is now registered and revisits the ATM and performs the purchase.

12. Alternatively you can use Open Extension to change the automatic registration for example not to autoregister older people or kids.

Open

This demonstration NGINX server block contains typical settings.