Direct Registration with the Easy Install Feature

About the Easy Install Feature

The Easy Install feature allows Qeo users to create a Qeo Realm and register to it without having to access the Security Management Server (SMS) directly. The created Realm is named QeoHome and the username is taken directly from the device. For example, on an Android device with a Google account, the username will be the name of the Google account (typically the Gmail address).

OpenID Account

To use this procedure, you need an OpenID account. Typical OpenID providers are Google and Yahoo, but there are many others.

Process

The process is as follows:

  1. The device user starts any Qeo application on a non-registered device.
  2. On an Android device, the system checks whether the Qeo Service is installed. If not, the user is informed that the Qeo Service was not found.
  3. The system asks which OpenID provider is to be used.
  4. The user selects an OpenID provider (e.g. Google, Yahoo).
  5. Using the OpenID account, the system transparently creates a Realm called QeoHome and adds the user and the device to it. OTC exchange is done under the hood.

Note that the user can add more users and devices to the QeoHome Realm.


Advanced Direct Registration (OTC login)

Authentication Process

For readability, this description says 'device' where it actually means the combination of the device and its user. Refer to Qeo Identity for more information.

Registration and authentication of a device in the Qeo Realm occurs in the following steps:

  1. The Realm Administrator creates an administrator account and realm on the Security Management Server. A realm ID is generated.
  2. The Realm Administrator adds a user in the realm. A userID is generated.
  3. The Realm Administrator adds a device to a user. A deviceID and an OTC (One Time Code) are generated, and the Server URL is shown. The administrator passes the OTC and the URL to the user.
  4. When a User starts up the first Qeo application on his device, upon pressing the 'OTC login' action bar item, he is requested to enter the One Time Code and Server URL.
  5. The device generates a key pair and creates a certificate signing request (CSR) for the public key, to be submitted via SCEP.
  6. The device connects to the RA server using SCEP (Simple Certificate Enrollment Protocol).
  7. The device authenticates itself with the OTC and verifies that the RA server is genuine, i.e. that the RA certificate is signed by a trusted authority.
  8. The device sends the CSR to the RA server for signing. 
  9. The RA verifies the CSR and uses the OTC to associate the CSR to the realm, user and new device.
  10. The OTC is invalidated so it cannot be used to register a second device.
  11. The "adapted" CSR is forwarded to the Certificate Authority (CA) for signing. 
  12. The chain of certificates (master CA certificate, realm CA certificate and user certificate) is sent back to the device.
  13. The user's device is now ready to authenticate the other identities in the Qeo Realm and to be authenticated by them. It can also authenticate with the SMS for policy file updates.

Steps 1, 2 and 3 are not always necessary. Realm, user and device may already exist.
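The following Go program is an added illustration of steps 5 to 13 above; it is not Qeo code and does not speak SCEP. It models the RA as an in-process object, builds a master CA, a realm CA and an RA server certificate with Go's standard crypto/x509 package, and then runs one device enrollment: the device generates its key pair, checks that the RA certificate chains to the master CA it trusts before it hands over the OTC, the RA burns the OTC and issues an "adapted" certificate whose subject comes from the OTC record rather than from the CSR, and the device verifies the returned chain against its trusted root. The realm, user, device and OTC values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustKey generates a P-256 key pair; in the real flow the device does this locally (step 5).
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template; isCA marks CA certificates.
func template(serial int64, subject pkix.Name, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the signer's key (self-signed when parent == nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// otcRecord is what the RA knows about an OTC after an administrator added a device (step 3).
type otcRecord struct {
	realmID, userID, deviceID string
	used                      bool
}

// RA models the registration authority: the realm CA key and the outstanding OTCs (constructed model).
type RA struct {
	MasterCA, RealmCA, ServerCert *x509.Certificate
	realmKey                      *ecdsa.PrivateKey
	otcs                          map[string]*otcRecord
	nextSerial                    int64
}

// NewRealm builds master CA -> realm CA plus an RA server certificate, and registers one OTC.
func NewRealm(realmID, userID, deviceID, otc string) *RA {
	masterKey, realmKey, srvKey := mustKey(), mustKey(), mustKey()
	master := issue(template(1, pkix.Name{CommonName: "Qeo master CA"}, true), nil, &masterKey.PublicKey, masterKey)
	realm := issue(template(2, pkix.Name{CommonName: realmID + " realm CA"}, true), master, &realmKey.PublicKey, masterKey)
	srv := issue(template(3, pkix.Name{CommonName: "ra.example"}, false, x509.ExtKeyUsageServerAuth), master, &srvKey.PublicKey, masterKey)
	return &RA{MasterCA: master, RealmCA: realm, ServerCert: srv, realmKey: realmKey, nextSerial: 100,
		otcs: map[string]*otcRecord{otc: {realmID: realmID, userID: userID, deviceID: deviceID}}}
}

// Enroll is the RA side of steps 8-12: check the OTC, burn it, verify the CSR, and sign an
// "adapted" certificate whose identity comes from the OTC record, not from the CSR's subject.
func (ra *RA) Enroll(otc string, csrDER []byte) ([]*x509.Certificate, error) {
	rec, ok := ra.otcs[otc]
	if !ok || rec.used {
		return nil, errors.New("unknown or already used OTC")
	}
	rec.used = true // step 10: a second device cannot reuse the code, even if this request fails below
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the private key
		return nil, err
	}
	subject := pkix.Name{Organization: []string{rec.realmID}, OrganizationalUnit: []string{rec.userID}, CommonName: rec.deviceID}
	leaf := issue(template(ra.nextSerial, subject, false, x509.ExtKeyUsageClientAuth), ra.RealmCA, csr.PublicKey, ra.realmKey)
	ra.nextSerial++
	return []*x509.Certificate{ra.MasterCA, ra.RealmCA, leaf}, nil // step 12: full chain back to the device
}

// EnrollDevice is the device side of steps 5-13; trustedRoot is the master CA the device already trusts.
func EnrollDevice(ra *RA, otc string, trustedRoot *x509.Certificate) (*x509.Certificate, error) {
	key := mustKey() // step 5: the private key is generated here and never leaves the device
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "new device"}}, key)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	// step 7: do not hand the OTC to an RA whose certificate does not chain to the trusted root
	if _, err := ra.ServerCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}); err != nil {
		return nil, fmt.Errorf("RA server not genuine: %w", err)
	}
	chain, err := ra.Enroll(otc, csrDER) // steps 8-12 (the SCEP transport is abstracted away)
	if err != nil {
		return nil, err
	}
	// before step 13: the returned chain must end at the root we trust and must be for our own key
	if len(chain) != 3 || !chain[0].Equal(trustedRoot) {
		return nil, errors.New("returned chain does not end at the trusted master CA")
	}
	inter := x509.NewCertPool()
	inter.AddCert(chain[1])
	leaf := chain[2]
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	if !leaf.PublicKey.(*ecdsa.PublicKey).Equal(&key.PublicKey) {
		return nil, errors.New("certificate does not match the device key")
	}
	return leaf, nil
}

func main() {
	ra := NewRealm("realm-1234", "user-42", "device-7", "OTC-EXAMPLE")
	cert, err := EnrollDevice(ra, "OTC-EXAMPLE", ra.MasterCA)
	fmt.Println("first enrollment:", cert.Subject, err)
	_, err = EnrollDevice(ra, "OTC-EXAMPLE", ra.MasterCA)
	fmt.Println("second use of the OTC:", err)
}
```

Two details are worth noting for anyone implementing the real flow: the OTC is marked used before the CSR is even parsed, so a malformed first attempt cannot leave the code alive for a later one, and the device checks the RA certificate against the root it already trusts before the OTC leaves the device, which is what step 7 protects against.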

Diagram

Below is a diagram representing the process:
