1.2 Setup Steps

This page describes the setup steps for each of the services.

1.2.1 Before you Begin

You need to have been set up on Cloudentity and have obtained access to Thredd Certificate Authority. You can then follow the steps for connecting to individual Thredd services.

Setting Up SSO Using Your Provider

The Secure Connectivity Framework allows you to set up Single Sign-On (SSO) to access various Thredd services that use mTLS, for example Thredd Portal. This is not mandatory but is recommended.

SSO allows:

  • An enhanced user experience for users as it removes the hassle of remembering passwords.

  • Companies to save time on maintenance.

  • Reductions in overheads when managing accounts.

For more details, see Configuring SSO.

Set Up Cloudentity

  • Thredd sets up Cloudentity for you to enable a Single Sign-On journey by linking your IdP with Cloudentity. If you do not use an IdP, Cloudentity can act as the IdP.

  • A Single Sign-On journey is used to access Thredd Certificate Authority (CA) for the creation of certificates, as well as when connecting to the Thredd Portal card management application. In both cases, there is at least one additional Admin user, who manages users. Once set up, your organisation is unlikely to need to engage with Thredd for integrating Cloudentity.

  • Cloudentity is also used behind-the-scenes for managing access to the REST API as an Authorisation Server.

Set Up Thredd Certificate Authority (CA)

Thredd will provide access to the Thredd CA. Thredd adopts a self-service approach, which allows you to independently manage your certificates.

To request access to Thredd CA, please raise a support ticket.

1.2.2 Steps for Individual Thredd Applications

Secure connections are required to the following Thredd applications:

  • SOAP API
  • REST API
  • External Host Interface (EHI)
  • Thredd Portal
  • Smart Client

SOAP API

Thredd's SOAP APIs are secured using mTLS. You will need to create Transport Certificates.

For more information, see Creating Client Transport Certificates for SOAP APIs.

REST API

Thredd's REST APIs are secured using mTLS. You should review the following information on how to set up your mTLS connection:

EHI

Follow the steps below for connecting to EHI:

  1. Install Server and Client Certificates.
  2. Download Root Certificates and Issuing Certificates. A Root Certificate identifies the Certificate Authority. An Issuing Certificate identifies the system's identity, for example, its public key.
  3. Test Client and Server Certificates on your EHI endpoint for mTLS communication.

For more information, see Setting Up EHI with mTLS.
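
Offline checks worth running before the endpoint test in step 3, shown as an added example that is not part of Thredd's documentation: it confirms that a client certificate chains to the Root Certificate through the Issuing Certificate, is valid for TLS client authentication, and matches its private key. It assumes the `openssl` command-line tool is installed; all file names and subjects are constructed placeholders, and the throwaway demo PKI stands in for material issued by Thredd CA.

```shell
# Offline pre-flight checks to run before the endpoint test in step 3.
# Every file name and subject below is a constructed placeholder.

# Succeeds if LEAF chains to ROOT via ISSUING and is valid for PURPOSE
# (sslclient or sslserver).
verify_chain() { # ROOT ISSUING LEAF PURPOSE
    openssl verify -CAfile "$1" -untrusted "$2" -purpose "$4" "$3" >/dev/null 2>&1
}

# Succeeds if private key KEY is the key certified by CERT.
key_matches_cert() { # KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Builds a throwaway root CA, issuing CA and client certificate in DIR so the
# checks can be exercised without real Thredd CA material.
make_demo_pki() { # DIR
    d=$1; mkdir -p "$d" || return 1
    cat >"$d/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/cnf" -extensions v3_ca \
        -subj "/CN=Demo Root CA" -days 1 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    for n in issuing client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/cnf" -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/cnf" -extensions v3_ca -days 1 -out "$d/issuing.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" -CAcreateserial \
        -extfile "$d/cnf" -extensions v3_client -days 1 -out "$d/client.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo" &&
    verify_chain "$demo/root.pem" "$demo/issuing.pem" "$demo/client.pem" sslclient &&
    key_matches_cert "$demo/client.key" "$demo/client.pem" &&
    echo "chain, purpose and key checks passed"
rm -rf "$demo"
```

With real files, pass your downloaded Root and Issuing Certificates and your installed certificate to `verify_chain`, using `sslserver` as the purpose when checking the server certificate.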

Thredd Portal

You will need to be set up with Cloudentity, enabling authentication using your own Identity Provider (IdP). If you do not use an IdP, Cloudentity can act as the IdP.

For more information, see Connecting to Thredd Portal.

Smart Client and the Card Transaction System (CTS)

  • Smart Client Installation: run the Smart Client installer. The installer is bundled with Transport Certificates, which ensure that users in your organisation can connect over mTLS.

  • CTS access: CTS can be accessed online. CTS users can use the same credentials as are used to access Smart Client in UAT (provided that CTS has been enabled).

For more information, see Connecting to Smart Client and CTS.

Configuring SSO

Follow these steps for configuring SSO:

Other Services

Other services, including those for Fraud Transaction Monitoring and 3D-Secure, do not require you to set up secure connections via the Secure Connectivity Framework.