Appendix C. FIDO Device Onboarding Example Flow
This section preserves the RFC text for SCIM device schema extensions, including Device and EndpointApp resource types, BLE, DPP, Ethernet MAB, FDO, Zigbee, endpointAppsExt, JSON Schema, OpenAPI, IANA registrations, and security considerations.
Appendix C. FIDO Device Onboarding Example Flow
The following diagrams are included to demonstrate how FDO can be
used. In this first diagram, a device is onboarded not only to the
device owner process but also to the AAA server for initial
onboarding. The voucher contains a device certificate that is used
by the AAA system for authentication.
,------. ,------. ,-------.
|SCIM | |SCIM | |Owner | ,---.
|Client| |Server| |Service| |AAA|
`---+--' `---+--' `---+---' `-+-'
,------------------------------!. | |
|Voucher contains |_\ | |
|an X.509 cert chain | | |
`--------------------------------' | |
|1 POST [FDO(voucher)] | | |
|/HTTP | | |
|--------------------->| | |
| | | |
| |----. | |
| | | 2 Recover X.509 | |
| |<---' cert chain | |
| | from voucher | |
| | | |
| | | |
| |3 Add device(voucher) | |
| |/HTTP | |
| |--------------------->| |
| | | |
| | 4 200 "ok" | |
| |<---------------------| |
| | | |
| | 5 Add identity |
| |------------------------------->|
| | | |
| | 6 200 "ok" |
| |<-------------------------------|
| | | |
| 7 200 "ok" | | |
|<---------------------| | |
| | | |
| | | |
After this flow is complete, the device can then first provisionally
onboard and then later receive a trust anchor through FDO's Transfer
Ownership Protocol 2 (TO2) process. This is shown below.
,-------. ,------.
|Owner | ,---. |Access| ,------.
|Service| |AAA| |Point | |Device|
`---+---' `-+-' `---+--' `---+--'
| | | ,------------------!.
| | | |Device configured |_\
| | | |with well-known |
| | | |RCOI and for trust |
| | | |on first use |
| | | `--------------------'
| | ,---------------!. |
| | |WLAN configured|_\ |
| | |with well-known | |
| | |RCOI | |
| | `-----------------' |
| | | 1 EAP-TLS/EAPOL |
| | |<-----------------|
| | | |
| |2 EAP-TLS/Radius | |
| |<----------------| |
| | | |
| | ,--------------------------!.
| | |Device skips |_\
| | |server authentication |
| | `----------------------------'
| |3 Result=Success | |
| |---------------->| |
| | | |
| ,-----------------------!. |
| |Limited access |_\ |
| |for now | |
| `-------------------------' |
| | |4 Result=Success |
| | |----------------->|
| | | |
| | 5 FDO TO2 | |
|<----------------------------------------------------|
| | | |
,-------------------------------------------------------------!.
|FSIM, Runtime SSID, |_\
|Credentials incl. |
|local trust anchor |
`---------------------------------------------------------------'
| | | 6 dissasociate |
| | |<-----------------|
| | | |
| | |7 EAP-TLS w/ LSC |
| | |<-----------------|
| | | |
| | | |
. . etc . .