...

Files

  • conf/authn/webauthn.properties: properties file for configuring the plugin

  • conf/authn/webauthn-config.xml: XML file configuring the new beans for the plugin

  • views/webauthn/webauthn-authn.vm: the authentication view

  • views/webauthn/webauthn-authn-username.vm: a username view for passwordless authentication

  • views/webauthn/webauthn-register.vm: the FIDO2 credential registration view

  • views/webauthn/webauthn-register-username.vm: a username view for the registration view

  • edit-webapp/css/webauthn.css: additional styling for the WebAuthn views

  • edit-webapp/js/webauthn-json.browser-ponyfill.js: JavaScript library that wraps the WebAuthn API to handle the encoding of its binary data

  • edit-webapp/js/webauthn-support.js: additional JavaScript supporting functions on the WebAuthn views

...

Video

  • passwordless--register-authn.mov: Register and use a new FIDO2 credential, authenticating to the registration page for the first time with Password and DuoOIDC MFA.

  • usernameless--no-auth-register-key-authn.mov: Try usernameless login with no registered credentials (although some exist in the Chrome password manager). Then register a new credential and use it as a passkey in a usernameless flow.

  • admin--authn-admin-remove-key-register-new-authn.mov

...

Overview of Configuration Steps

  • Configure the plugin

    • Add the relyingPartyId to conf/authn/webauthn.properties

    • Add the relyingPartyName to conf/authn/webauthn.properties

  • Decide how the flow should be used.

  • Configure the MFA flow to use the WebAuthn authentication method

    • Add the MFA flow to the idp.authn.flows property in conf/authn/authn.properties.

  • Think about which Authentication Context Class (Supported Principals) the flow should expose

  • Register a FIDO2 credential through the registration admin flow

  • Show your administrator how to remove user credentials

Configuration of the WebAuthn Relying Party

The IdP acts as a WebAuthn Relying Party when initiating the Web Authentication API to register and authenticate users. The identity of the Relying Party (IdP) must be configured in conf/authn/webauthn.properties.

  • The relyingPartyId: a valid domain string, set to the effective domain of the IdP’s origin. Unlike a normal origin it carries no scheme or port. FIDO2 credentials are scoped to this Relying Party ID and can only be used for it.

    • Note, ‘localhost’ can be used for testing.

  • The relyingPartyName: a human-palatable identifier for the relying party, used for display purposes.

  • Optional allowOriginPort (idp.authn.webauthn.allowOriginPort in the properties file): if true, any port is accepted for an allowed origin.

  • Optional allowOriginSubdomain: if true, any subdomain (of any depth) of an allowed origin is accepted.

  • Optional allowOrigins: comma-separated set of origins to accept in responses from an authenticator for this Relying Party. If not set, the origin derived from the Relying Party ID (https scheme, default port) is used. Note, unlike the Relying Party ID, an origin includes the scheme and port.

Example Relying Party configuration for conf/authn/webauthn.properties:

# The IdP's origin
idp.authn.webauthn.relyingPartyId = localhost
idp.authn.webauthn.relyingPartyName = My IdP Name
# Allow any port of 'localhost'
idp.authn.webauthn.allowOriginPort = true
# Do not allow any subdomain of 'localhost'
idp.authn.webauthn.allowOriginSubdomain = false
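To make the origin rules above concrete, here is an added Python model of them. It is not the plugin's own code (the plugin delegates this check to its WebAuthn library, whose exact handling of corner cases such as IPv6 literals may differ); it assumes that a configured allowOrigins list replaces the default origin derived from the Relying Party ID, reads the origin from a constructed clientDataJSON the way a browser sends it, and shows why a response from https://localhost:8443 is rejected for the example configuration unless allowOriginPort is true.

```python
import base64
import json
from urllib.parse import urlsplit

# Added example: a stand-alone model of the origin-acceptance rules described
# above. It is not the Shibboleth plugin's code, which delegates this check to
# its WebAuthn library; it exists to show what each property changes.

DEFAULT_PORTS = {"https": 443, "http": 80}


def _parse_origin(origin):
    """Return (scheme, host, effective port) for a bare origin string, or None.

    A WebAuthn origin has a scheme, host and optional port and nothing else;
    anything with a path, query or fragment is rejected outright.
    """
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if (parts.scheme not in DEFAULT_PORTS or not parts.hostname
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port


def allowed_origins(relying_party_id, allow_origins=None):
    """The configured allowOrigins set, or the default https origin built from the RP ID."""
    if allow_origins:
        return [o.strip() for o in allow_origins.split(",") if o.strip()]
    return ["https://" + relying_party_id]


def origin_is_allowed(client_origin, relying_party_id, allow_origins=None,
                      allow_origin_port=False, allow_origin_subdomain=False):
    """Decide whether the origin reported by the browser is acceptable for this RP."""
    client = _parse_origin(client_origin)
    if client is None:
        return False
    c_scheme, c_host, c_port = client
    for candidate in allowed_origins(relying_party_id, allow_origins):
        cfg = _parse_origin(candidate)
        if cfg is None:
            continue  # a malformed configured origin can never match
        a_scheme, a_host, a_port = cfg
        if c_scheme != a_scheme:
            continue  # https://localhost and http://localhost are different origins
        # A subdomain must sit under the configured host with a dot boundary, so
        # "evil-idp.example.org" is not a subdomain of "idp.example.org".
        host_ok = c_host == a_host or (allow_origin_subdomain and c_host.endswith("." + a_host))
        port_ok = c_port == a_port or allow_origin_port
        if host_ok and port_ok:
            return True
    return False


def check_client_data(client_data_json_b64url, expected_type, relying_party_id, **origin_options):
    """Decode a base64url clientDataJSON and check its ceremony type and origin."""
    padded = client_data_json_b64url + "=" * (-len(client_data_json_b64url) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if data.get("type") != expected_type:
        return False
    return origin_is_allowed(data.get("origin", ""), relying_party_id, **origin_options)


# Constructed sample: what a browser at https://localhost:8443 would send for
# an authentication ceremony (the challenge value is a placeholder).
SAMPLE_CLIENT_DATA = base64.urlsafe_b64encode(json.dumps({
    "type": "webauthn.get",
    "challenge": "cGxhY2Vob2xkZXItY2hhbGxlbmdl",
    "origin": "https://localhost:8443",
}).encode()).decode().rstrip("=")


if __name__ == "__main__":
    for opts in ({}, {"allow_origin_port": True}):
        print(opts, check_client_data(SAMPLE_CLIENT_DATA, "webauthn.get", "localhost", **opts))
```

The scheme comparison is deliberate: with relyingPartyId = localhost and no allowOrigins, only https://localhost (plus other ports when allowOriginPort is true) is accepted, so a browser page served over plain http is refused even during local testing. When allowOrigins is set it is the only list consulted, so an origin you expect to keep working must be listed explicitly.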