Versions Compared

Old Version 173

changes.mady.by.user Philip Smart

Saved on

compared with

New Version Current

changes.mady.by.user Philip Smart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Plugin

Plugin ID

Module(s)

Depends On

Authentication Flow ID

Latest Version

Bug Reporting

WebAuthn Authentication Plugin

net.shibboleth.idp.plugin.authn.webauthn

idp.authn.WebAuthn

authn/WebAuthn

0.9.0-RCRC2

JWEBAUTHN

Installation of Pre-release Plugin

...

File

Description

conf/authn/webauthn.properties

Properties file for configuration the plugin

conf/authn/webauthn-config.xml

XML file for configuration of new beans for the plugin

views/webauthn/webauthn-authn.vm

The authentication view

views/webauthn/webauthn-authn-username.vm

A username view for passwordless authentication

views/webauthn/webauthn-register.vm

The FIDO2 credential registration view

views/webauthn/webauthn-register-username.vm

A username view for the registration view

edit-webapp/css/webauthn.css

Additional styling for the WebAuthn views

edit-webapp/js/webauthn-json.browser-ponyfill.js

Javascript library that wraps the WebAuthn API for encoding binary data

edit-webapp/js/webauthn-support.js

Additional Javascript to support functions on the WebAuthn views

...

Video

...

Description

passwordless--register-authn.mov

...

Register and use a new FIDO2 credential. Use Password and DuoOIDC MFA to authenticate (for the first time) to the registration page

usernameless--no-auth-register-key-authn.mov

...

Try usernameless login with no registered credentials (although some exist in the Chrome password manager). Then, register a new credential and use it as a passkey in a usernameless flow.

admin--authn-admin-remove-key-register-new-authn.mov

...

Overview of Configuration Steps

Anchor
ConfigureWebAuthn
ConfigureWebAuthn
Configuration of the WebAuthn Relying Party

The IdP acts as a WebAuthn Relying Party when initiating the Web Authentication API to register and authenticate users. The identity of the Relying Party (IdP) must be configured in conf/authn/webauthn.properties.

  • The relyingPartyId: A valid domain string. Set to the IdP’s origin’s effective domain. FIDO2 credentials are scoped to, and can only be used for, a relying party. It does not include a scheme or port (as a normal origin would). Credentials are scoped to the Relying Party ID.

    • Note, ‘localhost’ can be used for testing.

  • The relyingPartyName: a human-palatable identifier for the relying party. Used for display purposes.

  • Optional allowPortOrigin: If true, any port is allowed for the given origin.

  • Optional allowOriginSubdomain: If true, any subdomain (of any depth) is allowed for the given origin.

  • Optional allowOrigins: Comma-separated set of origins to allow in responses from an authenticator for this Relying Party. If not set, the Relying Party ID is used (assuming the https scheme and the default port). Note, unlike the Relying Party ID, this includes the scheme and port.

Expand
titleExample Relying Party Configuration
Code Block
# The IdP's origin
idp.authn.webauthn.relyingPartyId = localhost
idp.authn.webauthn.relyingPartyName = My IdP Name
# Allow any port of 'localhost'
idp.authn.webauthn.allowOriginPort = true
# Do not allow any subdomain of 'localhost'
idp.authn.webauthn.allowOriginSubdomain = false