...

The authentication flow comes with a basic, extensible policy engine for accepting or rejecting FIDO2 credentials at the point of use. To enable policy checks, set the property idp.authn.webauthn.credential.policy.enabled to true in conf/authn/webauthn.properties.

In addition to inspecting the authenticating FIDO2 credential, a policy can also make decisions about the authenticator that created the credential, but only if the Authenticator Attestation GUID (AAGUID) was stored with the credential during registration; a credential registered without a stored AAGUID cannot be matched by an authenticator-based rule. For guidance on configuring this, refer to the attestation conveyance registration section.

The default policy is defined by a list bean, shibboleth.authn.WebAuthn.ChainedCredentialPolicyList, of individual policies configured in conf/authn/webauthn-config.xml. Out of the box, the following policies are included:

Policy Name: SecondFactorOnlyCredentialPolicyRule

Description: A list of authenticators, identified by their Authenticator Attestation GUID (AAGUID), that may only be used for second-factor authentication; a credential from one of them is rejected when it is used as the sole factor of authentication. Even if the authenticator indicates User Verification during authentication, the credential is still excluded. This is potentially useful for excluding untrusted software authenticators.

Value: The comma-separated list of AAGUIDs can be specified directly in the XML configuration or, for convenience, set with the idp.authn.webauthn.authenticator.policy.secondFactorOnlyAuthenticators property.
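The following is an added example, not code from the WebAuthn plugin: a stand-alone Python model of what the SecondFactorOnlyCredentialPolicyRule described above decides, so the effect of the configuration can be checked against concrete cases. It parses a comma-separated AAGUID list in the form the property would hold it, rejects a listed authenticator when WebAuthn runs as the sole factor, and ignores the User Verification flag of the assertion when doing so. The class and function names, the flow ID "authn/Password" used as the acceptable prior factor, the handling of a credential with no stored AAGUID (it cannot be matched and therefore passes this rule) and all AAGUID values are assumptions constructed for the example.

```python
"""Added example: a stand-alone model of a second-factor-only credential policy.

This is not the plugin's own code. It mirrors the behaviour described for
SecondFactorOnlyCredentialPolicyRule: a credential whose stored AAGUID is
in the configured list is rejected when WebAuthn is the sole factor,
regardless of the User Verification flag in the assertion. All names here
are illustrative, not the plugin's API.
"""
import uuid
from dataclasses import dataclass
from typing import Optional

# Flag bits of the authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def parse_aaguid_list(value: str) -> frozenset:
    """Parse a comma-separated AAGUID list such as the property value.

    Accepts hyphenated or 32-hex-digit forms in any case and ignores blank
    entries. A malformed entry raises ValueError, so a typo in the property
    fails closed at startup instead of silently never matching anything.
    """
    return frozenset(uuid.UUID(item.strip()) for item in value.split(",") if item.strip())


@dataclass(frozen=True)
class StoredCredential:
    credential_id: bytes
    # None when attestation conveyance was not configured at registration,
    # so no AAGUID was stored alongside the credential.
    aaguid: Optional[uuid.UUID]


@dataclass(frozen=True)
class AuthnContext:
    credential: StoredCredential
    auth_data_flags: int            # flags byte from the assertion's authenticator data
    previous_factors: tuple = ()    # flow IDs already completed, e.g. ("authn/Password",)


class SecondFactorOnlyRule:
    """Reject listed authenticators unless an acceptable prior factor already ran."""

    def __init__(self, second_factor_only, allowed_previous=("authn/Password",)):
        self.second_factor_only = frozenset(second_factor_only)
        self.allowed_previous = frozenset(allowed_previous)

    def evaluate(self, ctx: AuthnContext) -> tuple:
        cred = ctx.credential
        if cred.aaguid is None:
            # Assumption: with no stored AAGUID the rule has nothing to match on,
            # so the credential passes this rule. Registering with attestation
            # conveyance is what makes the rule enforceable.
            return True, "no AAGUID stored; rule cannot match this credential"
        if cred.aaguid not in self.second_factor_only:
            return True, "authenticator not restricted"
        if any(f in self.allowed_previous for f in ctx.previous_factors):
            return True, "restricted authenticator used as second factor"
        # The UV flag is deliberately not consulted: a software authenticator
        # can assert UV, which is exactly why the list exists.
        uv = "set" if ctx.auth_data_flags & FLAG_UV else "clear"
        return False, f"restricted authenticator used as sole factor (UV {uv})"


class ChainedPolicy:
    """Run rules in order; the first rejection wins."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, ctx: AuthnContext) -> tuple:
        for rule in self.rules:
            ok, reason = rule.evaluate(ctx)
            if not ok:
                return False, f"{type(rule).__name__}: {reason}"
        return True, "accepted"


# Constructed sample data: these AAGUIDs are made up for the example and
# do not identify any real authenticator model.
SECOND_FACTOR_ONLY = "11111111-2222-3333-4444-555555555555, 66666666777788889999aaaaaaaaaaaa"
RESTRICTED = StoredCredential(b"\x01", uuid.UUID("11111111-2222-3333-4444-555555555555"))
HARDWARE = StoredCredential(b"\x02", uuid.UUID("abcdefab-cdef-abcd-efab-cdefabcdefab"))
NO_AAGUID = StoredCredential(b"\x03", None)


def decide(policy: ChainedPolicy, credential: StoredCredential, flags: int, previous=()) -> bool:
    """Convenience wrapper returning only the accept/reject outcome."""
    return policy.evaluate(AuthnContext(credential, flags, tuple(previous)))[0]


if __name__ == "__main__":
    policy = ChainedPolicy([SecondFactorOnlyRule(parse_aaguid_list(SECOND_FACTOR_ONLY))])
    print(decide(policy, RESTRICTED, FLAG_UP | FLAG_UV))              # False: UV does not help
    print(decide(policy, RESTRICTED, FLAG_UP, ["authn/Password"]))   # True: used as second factor
    print(decide(policy, HARDWARE, FLAG_UP))                         # True: not in the list
    print(decide(policy, NO_AAGUID, FLAG_UP))                        # True: nothing to match on
```

The last case is the one to keep in mind when relying on this rule: it only constrains credentials that were registered with attestation conveyance enabled, so enabling the policy without also storing AAGUIDs at registration gives no protection against the software authenticators it is meant to exclude.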

Reference

Properties

Name (Type, Default)
    Description

idp.authn.webauthn.usernameless.enabled (Boolean, false)
    Which type of flow is supported: usernameless (true) or passwordless (false).

idp.authn.webauthn.2fa.enabled (Boolean, false)
    Enable this flow to act as a second factor of authentication.

idp.authn.webauthn.2fa.allowedPreviousFactors (String list, authn/Password)
    Which previous factors are acceptable for the WebAuthn flow to act as a second factor of authentication.

idp.authn.webauthn.2fa.forceSecondFactorFlow (Boolean, false)
    Force the second-factor flow even if no acceptable previous factor ran.

idp.authn.webauthn.2fa.username.strategy (Bean reference, shibboleth.authn.webauthn.CanonicalUsernameLookupStrategy)
    The bean name of the username lookup strategy. By default, the username comes from the principal name established by the first factor.

idp.authn.webauthn.updateSignatureCount (Boolean, true)
    Whether to update the authenticator's signature counter in the credential repository after each successful authentication.

idp.authn.webauthn.passwordless.signalEventOnNoCredentials (Boolean, false)
    Whether to build an event if no credentials are found for the given user. Only applicable to passwordless authentication.

idp.authn.webauthn.passwordless.noCredentialsEventId (String, NoRegisteredWebAuthnCredentials)
    The event ID to signal when no credentials are found for the user.

idp.authn.webauthn.signalEventOnNoCredentialsRegisteredForUserHandle (Boolean, false)
    Whether to build a custom event if the userHandle supplied by the authenticator during authentication is not related to any registered credential.

idp.authn.webauthn.userHandleNoRegisteredCredentialsEventId (String, NoCredentialsRegisteredForUserHandle)
    The event ID to signal when no credentials can be found for the given userHandle.

idp.authn.webauthn.passwordless.username.uppercase (Boolean, false)
    Convert the username collected in the passwordless flow to upper case.

idp.authn.webauthn.passwordless.username.lowercase (Boolean, false)
    Convert the username collected in the passwordless flow to lower case.

idp.authn.webauthn.passwordless.username.trim (Boolean, false)
    Trim surrounding whitespace from the username collected in the passwordless flow.

idp.authn.webauthn.passwordless.c14n.postUsernameFlows (Bean reference, shibboleth.PostLoginSubjectCanonicalizationFlows)
    The ID of the bean that supplies the c14n flows applied to the username entered during the passwordless flow.
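The idp.authn.webauthn.updateSignatureCount property above is easy to read as a mere housekeeping option, so here is an added example (not the plugin's code) showing what the stored counter is for. The comparison follows the relying-party assertion verification procedure in the WebAuthn specification (section 7.2): when either the stored or the asserted counter is non-zero and the asserted value is not greater than the stored one, the authenticator may have been cloned. The update_signature_count parameter models what the property controls, namely whether the stored value is refreshed after a successful authentication. Whether the plugin performs this particular comparison is not stated on this page; the function and class names, the zero rpIdHash in the constructed authenticator data and the clone scenario are all assumptions made for the example.

```python
"""Added example: signature counter handling as a stand-alone model.

Not the plugin's code. The comparison follows the relying-party check in
the WebAuthn specification (section 7.2): if either the stored or the
asserted counter is non-zero and the asserted value is not greater than
the stored one, the authenticator may have been cloned. The
update_signature_count parameter models what the IdP property controls.
"""
import struct
from dataclasses import dataclass


@dataclass
class CredentialRecord:
    credential_id: bytes
    sign_count: int  # last counter value written to the credential repository


def sign_count_from_auth_data(auth_data: bytes) -> int:
    """authenticatorData = rpIdHash(32) | flags(1) | signCount(4, big-endian) | ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    return struct.unpack(">I", auth_data[33:37])[0]


def verify_sign_count(record: CredentialRecord, auth_data: bytes,
                      update_signature_count: bool = True) -> tuple:
    """Return (accepted, reason); record.sign_count is only written when updating is enabled."""
    asserted = sign_count_from_auth_data(auth_data)
    stored = record.sign_count
    if asserted == 0 and stored == 0:
        # Authenticator does not implement a counter; there is nothing to compare.
        return True, "counter not supported by authenticator"
    if asserted <= stored:
        # Stale or replayed counter: the spec treats this as a cloning signal.
        # This model fails closed; the spec leaves the reaction to the RP.
        return False, f"possible cloned authenticator: asserted {asserted} <= stored {stored}"
    if update_signature_count:
        record.sign_count = asserted
    return True, "counter advanced"


def make_auth_data(sign_count: int, flags: int = 0x01) -> bytes:
    """Constructed authenticator data with an all-zero rpIdHash; only the counter matters here."""
    return b"\x00" * 32 + bytes([flags]) + struct.pack(">I", sign_count)


def clone_scenario(update_signature_count: bool) -> bool:
    """The genuine authenticator signs with counter 5, then a clone of it replays
    counter 3. Returns whether the clone's assertion was accepted."""
    record = CredentialRecord(b"\x01", sign_count=0)
    verify_sign_count(record, make_auth_data(5), update_signature_count)
    accepted, _ = verify_sign_count(record, make_auth_data(3), update_signature_count)
    return accepted


if __name__ == "__main__":
    print(clone_scenario(update_signature_count=True))   # False: clone detected
    print(clone_scenario(update_signature_count=False))  # True: stored value stale, clone accepted
```

With updating disabled the stored value never advances past what was written at registration, so any assertion with a positive counter compares as fresh and the clone check degrades to a no-op; that is the trade-off behind leaving the property at its default of true.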

...