Overview
The plugin's critical component is the credential repository, which stores and loads credential registrations. The default credential repository uses the Shibboleth Storage Service, but other repository implementations can be used by implementing the WebAuthnCredentialRepository interface. The default repository uses the configured shibboleth.StorageService bean, although this can be overridden by naming a different bean in the idp.authn.webauthn.StorageService property.
In theory, any implementation of a storage service should be compatible, but consider its capabilities before using it. For example, for testing you can use client-side storage by referencing the bean shibboleth.ClientSessionStorageService in that property. That will store your credential registrations in the browser, so they are not portable across browsers; the credentials do survive an IdP restart, however, which may be useful during initial testing.
JDBC Example
In production, you may want to consider using a JDBC storage option. Assuming you do not already have a database suitable for use with the Shibboleth Storage Service (if you do, you can skip to step 3), then:

1. Install the JDBC storage plugin and create a new schema/database (e.g. webauthn) and a new table (e.g. webauthn.StorageRecords):

```sql
## This example is specific to MySQL
## Needed to support case sensitive queries in MySQL
CREATE SCHEMA IF NOT EXISTS `webauthn`
  DEFAULT CHARACTER SET latin1
  COLLATE latin1_general_cs;

CREATE TABLE webauthn.StorageRecords (
  context varchar(255) NOT NULL,
  id      varchar(255) NOT NULL,
  expires bigint DEFAULT NULL,
  value   text   NOT NULL,
  version bigint NOT NULL,
  PRIMARY KEY (context, id)
);
```
2. Add the following beans to conf/global.xml (replace <user> and <password> with the database credentials; the p: namespace is already declared in that file):

```xml
<bean id="JDBCDataSource" class="org.mariadb.jdbc.MariaDbDataSource">
    <property name="url" value="jdbc:mariadb://localhost:3306/webauthn" />
    <property name="user" value="<user>" />
    <property name="password" value="<password>" />
</bean>

<!-- dataSource-ref must name the data source bean defined above -->
<bean id="WebAuthnStorageService" parent="shibboleth.JDBCStorageService"
    p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
    p:dataSource-ref="JDBCDataSource" />
```
3. Set the storage service bean you want to use for WebAuthn (WebAuthnStorageService in this example) with the property idp.authn.webauthn.StorageService in conf/authn/webauthn.properties, i.e. idp.authn.webauthn.StorageService = WebAuthnStorageService.
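Before pointing the IdP at the new table, it is worth confirming that the schema really is case sensitive, since that is the stated reason for the latin1_general_cs collation above. The following MySQL check is added here and is not part of the plugin's documentation; the context and id values are constructed for the check only and the rows are deleted at the end.

```sql
-- Added verification (not from the plugin docs): confirm StorageRecords is case sensitive.
-- A case-insensitive (*_ci) collation would make keys that differ only in letter case
-- collide on the primary key, so distinct storage records could overwrite each other.

-- 1. Report the collation the table was actually created with (expect latin1_general_cs).
SELECT TABLE_COLLATION
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'webauthn' AND TABLE_NAME = 'StorageRecords';

-- 2. Insert two constructed records whose ids differ only in case.
--    Under latin1_general_cs both inserts succeed; under a *_ci collation the second
--    one fails with a duplicate-key error, which means the schema is wrong.
INSERT INTO webauthn.StorageRecords (context, id, expires, value, version)
  VALUES ('collation-check', 'AbC', NULL, 'constructed test value', 1);
INSERT INTO webauthn.StorageRecords (context, id, expires, value, version)
  VALUES ('collation-check', 'abc', NULL, 'constructed test value', 1);

-- 3. An exact-match lookup must return only the lower-case row, not both.
SELECT id
  FROM webauthn.StorageRecords
 WHERE context = 'collation-check' AND id = 'abc';

-- 4. Remove the constructed rows again.
DELETE FROM webauthn.StorageRecords WHERE context = 'collation-check';
```

If step 2 raises a duplicate-key error or step 3 returns two rows, recreate the schema with the case-sensitive collation before storing real registrations.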