Status: Release Candidate version 0.9.0 released. Requires IdP v5 and onward.
Overview
The authn/WebAuthn login flow supports the Web Authentication API (WebAuthn) as part of the FIDO2 standard—enabling FIDO2 authentication. This allows public-key-based strong authentication of users. The plugin can operate as either a single-factor within a wider multi-factor authentication, as a single-factor where the username is supplied by the user (passwordless flow), or as a single-factor where the username is not supplied by the user (usernameless flows using passkeys).
Plugin Installation
Plugin | Plugin ID | Module(s) | Depends On | Authentication Flow ID | Latest Version | Bug Reporting |
|---|---|---|---|---|---|---|
WebAuthn Authentication Plugin | net.shibboleth.idp.plugin.authn.webauthn | idp.authn.WebAuthn | authn/WebAuthn | 0.9.0-RC |
Installation of Pre-release Plugin
In summary, use the plugin command that ships with the IdP to install the plugin from either a local file pre-downloaded from https://shibboleth.net/downloads/prerelease/ or directly via the pluggin URL.
Note: during the Alpha phase, the --noCheck option is required for successful installation.
Installation
C:>\opt\shibboleth-idp\bin\plugin.bat --noCheck -i https://shibboleth.net/downloads/prerelease/idp-plugin-webauthn-0.0.2.tar.gz
or
$ /opt/shibboleth-idp/bin/plugin.sh --noCheck -i https://shibboleth.net/downloads/prerelease/idp-plugin-webauthn-0.0.2.tar.gz
or
$ /opt/shibboleth-idp/bin/plugin.sh --noCheck -i <plugin.tar.gz>
If installing from a local file, you need to ensure the GPG detached signature (e.g. the .asc file) is placed alongside the main plugin archive on disk.
If it has not been seen before, you will be asked to accept the key signing that signed the module into the trust store for this plugin. See PluginTrust for more information on how to ensure the contents of the plugin have not been modified.
Listing Installed Plugins
$ /opt/shibboleth-idp/bin/plugin.sh -l
or
C:>\opt\shibboleth-idp\bin\plugin.bat -l
Enabling the Module
For a detailed guide on configuring modules, see the ModuleConfiguration topic. Once the plugin has been installed, its module should be enabled automatically for you:
Check Module Is Enabled
/%{idp.home}/bin$ ./module.sh -l
...
Module: idp.authn.WebAuthn [ENABLED]
However, if you need to enable it you can using the module command:
Enable the module
/%{idp.home}/bin$ ./module.sh -e idp.authn.WebAuthn
Either manual or automatic module enablement will copy across the following configuration files from the jar:
Configuration files
File | Description |
|---|---|
| Properties file for configuration the plugin |
| XML file for configuration of new beans for the plugin |
| The authentication view |
| A username view for passwordless authentication |
| The FIDO2 credential registration view |
| A username view for the registration view |
| Additional styling for the WebAuthn views |
| Javascript library that wraps the WebAuthn API for encoding binary data |
| Additional Javascript to support functions on the WebAuthn views |
Example videos
Video | Description |
|---|---|
Register and use a new FIDO2 credential. Use Password and DuoOIDC MFA to authenticate (for the first time) to the registration page | |
Try usernameless login with no registered credentials (although some exist in the Chrome password manager). Then, register a new credential and use it as a passkey in a usernameless flow. | |
‘Philsmart’ has a registered credential which can be used to authenticate. The admin ‘pdoe' removes that credential and ‘philsmart’ can no longer authenticate. ‘philsmart’ is forced to register a new credential using Password and DuoOIDC MFA. Once registered ‘philsmart’ can authenticate with their new credential. |