{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"6"},"outline":{"value":"false"},"style":{"value":"disc"},"type":{"value":"list"},"printable":{"value":"true"}},"macroMetadata":{"macroId":{"value":"efebd759-ed3a-4cee-ac5e-0621304a2af7"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"9ef3e067-466e-442a-a66f-b2cca9765460"}},{"type":"heading","attrs":{"level":2},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"WebAuthnFlows"},"legacyAnchorId":{"value":"WebAuthnAuthentication-WebAuthnFlows"}},"macroMetadata":{"macroId":{"value":"a6539b5afda7b6e5fda92912c95a5fd6"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"c13dd864-1363-4280-9432-a428a806a017"}},{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"The WebAuthn flow can run as either a second single-factor authentication (similar to U2F, but using the WebAuthn APIs) or as a first and only (sole) factor of authentication which ","type":"text"},{"text":"could","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":" still satisfy multi-factor requirements (see ","type":"text"},{"text":"Authentication Context Classes","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878256667#ACR"}}]},{"text":" for more information). ","type":"text"}]},{"type":"paragraph","content":[{"text":"When operating in sole-factor authentication mode, the flow can be set up in two ways: a usernameless (true passkey) authentication mode, where the user is identified implicitly by their chosen credential, or in a passwordless authentication mode, where the user must first provide their username to identify themselves. Deciding between usernameless and passwordless modes is configured by toggling the usernameless property","type":"text"},{"text":" idp.authn.webauthn.usernameless.enabled ","type":"text","marks":[{"type":"strong"}]},{"text":"(it is false by default, denoting a passwordless mode).","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"AuthnFlows"},"legacyAnchorId":{"value":"WebAuthnAuthentication-AuthnFlows"}},"macroMetadata":{"macroId":{"value":"c5684245639c301c9a4ee8bc9ac0a50a3115dd25a7e8df9acdc575e4da5a8e59"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"9fd4f6ce-b47b-4395-9d6f-a62ad3e4a7bc"}},{"text":"Authentication Flows","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"usernameless-authn"},"legacyAnchorId":{"value":"WebAuthnAuthentication-usernameless-authn"}},"macroMetadata":{"macroId":{"value":"4a72bb323b73adc6ba750de198d17a4e78275a9eb811a72a29c03c40e372dfe2"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"227268f2-27b8-4e0b-8cd3-5b2fe6bc9aa3"}},{"text":"Usernameless (Passkey) flow","type":"text"}]},{"type":"paragraph","content":[{"text":"A usernameless flow does not require the user to enter their username during authentication, the user is implicitly identified from the credential they choose on the authenticator. To support a usernameless flow, the authenticator must allow Discoverable Credentials (previously known as a Resident Key and now referred to as a passkey) where the private key and associated metadata are stored on the authenticator (FIDO2 compatible authenticators should work). This is important, as the IdP, without a known username, will not be able to preselect a user and credential to use; this must come instead from the user selecting the correct credential—suitable for the IdPs origin—from the authenticator itself. ","type":"text"}]},{"type":"paragraph","content":[{"text":"During authentication, the authenticator is required to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"test the user is present by using some form of authorization gesture (for example, by touching the authenticator or clicking on a key to use), and ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"verify the user’s identity by some form of local authorization (for example, using a pin code or biometric recognition). ","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"passwordless-authn"},"legacyAnchorId":{"value":"WebAuthnAuthentication-passwordless-authn"}},"macroMetadata":{"macroId":{"value":"1d94fd4906a7087d1451c5355b04b9c64d1efbb996b2cc7e4c0f5152643c8b33"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"78318027-f8a1-4249-84bd-3b0218e34a1c"}},{"text":"Passwordless flow","type":"text"}]},{"type":"paragraph","content":[{"text":"A passwordless flow first requires the collection of the user’s username, and therefore, does not require storing credentials on the authenticator. Instead, for example, the credential can be encrypted and stored on the server (possibly in the credential ID sent to the server during registration and returned by the IdP during authentication). Additionally, the authenticator can use the set of user credentials known to the IdP to narrow down the possible options available for selection.","type":"text"}]},{"type":"paragraph","content":[{"text":"During authentication, the authenticator is required to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"test the user is present by using some form of authorization gesture (for example, by touching the authenticator or clicking on a key to use), and ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"verify the user’s identity by some form of local authorization (for example, using a PIN code or biometric recognition), and","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"test the credential requested by the IdP and used by the authenticator is allowed (has been registered with the IdP). ","type":"text"}]}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"The passwordless flow will pass the credential IDs of the user to the browser in the ","type":"text"},{"text":"allowCredentials","type":"text","marks":[{"type":"em"}]},{"text":" request option. This could be used to perform ","type":"text"},{"text":"username enumeration","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.w3.org/TR/webauthn-3/#sctn-username-enumeration"}}]},{"text":". If you are worried about this, either configure the usernameless or second factor flows.","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"2fa-authn"},"legacyAnchorId":{"value":"WebAuthnAuthentication-2fa-authn"}},"macroMetadata":{"macroId":{"value":"dfbf965a49c133dd4c3f45de95f359cf49ad0017fa1077dc5bc4e3992330d2c2"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"832417f1-6e0a-4885-9cb8-aeb8c0ec3de1"}},{"text":"Second factor authentication (2FA) flow","type":"text"}]},{"type":"paragraph","content":[{"text":"The WebAuthn flow will operate in second-factor mode automatically if the following three conditions are met. ","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The property ","type":"text"},{"text":"idp.authn.webauthn.2fa.enabled","type":"text","marks":[{"type":"strong"}]},{"text":" is set to true. ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A previous authentication factor has produced an AuthenticationResult from the MFA context. ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A principal name has been found through a lookup strategy, by default from the C14N context or the Session Context using the ","type":"text"},{"text":"CanonicalUsernameLookupStrategy","type":"text","marks":[{"type":"em"}]},{"text":". ","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"If these conditions are not met, authentication will revert to either a passwordless or usernameless flow (depending on which is enabled). ","type":"text"}]},{"type":"paragraph","content":[{"text":"The acceptable previous factors can be controlled by listing (comma-separated) authentication flows in the property ","type":"text"},{"text":"idp.authn.webauthn.2fa.allowedPreviousFactors","type":"text","marks":[{"type":"strong"}]},{"text":". The default is ","type":"text"},{"text":"authn/Password","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"If enabled, and you want to completely bypass the existing logic such that the WebAuthn flow for 2FA is always used, you can set the property ","type":"text"},{"text":"idp.authn.webauthn.2fa.forceSecondFactorFlow","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":"to ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"When acting as a 2nd factor of authentication, the username is gathered from the principal name as a result of the first factor by lookup strategy and any credentials registered to that username are retrieved. During authentication, the authenticator is then required to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"test the user is present by using some form of authorization gesture (for example, by touching the authenticator or clicking on a key to use), and ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"test the credential used is allowed (has been registered with the IdP).","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Note, this mode must be used within an appropriate MFA flow, where ","type":"text"},{"text":"authn/WebAuthn","type":"text","marks":[{"type":"code"}]},{"text":" is used as the second factor.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"MFAFlowConfig"},"legacyAnchorId":{"value":"WebAuthnAuthentication-MFAFlowConfig"}},"macroMetadata":{"macroId":{"value":"41791e126bd10e985675ddd91b6e1338"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"26f4b99c-9a0b-4ba9-be47-0e42a0d4a7f4"}},{"text":"Configuration of the MFA flow","type":"text"}]},{"type":"paragraph","content":[{"text":"Before you start, enable the ","type":"text"},{"text":"MFA","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":" login module and configure the flow in ","type":"text"},{"text":"conf/authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":". You could run the plugin as a standalone authentication method for the IdP. However, it is designed to work within a multi-factor authentication (MFA) flow even when used alone to provide single-factor authentication, this design allows for greater flexibility when configuring authentication routes. For example, if no credentials are available for WebAuthn authentication, it can fall back to using a password. ","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"WebAuthn as the sole factor of authentication","type":"text"}]},{"type":"paragraph","content":[{"text":"In its simplest form, you can set up the WebAuthn plugin as the only means of authentication in usernameless or passwordless modes.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note, that configuring only WebAuthn authentication will also require a FIDO2 credential to access the ","type":"text"},{"text":"registration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3879206915"}}]},{"text":" flow. Consequently, unless you have another mechanism of seeding the registration of credentials within the ","type":"text"},{"text":"credential repository","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878322213"}}]},{"text":", the user will not be able to access the registration page: please see the final ","type":"text"},{"text":"example","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878256667#MFAFlowConfigRegistration"}}]},{"text":" for a possible solution to this.","type":"text"}]},{"type":"expand","attrs":{"title":"Sole Factor WebAuthn MFA Config"},"content":[{"type":"paragraph","content":[{"text":"conf/authn/mfa-authn-config.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n \n \n \n ","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"WebAuthn as a second factor of authentication","type":"text"}]},{"type":"paragraph","content":[{"text":"As described in the ","type":"text"},{"text":"second-factor authentication section","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878256667#2fa-authn"}}]},{"text":", the WebAuthn flow can be used as a second factor of authentication where the user only needs to demonstrate possession of a registered credential (typically via a user gesture such as pressing a physical or virtual button). A simple MFA configuration which runs the ","type":"text"},{"text":"Password","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505587"}}]},{"text":" flow before determining if the WebAuthn flow should run is shown below:","type":"text"}]},{"type":"expand","attrs":{"title":"2nd Factor WebAuthn MFA Config"},"content":[{"type":"paragraph","content":[{"text":"conf/authn/mfa-authn-config.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n ","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"MFAFlowConfigRegistration"},"legacyAnchorId":{"value":"WebAuthnAuthentication-MFAFlowConfigRegistration"}},"macroMetadata":{"macroId":{"value":"5547da080bf202ec47d6f238a4c6d88422ca7d82ed0fbc722ae93aabcb9ca696"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"131fc236-3619-431c-8cad-3c948681b78a"}},{"text":"WebAuthn as the sole factor with password fallback for registration","type":"text"}]},{"type":"paragraph","content":[{"text":"The following MFA configuration establishes the WebAuthn plugin as a sole, single-factor, authentication method. However, it also permits the ","type":"text"},{"text":"auth/Password","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505587"}}]},{"text":" flow to be used if the user is in a WebAuthn registration flow and has not yet enrolled any FIDO2 credentials. This allows users to register their first FIDO2 credential by authenticating against their username and password (and possibly a different second-factor). After the first credential has been enrolled, there is no fallback option, and subsequent registration attempts will require a FIDO2 credential.","type":"text"}]},{"type":"expand","attrs":{"title":"Sole Factor WebAuthn MFA Config With Password Bypass For Registration"},"content":[{"type":"paragraph","content":[{"text":"conf/authn/mfa-authn-config.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]}]},{"type":"codeBlock","content":[{"text":" \n \n \n \n\n\n\n \n \n \n \n \n \n","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"If you follow this approach you MUST ensure you use (and think about) a suitable access control policy to prevent users from ‘downgrading’ the authentication mechanism used, see the ","type":"text"},{"text":"credential registration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3879206915"}}]},{"text":" section for more information.","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"CustomEventsOnNoCreds"},"legacyAnchorId":{"value":"WebAuthnAuthentication-CustomEventsOnNoCreds"}},"macroMetadata":{"macroId":{"value":"26c2d20101705bb87046a39d9c26b1c7ff881af7a96944461fb85485708ca1b1"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"3795ba38-e3d6-4b4e-bb30-40124185ea71"}},{"text":"Signalling custom events when the user has no registered credentials","type":"text"}]},{"type":"paragraph","content":[{"text":"There are two ways to signal a custom event to the IdP if the user has not registered a FIDO2 credential. The first signal can be emitted after collecting the username for the passwordless or 2FA flows. The second signal can be emitted after the authenticator has sent the attestation (authentication) response back to the IdP—this is the only signal you can expect from the usernameless (passkey) flow since there is no username collection step.","type":"text"}]},{"type":"paragraph","content":[{"text":"For the passwordless and second factor flows, setting ","type":"text"},{"text":"idp.authn.webauthn.passwordless.signalEventOnNoCredentials","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":"to true will signal a custom event ID (described by the property ","type":"text"},{"text":"idp.authn.webauthn.passwordless.noCredentialsEventId","type":"text","marks":[{"type":"strong"}]},{"text":") If the user identified by the username entered in the username input step has no registered FIDO2 credentials. This is signalled immediately ","type":"text"},{"text":"after","type":"text","marks":[{"type":"strong"}]},{"text":" username collection, ending the flow. To have return controlled to the MFA orchestration layer, the event must be described to the system in the ","type":"text"},{"text":"conf/authn/authn-events-flow.xml","type":"text","marks":[{"type":"em"}]},{"text":" in the ","type":"text"},{"text":"usual way","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":" (see the example below).","type":"text"}]},{"type":"paragraph","content":[{"text":"For all flows, but specifically for a usernameless (passkey) flow, setting ","type":"text"},{"text":"idp.authn.webauthn.signalEventOnNoCredentialsRegisteredForUserHandle","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":"to true will signal a custom eventID (described by the property ","type":"text"},{"text":"idp.authn.webauthn.userHandleNoRegisteredCredentialsEventId","type":"text","marks":[{"type":"strong"}]},{"text":") if the user, identified by the userHandle (","type":"text"},{"text":"user.id","type":"text","marks":[{"type":"link","attrs":{"href":"http://user.id"}}]},{"text":") in the authenticator's attestation response, does not belong to a known user with at least one registered FIDO2 credential. The event is signalled","type":"text"},{"text":" before","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":"the attestation (authentication) response is validated. Again, the event must be described to the system in the ","type":"text"},{"text":"conf/authn/authn-events-flow.xml","type":"text","marks":[{"type":"em"}]},{"text":" in the ","type":"text"},{"text":"usual way","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":" if it is to be used as a transition in the MFA flow (see the example below).","type":"text"}]},{"type":"expand","attrs":{"title":"Custom Event MFA Usage Example"},"content":[{"type":"paragraph","content":[{"text":" To capture the new event IDs as signals to transition to an end-state of the WebAuthn flow (and not trigger an IdP InvalidEvent):","type":"text"}]},{"type":"paragraph","content":[{"text":"conf/authn/authn-events-flow.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n \n\n \n\n \n \n\n \n \n \n \n \n\n\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Example MFA flow configuration that uses the new events after first running the WebAuthn flow:","type":"text"}]},{"type":"paragraph","content":[{"text":"conf/authn/mfa-authn-config.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n ","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Using this feature needs careful consideration. You probably do not, for example, want to use ","type":"text"},{"text":"signalEventOnNoCredentialsRegisteredForUserHandle","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":" as a signal to allow a user to drop back into a username and password flow because anybody could bypass WebAuthn authentication just by using a credential they know does not exist (although the ‘attacker’ would need to have an authenticator with a credential registered for that TLS protected origin, e.g., a previously registered and removed key for a different account).","type":"text"}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"WebAuthn as the sole factor, using custom events to drive a fallback for registration and authentication","type":"text"}]},{"type":"paragraph","content":[{"text":"Some of the MFA configurations discussed so far allow different authentication methods to run as a fallback if the user has no registered FIDO2 credentials. This requires the registration step to provide its own username collection page so a decision can be made about which flow to follow when the user has not registered any credentials. This only affects registration, if a user performs authentication without first registering a FIDO2 credential, the authentication flow will ultimately fail. This is probably a good thing, however, for flexibility it is possible to disable username collection on the registration flow and delegate ‘NoCredentials’ signalling to the authentication flow using custom events. ","type":"text"}]},{"type":"paragraph","content":[{"text":"To disable username collection on the registration flow, set the ","type":"text"},{"text":"idp.authn.webauthn.registration.collectUsername ","type":"text","marks":[{"type":"strong"}]},{"text":"property","type":"text"},{"text":" ","type":"text","marks":[{"type":"strong"}]},{"text":"to false","type":"text"},{"text":". ","type":"text","marks":[{"type":"strong"}]},{"text":"Then, configure the MFA flow to trigger a different authentication flow if the user has no credentials—following the examples in the ","type":"text"},{"text":"custom events","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878256667#CustomEventsOnNoCreds"}}]},{"text":" topic. It is worth noting this will affect registration and standard authentication. That is, any user without credentials will end up signalling those custom events, and, if the MFA flow is set up with a fallback flow, they will authenticate using that fallback. For registration you can of course require that the fallback method (all methods really) was of a particular quality by setting the default authentication methods property ","type":"text"},{"text":"idp.authn.webauthn.admin.registration.defaultAuthenticationMethods","type":"text","marks":[{"type":"strong"}]},{"text":" to require MFA (or whatever you want). Similarly, if the Service Provider has requested MFA in their request, the authentication fallback for a standard authentication must produce an authentication result that satisfies the request.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"WebAuthn as the sole factor, using custom events to drive a different two-factor fallback for authentication and registration","type":"text"}]},{"type":"paragraph","content":[{"text":"Enabling event signaling when a user does not yet have a registered FIDO2 credential allows us to configure an alternative type of two-factor authentication fallback. For example, the following MFA configuration will first initiate the WebAuthn flow, which will fail if the user does not have any registered credentials. If that occurs, the process will then proceed to the ","type":"text"},{"text":"auth/Password","type":"text","marks":[{"type":"code"}]},{"text":" flow. If necessary (for instance, if requested by the service provider), it will also include the ","type":"text"},{"text":"authn/DuoOIDC","type":"text","marks":[{"type":"code"}]},{"text":" flow to perform a second-factor authentication. After users register their first key, they will use the WebAuthn plugin for authentication exclusively.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"If either registration or admin flows are configured to require MFA (by setting their default authentication methods), they will also fall back to ","type":"text"},{"text":"authn/Password","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"authn/DuoOIDC","type":"text","marks":[{"type":"code"}]},{"text":". ","type":"text"}]}]},{"type":"expand","attrs":{"title":"WebAuthn MFA Flow With Password and Duo fallback"},"content":[{"type":"paragraph","content":[{"text":"conf/authn/mfa-authn-config.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]}]},{"type":"codeBlock","content":[{"text":"\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n ","type":"text"}]},{"type":"paragraph"}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"Prepopulating the WebAuthn username into the authn/Password flow","type":"text"}]},{"type":"paragraph","content":[{"text":"When using the passwordless flow with a fallback to ","type":"text"},{"text":"authn/Password","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505587"}}]},{"text":", you can modify the ","type":"text"},{"text":"login.vm","type":"text","marks":[{"type":"em"}]},{"text":" view to pre-fill the username input with the username entered into the WebAuthn context. For example, at the top of ","type":"text"},{"text":"login.vm","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"#set ($webAuthnCtx= $authenticationContext.getSubcontext(\"net.shibboleth.idp.plugin.authn.webauthn.context.WebAuthnAuthenticationContext\"))\n#set ($webAuthnUsername = $webAuthnCtx.getRawUsername())","type":"text"}]},{"type":"paragraph","content":[{"text":"Which you can then use to automatically fill in the username field:","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"See ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510790"}},{"text":" for a detailed look at the IdP’s view templates. ","type":"text"}]},{"type":"paragraph","content":[{"text":"A malicious party could still alter the username, preventing which would require server-side measures (e.g. a post-flow step in the ","type":"text"},{"text":"MFA Flow","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/pages/resumedraft.action?draftId=3878256667"}}]},{"text":", or a ","type":"text"},{"text":"post-login authentication flow","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199509815"}}]},{"text":"). However, there is typically no need to add those since the service provider is responsible for determining the strength of the authentication required.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"ACR"},"legacyAnchorId":{"value":"WebAuthnAuthentication-ACR"}},"macroMetadata":{"macroId":{"value":"13d88f30e895ef98adff53da03bf282918d1bd795708f1ad9b5036f48163d406"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"7d583b45-3f69-402e-b7f9-692021d309e4"}},{"text":"Authentication Context Classes (Supported Principals)","type":"text"}]},{"type":"paragraph","content":[{"text":"As with all authentication flows, the WebAuthn plugin exposes a collection of ","type":"text"},{"text":"supportedPrincipals","type":"text","marks":[{"type":"code"}]},{"text":"compatible with the type of authentication mechanism used. By default, the ","type":"text"},{"text":"idp.authn.webauthn.supportedPrincipals ","type":"text","marks":[{"type":"strong"}]},{"text":"property contains placeholder examples for what these could be. ","type":"text"}]},{"type":"paragraph","content":[{"text":"The set you specify for the flow is entirely up to you based on the type of authentication flow you have configured and what authentication assurances you want. For example, when used as a second factor in 2FA mode, it seems feasible to signal MFA from the WebAuthn plugin. On the other hand, using the plugin alone, in either passwordless or usernameless modes, may not be enough to signal MFA unless you are certain that the credential is tied to a specific device (a device-bound passkey)—which cannot currently be determined from the plugin. Even if the typical passkey process—which requires user verification—combines ‘something you are’ (biometrics) or ‘something you know’ (pin) with ‘something you have’ (an authenticator) if the credential is synchronized across multiple devices (as is common with passkey providers like iCloud Keychain and Google Password Manager), it could be argued that the authenticator does not qualify as 'something you have'—although they may still provide adequate multi-factor authentication assurances in certain circumstances. Either way, it is up to you to decide how best to handle this.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Authentication Credential Policies","type":"text"}]},{"type":"paragraph","content":[{"text":"The authentication flow comes with a basic, extendable, policy engine for accepting and rejecting FIDO2 credentials at the point of use. To enable policy checks, set the property ","type":"text"},{"text":"idp.authn.webauthn.credential.policy.enabled","type":"text","marks":[{"type":"strong"}]},{"text":" to true in ","type":"text"},{"text":"conf/authn/webauthn.properties.","type":"text","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"text":"In addition to inspecting the authenticating FIDO2 credential, a policy can also make decisions regarding the authenticator that ","type":"text"},{"text":"created","type":"text","marks":[{"type":"strong"}]},{"text":" the credential, but only if the Authenticator Attestation GUID (AAGUID) was stored with the credential during registration. For guidance on how to configure this, refer to the ","type":"text"},{"text":"attestation conveyance","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3879206915#AttestationConveyance"}}]},{"text":" registration section.","type":"text"}]},{"type":"paragraph","content":[{"text":"The default policy is defined by a list ","type":"text"},{"text":"shibboleth.authn.WebAuthn.ChainedCredentialPolicyList","type":"text","marks":[{"type":"strong"}]},{"text":" of policies configured in ","type":"text"},{"text":"conf/authn/webauthn-config.xml. ","type":"text","marks":[{"type":"em"}]},{"text":"Out of the box, the following policies are included:","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"e05c027f-db7c-483f-9aff-17c835f62713"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-accent-gray-subtlest, var(--ds-background-accent-gray-subtlest, #F1F2F4))","rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Policy Name","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-accent-gray-subtlest, var(--ds-background-accent-gray-subtlest, #F1F2F4))","rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-accent-gray-subtlest, var(--ds-background-accent-gray-subtlest, #F1F2F4))","rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Value","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"SecondFactorOnlyCredentialPolicyRule","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"A list of authenticators based on their Authenticator Attestation GUID (AAGUID) that can only be used for second-factor authentication, and will be rejected if used as a sole factor of authentication. ","type":"text"}]},{"type":"paragraph","content":[{"text":"Even if the authenticator indicates User Verification during authentication, the credential can still be excluded. This is potentially useful for omitting untrusted software authenticators.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"The comma-separated list of authenticators can be directly specified in the XML configuration or, for convenience, set by the ","type":"text"},{"text":"idp.authn.webauthn.authenticator.policy.secondFactorOnlyAuthenticators ","type":"text","marks":[{"type":"em"}]},{"text":"property.","type":"text"}]}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"In the future, it will be possible to inspect the authenticator used ","type":"text"},{"text":"during","type":"text","marks":[{"type":"em"}]},{"text":" authentication and not just the authenticator that created the credential. This is useful if the credential has been transferred to a different authenticator. ","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Authentication Credential Filter Policies","type":"text"},{"text":"(1.1.0)","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]},{"type":"paragraph","content":[{"text":"In addition to the ","type":"text"},{"text":"Authentication Credential Policy","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878256667/WebAuthnAuthentication#Authentication-Credential-Policies"}}]},{"text":", which determines whether the credential a user has used for authentication is accepted or rejected, a Filter policy engine can be enabled for passwordless and second-factor authentication flows. This engine restricts the credentials that a user can use ","type":"text"},{"text":"before","type":"text","marks":[{"type":"em"}]},{"text":" they attempt to authenticate. This can not be applied to the usernameless mode, as the user (and credentials) are not identified until ","type":"text"},{"text":"after","type":"text","marks":[{"type":"em"}]},{"text":" the WebAuthn authentication ceremony has been performed.","type":"text"}]},{"type":"paragraph","content":[{"text":"The policy functions similarly to the Authentication Credential Policy and, by default, utilizes the same credential policies defined in the list ","type":"text"},{"text":"shibboleth.authn.WebAuthn.ChainedCredentialPolicyList","type":"text","marks":[{"type":"strong"}]},{"text":". You can change the policy by specifying a new policy bean of type ","type":"text"},{"text":"CredentialPolicy","type":"text","marks":[{"type":"code"}]},{"text":" in the property ","type":"text"},{"text":"idp.authn.webauthn.credential.filter.policy.","type":"text","marks":[{"type":"strong"}]},{"text":" To enable filter checks, set the property ","type":"text"},{"text":"idp.authn.webauthn.credential.filter.policy.enabled","type":"text","marks":[{"type":"strong"}]},{"text":" to true in ","type":"text"},{"text":"conf/authn/webauthn.properties.","type":"text","marks":[{"type":"em"}]},{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"At this point it is worth thinking about what happens if all of a user's credentials have been filtered. If all are filtered and none exist in the call to the WebAuthn API, the authenticator will ask you to choose any of those it has registered for that site, thereby enabling you to select one of the excluded credentials. Despite the final ","type":"text"},{"text":"Authentication Credential Policy","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878256667/WebAuthnAuthentication#Authentication-Credential-Policies"}}]},{"text":" acting as a guard against accepting this credential, the filter engine will throw a non-proceed event back to the flow if all credentials have been filtered. By default, it signals the ","type":"text"},{"text":"NoCredentials","type":"text","marks":[{"type":"code"}]},{"text":"event, but you can customise that using the ","type":"text"},{"text":"idp.authn.webauthn.credential.filter.policy.noCredentialsEventId","type":"text","marks":[{"type":"strong"}]},{"text":" property.","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"At this point, it's important to consider what happens if there are no credentials left after filtering. If that happens, the ","type":"text"},{"text":"allowCredentials","type":"text","marks":[{"type":"code"}]},{"text":" set will be empty in the call to the WebAuthn API, and the authenticator will prompt the user to choose any credential registered to that site: likely allowing the selection of one of the excluded credentials. Despite the final ","type":"text"},{"text":"Authentication Credential Policy","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3878256667/WebAuthnAuthentication#Authentication-Credential-Policies"}}]},{"text":" acting as a guard against accepting this credential, the filter engine will trigger a non-proceed event in the flow if all credentials have been filtered out. By default, it signals a \"NoCredentials\" event, but you can customize this behaviour by setting the ","type":"text"},{"text":"idp.authn.webauthn.credential.filter.policy.noCredentialsEventId","type":"text","marks":[{"type":"strong"}]},{"text":" property.","type":"text"}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"Properties"},"content":[{"type":"table","attrs":{"layout":"full-width","localId":"5dc312fc-5dab-4c4b-a9a5-9dd022ffe8a3"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.usernameless.enabled","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Which type of flow is supported? Usernameless (true) or passwordless (false)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.2fa.enabled","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Enable this flow to act as second factor authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.2fa.allowedPreviousFactors","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"String list","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"authn/Password","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Which previous factors are acceptable to allow the WebAuthn flow to act as a second factor of authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.2fa.forceSecondFactorFlow","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Force second factor even if no acceptable previous factors ran","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.2fa.username.strategy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Bean reference","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.webauthn.CanonicalUsernameLookupStrategy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"The bean name of the username lookup strategy. By default, this comes from the principal name established by the first factor.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"dp.authn.webauthn.updateSignatureCount","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Should we update an authenticators signature counter inside the credential repository after each successful authentication?","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.passwordless.signalEventOnNoCredentials","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Should an event be built if there are no credentials found for the given user? Only applicable to passwordless authentication.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.passwordless.noCredentialsEventId","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"NoRegisteredWebAuthnCredentials","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"If an event is triggered when no credentials are found for the user, what should the event ID be?","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.signalEventOnNoCredentialsRegisteredForUserHandle","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Should a custom event be built if the userHandle supplied by the authenticator during authentication is not related to any registered credentials?","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.userHandleNoRegisteredCredentialsEventId","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"NoCredentialsRegisteredForUserHandle","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"If an event is triggered when no credentials can be found for the given userHandle, what should the event ID be?","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.passwordless.username.uppercase","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Basic transformations that should be applied to the username that is collected as part of the passwordless flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.passwordless.username.lowercase","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Basic transformations that should be applied to the username that is collected as part of the passwordless flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.passwordless.username.trim","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Basic transformations that should be applied to the username that is collected as part of the passwordless flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.passwordless.c14n.postUsernameFlows","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ref","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.PostLoginSubjectCanonicalizationFlows","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"The ID of the bean that supplies the c14n flows that are applied to the username entered during the passwordless flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.credential.policy.enabled","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph"}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.credential.policy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Bean reference","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.ChainedCredentialPolicy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"The bean that implements the credential filter policy","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.credential.policy.chainedlist","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Bean reference","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.ChainedCredentialPolicyList","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"When using the default shibboleth.authn.WebAuthn.ChainedCredentialPolicy, which policy list should we use","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.authenticator.policy.secondFactorOnlyAuthenticators","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"List","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"When using the default chained list of policies; list authenticators (by attestation GUIDs (AAGUID)) to tag as only allowed for second-factor authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.removeAfterValidation","type":"text"},{"text":"1.1.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Remove the WebAuthnAuthentication context from the tree after authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.2fa.signalEventOnNoCredentials","type":"text"},{"text":"1.1.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Should an event be built if there are no credentials found for the given user? Only applicable to second-factor authentication.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.2fa.noCredentialsEventId","type":"text"},{"text":"1.1.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"NoRegisteredWebAuthnCredentials","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"If an event is triggered when no credentials are found for the user, what should the event ID be?","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.updateLastUsedTime","type":"text"},{"text":"1.1.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Update the last used time of a credential after a successful authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.credential.filter.policy.enabled","type":"text"},{"text":"1.1.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"Enable the credential filter policy engine for passwordless and second-factor flows. This runs before the user has had the opportunity to authenticate.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.credential.filter.policy","type":"text"},{"text":"1.1.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"Bean reference","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.ChainedCredentialPolicy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"The bean that implements the credential filter policy","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[289.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.webauthn.credential.filter.policy.noCredentialsEventId","type":"text"},{"text":"1.1.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[205.0]},"content":[{"type":"paragraph","content":[{"text":"NoCredentials","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[389.0]},"content":[{"type":"paragraph","content":[{"text":"If the user is left with an empty set of credentials after filtering, what non-proceed event should be signalled?","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans"},"content":[{"type":"table","attrs":{"layout":"full-width","localId":"1bde9086-567d-4522-9351-143a57302138"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.ChainedCredentialPolicyList","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"List","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.List"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"List of credential policies to apply during authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.WebAuthnAuthenticationClientFactory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"WebAuthnAuthenticationClientFactory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"The WebAuthn client factory that creates a ","type":"text"},{"text":"WebAuthnAuthenticationClient","type":"text","marks":[{"type":"code"}]},{"text":" that performs critical WebAuthn functions.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.SecondFactorOverride","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"Should the authentication flow run in 2FA mode irrespective of the conventional logic used to determine that.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.passwordless.UsernameTransformations","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"List","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.List"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":" Match patterns and replacement strings to apply to the username collected for passwordless authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.ChallengeGeneratorStrategy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",byte[]>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"The strategy used to generate the WebAuthn challenge","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.CredentialRepository","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"WebAuthnCredentialRepository","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"The credential repository to use","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.UpdateSignatureCountPredicate","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"A predicate that determines if the signature counter should be updated for every authentication operation. ","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.RemoveAfterValidation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"Consumer","type":"text","marks":[{"type":"underline"},{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Consumer"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"A cleanup hook that is executed on successful authentication.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.AuditExtractors","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"MapFactoryBean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"A Map of audit extractors to use","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[398.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.WebAuthn.WebAuthnFidoMetadataServiceFactory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[294.0]},"content":[{"type":"paragraph","content":[{"text":"FidoMetadataServiceFactory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[396.0]},"content":[{"type":"paragraph","content":[{"text":"The FIDO metadata factory that creates a ","type":"text"},{"text":"FidoMetadataService","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]}]}]}]}],"version":1}

Browser not supported