WebAuthnCredentialManagement

Overview

In addition to users managing their own credentials, there is an admin flow that lets administrators manage other users' credentials: specifically, to search for a user and remove that user's registered credentials from the credential repository.

The management flow can be accessed by navigating to:

http[s]://hostname/idp/profile/admin/webauthn-management

As with the registration flow, the management flow uses whichever authentication method is enabled. Importantly, the client and user accessing the management function are subject to an AccessControlConfiguration policy selected by the property idp.authn.webauthn.admin.management.accessPolicy; by default this is the AccessByAdmin policy. Given the purpose of this flow, it is important to set a suitably restrictive access policy. It is equally essential that an appropriate authentication method is actually executed, even if a fallback has been configured for administrators who lack FIDO2 credentials. This is controlled by the idp.authn.webauthn.admin.management.defaultAuthenticationMethods property, which defaults to saml2/http://example.org/ac/classes/mfa. This default is intentional; give careful consideration to the consequences before changing it.
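The two settings above, written out as they would appear in the IdP's property configuration. This is an added example and not configuration shipped with the plugin; the property names are the ones documented on this page, while the policy name AccessByWebAuthnAdmins is a hypothetical entry that you would have to define yourself in conf/access-control.xml (the file where IdP access-control policies live). The commented-out lines show the settings a practitioner should not copy: an empty defaultAuthenticationMethods removes the restriction to the MFA authentication context class, and authenticated=false would let the flow run without an authenticated administrator.

```properties
# Added example; not part of the plugin distribution.
# Property names are from this page; "AccessByWebAuthnAdmins" is a hypothetical
# policy assumed to be defined in conf/access-control.xml.

# --- Weak (do not use): ---------------------------------------------------
# Dropping the authentication-context restriction lets any enabled login flow
# satisfy the management flow, including single-factor fallbacks.
# idp.authn.webauthn.admin.management.defaultAuthenticationMethods =
# idp.authn.webauthn.admin.management.authenticated = false

# --- Recommended: ---------------------------------------------------------
# Narrow, named access policy for the people allowed to delete other users'
# credentials (defined in conf/access-control.xml; name is an assumption).
idp.authn.webauthn.admin.management.accessPolicy = AccessByWebAuthnAdmins

# Require an authenticated administrator (the page's default, stated explicitly).
idp.authn.webauthn.admin.management.authenticated = true

# Keep the documented default: only flows that can produce the MFA context
# class may be used to reach this flow.
idp.authn.webauthn.admin.management.defaultAuthenticationMethods = saml2/http://example.org/ac/classes/mfa

# Auditing is off by default; turn it on so credential removals leave a record.
idp.authn.webauthn.admin.management.audit.enabled = true
```

The audit.enabled setting is included because the page's default for it is false; with a flow whose purpose is to delete other users' credentials, an audit trail of who removed what is the minimum a practitioner will want when a deletion is disputed.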

The process is straightforward: first, search for a user by username to display their registered credentials; then delete one or more of those credentials before completing the flow.


Reference

Properties

idp.authn.webauthn.admin.management.logging
    Type: String
    Default: WebAuthnCredentialManagement
    Description: The flow logging ID.

idp.authn.webauthn.admin.management.accessPolicy
    Type: Predicate<ProfileRequestContext>
    Default: AccessByAdmin
    Description: The access policy to apply.

idp.authn.webauthn.admin.management.resolveAttributes
    Type: Boolean
    Default: true
    Description: Resolve attributes about the user after authentication.

idp.authn.webauthn.admin.management.authenticationFlows
    Type: Function<ProfileRequestContext,Collection<String>>
    Default: (empty)
    Description: Restrict the usable authentication flows.

idp.authn.webauthn.admin.management.postAuthenticationFlows
    Type: Function<ProfileRequestContext,Collection<String>>
    Default: (empty)
    Description: A list of post-authentication interceptor flows.

idp.authn.webauthn.admin.management.defaultAuthenticationMethods
    Type: Function<ProfileRequestContext,Collection<Principal>>
    Default: saml2/http://example.org/ac/classes/mfa
    Description: Limits the authentication flows to use for requests by supported principals.

idp.authn.webauthn.admin.management.genericMessageID
    Type:
    Default:
    Description:

idp.authn.webauthn.admin.management.authenticated
    Type: Boolean
    Default: true
    Description: Require authentication to use the management flow.

idp.authn.webauthn.admin.management.infoMessageFunction
    Type: Bean reference
    Default: DefaultAdminInfoMessageFunction
    Description: Information message function used to pull out INFO messages for the views.

idp.authn.webauthn.admin.management.errorMessageFunction
    Type: Bean reference
    Default: DefaultAdminErrorMessageFunction
    Description: Error message function used to pull out ERROR messages for the views.

idp.authn.webauthn.admin.management.audit.enabled
    Type: Boolean
    Default: false
    Description: Enable management flow auditing.

idp.authn.webauthn.admin.management.audit.format
    Type: String
    Default: %a|%T|%u|%WebAuthnAdminAO|%WebAuthnAdminAction|%WebAuthnAdminCR|%WebAuthnAdminAU|%UA
    Description: The management audit format.

idp.authn.webauthn.admin.management.audit.category
    Type: String
    Default: Shibboleth-Audit.WebAuthnManagment
    Description: The category name of the management audit logger.
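Once auditing is enabled, the lines written under the category above follow the audit.format string. The following added example (not code from the plugin or the Shibboleth project) derives column names from that format string and parses lines into named fields, so the same parser works unchanged if you customise the format. %a (remote address), %T (timestamp), %u (username) and %UA (user agent) are the standard IdP audit tokens; the %WebAuthnAdmin* columns are kept under their token names because this page does not define their contents. The sample log lines, the action values "Search" and "Delete", and the credential identifiers are constructed for the example and are not observed plugin output.

```python
"""Parse lines written in the WebAuthn admin-management audit format.

Added example, not part of the Shibboleth WebAuthn plugin. The format string
is the page's documented default. %a, %T, %u and %UA are the standard IdP
audit tokens (remote address, timestamp, username, user agent); the
%WebAuthnAdmin* columns are kept under their token names because the page
does not define them. SAMPLE_LOG and the action values "Search"/"Delete"
are constructed for this example.
"""
from typing import Dict, Iterable, List

MANAGEMENT_AUDIT_FORMAT = ("%a|%T|%u|%WebAuthnAdminAO|%WebAuthnAdminAction|"
                           "%WebAuthnAdminCR|%WebAuthnAdminAU|%UA")


def format_fields(fmt: str) -> List[str]:
    """Derive ordered column names from the format: '%a|%T' -> ['a', 'T']."""
    return [tok[1:] if tok.startswith("%") else tok for tok in fmt.split("|")]


def parse_audit_line(line: str, fmt: str = MANAGEMENT_AUDIT_FORMAT) -> Dict[str, str]:
    """Split one audit line into a dict keyed by the format's token names.

    Only len(fields)-1 splits are made so that the trailing free-text column
    (the user agent) survives even if it itself contains '|'. Lines shorter
    than the format are padded with empty strings rather than raising.
    """
    fields = format_fields(fmt)
    parts = line.rstrip("\r\n").split("|", len(fields) - 1)
    parts += [""] * (len(fields) - len(parts))
    return dict(zip(fields, parts))


def parse_audit_log(text: str, fmt: str = MANAGEMENT_AUDIT_FORMAT) -> List[Dict[str, str]]:
    """Parse every non-blank line of an audit log."""
    return [parse_audit_line(line, fmt) for line in text.splitlines() if line.strip()]


def unexpected_admin_actions(records: Iterable[Dict[str, str]],
                             allowed_admins: Iterable[str],
                             action: str = "Delete") -> List[Dict[str, str]]:
    """Return records whose action matches but whose %u is not an expected admin.

    The flow's access policy should already prevent this, so any hit means the
    configured policy is broader than the operator's own allow-list.
    """
    allowed = set(allowed_admins)
    return [r for r in records
            if r["WebAuthnAdminAction"] == action and r["u"] not in allowed]


# Constructed sample data (not real plugin output); columns follow the default format.
SAMPLE_LOG = """\
192.0.2.10|20240301T101500Z|admin1|jdoe|Search|||Mozilla/5.0
192.0.2.10|20240301T101640Z|admin1|jdoe|Delete|cred-01||Mozilla/5.0
198.51.100.7|20240301T231200Z|helpdesk|asmith|Delete|cred-07||curl/8.4.0
"""

if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_LOG)
    # With admin1 as the only expected operator, the "helpdesk" deletion is flagged.
    for r in unexpected_admin_actions(records, allowed_admins={"admin1"}):
        print(r)
```

Feed it the file your logging configuration writes for the Shibboleth-Audit.WebAuthnManagment category, and keep the allow-list in step with whatever policy you bound to accessPolicy; a non-empty result from unexpected_admin_actions is the signal that the two have drifted apart.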

Beans

shibboleth.authn.WebAuthn.WebAuthnAuthenticationClientFactory
    Type: WebAuthnAuthenticationClientFactory
    Description: The WebAuthn client factory that creates a WebAuthnAuthenticationClient, which performs the critical WebAuthn functions.

shibboleth.authn.WebAuthn.CredentialRepository
    Type: WebAuthnCredentialRepository
    Description: The credential repository to use.

shibboleth.authn.WebAuthn.WebAuthnFidoMetadataServiceFactory
    Type: FidoMetadataServiceFactory
    Description: The FIDO metadata factory that creates a FidoMetadataService.

shibboleth.authn.WebAuthn.registration.audit.AuditExtractors
    Type: MapFactoryBean
    Description: A Map of audit extractors to use.
