FIDO2 Configuration
This topic describes the parameters that each configuration option sets.
Create a FIDO2 Relying Party
There are two distinct configuration modes for creating a FIDO2 Relying Party; either mode results in a configured, functional FIDO2 Relying Party.
FIDO2 Relying Party Configuration is accessed through AAC > Manage > FIDO2 Configuration.
Simple Configuration
Creating a FIDO2 Relying Party with the Simple Configuration results in a relying party that uses the out-of-the-box defaults for most settings. Values must be specified for the following parameters:
- Name
  - The display name for the FIDO2 Relying Party.
- Relying Party ID
  - The Relying Party ID is a valid domain string that identifies the WebAuthn Relying Party. When an authenticator is registered to a Relying Party, that registration is only valid for authenticating to that Relying Party. An example Relying Party ID is “example.com”. The following Relying Party ID examples are invalid:
    - https://example.com: the protocol is not included in the Relying Party ID
    - example.com/example_path: the path is not included in the Relying Party ID
Advanced Configuration
Creating a FIDO2 Relying Party with the Advanced Configuration results in a fully customized relying party that uses the options specified. Values must be specified for the following parameters:
- Name
  - The display name for the FIDO2 Relying Party.
- Relying Party ID
  - The Relying Party ID is a valid domain string that identifies the WebAuthn Relying Party. When an authenticator is registered to a Relying Party, that registration is only valid for authenticating to that Relying Party. An example Relying Party ID is “example.com”. The following Relying Party ID examples are invalid:
    - https://example.com: the protocol is not included in the Relying Party ID
    - example.com/example_path: the path is not included in the Relying Party ID
- Administrative Group
  - Requests made to the FIDO2 server attestation and assertion endpoints usually contain username information in the message payload. Verify Access enforces that this user information matches the authenticated session user (for example, the user currently logged in via a Verify Access session cookie) unless the currently authenticated Verify Access user is a member of this administrative group. Membership of this administrative group is intended for application service identities that act on behalf of users they have authenticated locally.
- WebAuthn Specification Enforcement
  - The WebAuthn Specification enforces user presence as a requirement during attestation and assertion.
- Attestation Types
  - See Attestation.
- Attestation Statement Format
  - See Attestation.
- Public Key Algorithms
  - See Public Key Algorithms.
- Android SafetyNet Options
  - When Android SafetyNet is selected in Attestation Statement Formats, values can be specified for the following options:
    - Attestation Max Age: the maximum age, in milliseconds, of an attestation that uses the Android SafetyNet Statement Format.
    - Clock Skew: the amount of variance, in milliseconds, allowed when validating an attestation statement on the appliance.
- Metadata
  - See Attestation. The following formats are valid FIDO2 Metadata file formats:
    - FIDO MDS document (.json file extension)
    - Yubico Metadata (.yubico file extension)
    - PEM Certificate (.pem file extension)
  - More than one Metadata file can be selected for this FIDO2 Relying Party.
- Metadata Enforcement
  - When Metadata Enforcement is enabled for a FIDO2 Relying Party, the authenticator metadata is validated against the set of Metadata files enabled for this Relying Party, and the registration fails if this validation fails.
  - When Metadata Enforcement is disabled for a FIDO2 Relying Party, the authenticator metadata is still validated, but if this validation fails the registration can still be allowed to succeed.
- Mediator Mapping Rules
  - See FIDO2 Mediation. Leaving the selection as None disables FIDO2 Mediation on this FIDO2 Relying Party.
- Origins
  - Specifies a list of permitted origin URIs. A FIDO message from a client must contain an origin from this list for the message to be validated. Typically, the origin is the domain name of the website performing FIDO authentication, using the https:// scheme, optionally followed by a port number.
For information on FIDO2 Metadata and FIDO2 Mediation, see Concepts and FIDO2 Mediation.
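As an added example (not Verify Access code and not part of this documentation), the following Python checks model the Relying Party ID and Origins rules above: a Relying Party ID must be a bare domain with no scheme, path or port, and a client origin is accepted only if it exactly matches a configured https:// origin (optional port). The additional requirement that the origin's host be the Relying Party ID or a subdomain of it is the WebAuthn scoping rule, not something this page states, and all sample values are constructed.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def validate_rp_id(rp_id: str) -> bool:
    """A Relying Party ID must be a bare domain: no scheme, path, query or port."""
    if not rp_id:
        return False
    # Any of these separators means a URL component crept into the domain string.
    if any(sep in rp_id for sep in ("://", "/", "?", "#", ":")):
        return False
    # Each DNS label is non-empty and made of letters, digits and hyphens.
    return all(label and label.replace("-", "").isalnum() for label in rp_id.split("."))


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize to https://host[:port]; None if not https or if a path,
    query or fragment is present (origins are matched exactly, not by prefix)."""
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    host = parts.hostname  # urlsplit already lowercases the host
    # The default https port is dropped so "https://x:443" equals "https://x".
    if port and port != 443:
        return f"https://{host}:{port}"
    return f"https://{host}"


def origin_allowed(client_origin: str, configured_origins: List[str], rp_id: str) -> bool:
    """Accept a client origin only if it matches a configured origin and its
    host is the Relying Party ID or a subdomain of it (WebAuthn scoping rule)."""
    candidate = normalize_origin(client_origin)
    if candidate is None:
        return False
    allowed = {normalize_origin(o) for o in configured_origins} - {None}
    if candidate not in allowed:
        return False
    host = urlsplit(candidate).hostname
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    # Constructed sample configuration for a relying party "example.com".
    origins = ["https://login.example.com", "https://example.com:8443"]
    print(validate_rp_id("https://example.com"))  # False: protocol present
    print(origin_allowed("https://evil.example.net", origins, "example.com"))  # False
```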