How can we help?

FIDO2 Support with Thales STA IdP

Ellen Thoren - Versasec
Ellen Thoren - Versasec
  • Updated

Introduction

From version 6.7.2 of vSEC:CMS it is possible to manage and issue any supported FIDO2 credential and push the FIDO2 credential to Thales Safenet Trusted Access (STA) IdP.

vseccms-fido-sta.png

In this article we will describe how you can set this up for use within vSEC:CMS. For details on STA see the Thales article here.

Important
FIDO2 credentials typically use HID interface for communicating with the device. If attempting to use/manage the FIDO2 credential over an RDP connection then this will not be possible as USB forwarding of HID supported devices is not possible out of the box. Therefore, when managing such credentials with vSEC:CMS you need to do this directly on a host where the device is attached to.
Important
It is required to install the RSDM service on any client where self-service FIDO2 operations are to be allowed. The RSDM service will allow for administration operations to be performed when issuing a FIDO2 credential or setting/changing the FIDO2 PIN.
Untitled.png 

Configure STA IdP Connector

Navigate to Options - Connections and select FIDO2 (IdP) if it exist, otherwise click Add and add FIDO2 (IdP)

Click Add and enter a name for the template and select STA IdP from the Type drop-down list. 

In the Host Parameters section enter the Tenant ID applicable to your STA setup. Enter the API key and the Rest API Endpoint url and click Check Connection to ensure successful connectivity.

Select the Mapping Attribute from the drop-down list that is to be used. This is the user directory attribute that will be used when issuing a FIDO2 token. The available options are mail, sAMAccountName and userPrincipalName.

Note
The attribute userPrincipalName is the most common attribute to be used. Therefore, you should select this value in your connection dialog and use this value when logging into STA.

During issuance and depending on what attribute was selected, vSEC:CMS will check with STA to see if such an account exists. If an account does not exist then vSEC:CMS will create one. Additionally, during the issuance vSEC:CMS will send the following attributes from the user directory if a new account is being added to STA: sn and givenName.

In the Relying Party section for the Name enter the human-palatable name of the relaying party. The Id should be a valid domain string identifying the WebAuthn relying party on whose behalf a given registration or authentication ceremony is being performed. The Origin should match the endpoint the user is provided to access the signing service, as is the case in a standard WebAuthn service. The Icon URL is an optional field for the URL of the relaying party icon.

Click Save to save the settings and complete this step.

Untitled.png

Add Token Template

To perform the following actions with the Thales eToken FIDO credential, you will need to use a client that has the vSEC:CMS Admin application installed. If you do not have this application set up already, please refer to the Install Admin Application article to learn how to do so.

Note
If you are using any other credential then check that this credential is ready to be managed by referring to this article.

Navigate to Options - Smart Cards and attach an eToken FIDO2 credential and click Add. A dialog will open and click the Add button. Select the token from the reader drop-down list and click the Get button. You should see similar to below. 

Untitled.png

Click OK to save and close. You should see similar to below.

Untitled.png

Click Save to complete.

Configure Credential Template

It will be required to perform the next steps from a client that has the vSEC:CMS Admin application installed (see the article Install Admin Application on how to set this up if you don't have this setup already).

Navigate to Templates - Card Templates and click Add. Click the Edit link beside General.

Enter a template name and click the Detect button. Make sure that you have the Thales FIDO2 token attached and selected from the reader drop-down list and click Ok. You should see something similar to below. 

Untitled.png

Leave all other settings as is and click Ok.

Untitled.png

In the Issue Card section enable Assign user ID  and select the user directory that you wish to use from the drop-down list.

In the FIDO2 Options section click the Manage button. Click Add. Enter a name and select the STA connector created earlier for the IdP.

Enable Requires Resident Key if your IdP is configured to support this feature. 

You can configure how the authenticator name will be shown in the IdP (if the IdP supports this), either use default or enter a custom name in the Token Name field in the Token Display Name section.

In the FIDO2 PIN section setting of the FIDO2 PIN will be automatically set as this is required in order to be able to use the FIDO2 credential.

Click Save to complete the configuration.

Untitled.png

Enable the FIDO2 Enrollment checkbox and select the template you want to use from the drop-down list.

Leave all other settings as is and click Ok to save and close.

Untitled.png

Click the Edit link for Initiate Card and enable Update Credentials at FIDO2 IdP. This will push the public key credential for the user to STA setting the FIDO2 PIN on the credential.

Untitled.png

Click the Edit link for Revoke Card and enable Update Credentials at FIDO2 IdP. This will update the IdP when the authenticator is revoked. Additionally, enable Force FIDO2 Authenticator data deletion at IdP which will remove the authenticator at the IdP when the credential is revoked.

Untitled.png

Click Ok so save and close the configuration for the template.

Issue FIDO2 Credential

The FIDO2 credential can be issued either using the vSEC:CMS Admin or Agent applications. For either of these application refer to these articles Install Admin Application and Install Agent Application for instructions on how to set these up. 

In this guide we will use the Agent Application.

Navigate to the Life Cycle tab and with a eToken FIDO2 credential attached select the Issued oval along with the template from the available drop-down list and click Execute.

Untitled.png

This will trigger the issuance flow. You will be prompted to select a user from your directory who the token will be issued to.

vSEC:CMS will check if the selected user has an account on STA (vSEC:CMS will request STA to add an account if one does not exist), and it will then generate the FIDO2 credential and publish the public key for the user to STA. The user will be prompted to touch their credential during issuance so important to follow the on-screen prompts during this flow.

At the end of the issuance the token will be Issued. You can activate the token by selecting Active and setting a FIDO2 PIN that can then be used by the end used.

Alternatively, the end user can set the FIDO2 PIN using the vSEC:CMS User application. The vSEC:CMS User application needs to be online and connected to the backend vSEC:CMS service to perform setting a FIDO2 PIN.

Untitled.png Now the user, for example, can try to login to their STA account. 

Untitled.png

You will be prompted to add an authenticator. 

Untitled.png

Then you will be prompted to enter an access code. The access code will be sent to the email address that was retrieved from the user's user directory during the issuance.

Untitled.png

Enter the code to proceed.

Untitled.png

You will then be prompted to touch your token to authenticate and logon.

Untitled.png

From the vSEC:CMS Admin console you can see details about the managed credential from Repository - Smart Cards by selecting a credential and clicking the Details button.

Untitled.png

If you then need to revoke the credential, for whatever reason, the credential will be revoked on the IdP. For example, from the Life Cycle tab search for a user who you wish to revoke and you can then verify that the FIDO2 credential is revoked on the IdP by trying to log in with the eToken credential.