Introduction
From version 6.11.2 of vSEC:CMS it is possible to manage and issue any supported FIDO2 credential and push the FIDO2 credential to the Entra ID IdP.
In this article we describe how you can set this up for use within vSEC:CMS.
FIDO2 credentials typically communicate with the host over the HID interface. Using or managing a FIDO2 credential over an RDP connection is therefore not possible, because USB forwarding of HID devices is not available out of the box. When managing such credentials with vSEC:CMS you need to do so directly on the host where the device is attached.
The RSDM service must be installed on any client where self-service FIDO2 operations are to be allowed. The RSDM service allows the administrative operations required when issuing a FIDO2 credential or setting/changing the FIDO2 PIN to be performed.
Configure Entra ID Connector
A connection to an Entra ID user directory must already be in place. See the article here that describes how you can set this up. Additionally, as this Entra ID functionality is in public preview for now, the MS Graph URL used should be the beta endpoint, for example https://graph.microsoft.com/beta.
Navigate to Options - Connections and select FIDO2 (IdP) if it exists, otherwise click Add and add FIDO2 (IdP).
Click Add and enter a name for the template and select Entra Id IdP from the Type drop-down list.
In the Host Parameters section select the Entra ID user directory that you should have already setup.
Enable Set Challenge Timeout if you require a timeout period between issuing the credential and the end user setting the actual PIN (also referred to as PIN activation). The timeout is set in minutes, from 5 to 43200 minutes.
For example, an operator may issue the credential on behalf of a user and then ship the token to the user. You may want to ensure that the user sets the PIN within a specified period of time. If the user does not perform the PIN activation within the configured period then the activation with Entra ID will fail and the token will need to be reissued to the end user.
In the Relying Party section, for the Name enter the human-palatable name of the relying party. The Id should be a valid domain string identifying the WebAuthn relying party on whose behalf a given registration or authentication ceremony is being performed. The Origin should match the endpoint the user is given to access the signing service, as is the case in a standard WebAuthn service. The Icon URL is an optional field for the URL of the relying party icon.
Click Save to save the settings and complete this step.
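The Relying Party Id, Origin and challenge timeout above are the settings that most often get entered inconsistently. The following is an added example (not part of vSEC:CMS) that checks a connector configuration the way WebAuthn itself will later judge it: the Origin must be an https origin whose host equals the RP Id or is a subdomain of it, and the timeout must fall in the 5 to 43200 minute range. The dictionary keys mirror the dialog field names and are assumptions; the sample values are constructed.

```python
"""Sanity checks for a FIDO2 (IdP) connector configuration.

Added example, not vendor code. Keys ("Name", "Id", "Origin",
"ChallengeTimeoutMinutes") are assumptions that mirror the dialog.
"""
from urllib.parse import urlsplit

MIN_TIMEOUT_MIN = 5        # lower bound of Set Challenge Timeout
MAX_TIMEOUT_MIN = 43200    # upper bound (30 days)


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """WebAuthn rule: origin host must equal the RP ID or be a subdomain.

    Also requires an https origin (localhost allowed for development) and
    rejects anything that is not a bare origin (path, query, fragment).
    Public-suffix checking (e.g. rejecting a bare TLD) is not done here.
    """
    parts = urlsplit(origin.strip())
    host = (parts.hostname or "").lower()
    rp_id = rp_id.strip().lower()
    if not host or not rp_id:
        return False
    if parts.scheme != "https" and host != "localhost":
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def validate_connector(settings: dict) -> list[str]:
    """Return a list of configuration problems (empty list means OK)."""
    problems = []
    if not settings.get("Name", "").strip():
        problems.append("Relying Party Name is empty")
    rp_id = settings.get("Id", "")
    origin = settings.get("Origin", "")
    if any(ch in rp_id for ch in "/:"):
        problems.append("Id must be a bare domain string, not a URL")
    elif not rp_id_matches_origin(rp_id, origin):
        problems.append(f"Origin {origin!r} is not served under RP Id {rp_id!r}")
    timeout = settings.get("ChallengeTimeoutMinutes")
    if timeout is not None and not (MIN_TIMEOUT_MIN <= int(timeout) <= MAX_TIMEOUT_MIN):
        problems.append(f"Challenge timeout {timeout} is outside "
                        f"{MIN_TIMEOUT_MIN}-{MAX_TIMEOUT_MIN} minutes")
    return problems


if __name__ == "__main__":
    # Constructed sample: a subdomain origin under the RP Id, 60 minute timeout.
    print(validate_connector({"Name": "Contoso", "Id": "contoso.example",
                              "Origin": "https://sso.contoso.example",
                              "ChallengeTimeoutMinutes": 60}))
```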
Add Token Template
To perform the following actions you will need to use a client that has the vSEC:CMS Admin application installed. If you do not have this application set up already, please refer to the Install Admin Application article to learn how to do so.
If you are using any other credential, check that it is ready to be managed by referring to this article.
Navigate to Options - Smart Cards and attach a FIDO2 credential. If the attached credential is known by vSEC:CMS then you should see that it is filtered for and automatically selected. If that is the case then go to the next step.
If the credential is not automatically filtered then click Add. A dialog will open; click the Add button. Select the token from the reader drop-down list and click the Get button. You should see something similar to below.
Click OK to save and close. You should see something similar to below.
Click Save to complete.
Configure Credential Template for Central Issuance
In this section we will describe how you can configure a credential template where an operator can issue on behalf of an end user.
It will be required to perform the next steps from a client that has the vSEC:CMS Admin application installed (see the article Install Admin Application on how to set this up if you don't have this setup already).
Navigate to Templates - Card Templates and click Add. Click the Edit link beside General.
Enter a template name and click the Detect button. Make sure that you have the FIDO2 token attached and selected from the reader drop-down list and click Ok. You should see something similar to below.
Enable the Enable FIDO2 check box and leave all other settings as is and click Ok.
In the Issue Card section enable Assign user ID and select the Entra ID user directory that you wish to use from the drop-down list.
In the FIDO2 Options section click the Manage button. Click Add. Enter a name and select the Entra ID connector created earlier for the IdP.
The Discoverable Credential and Enable FIDO2 PIN will automatically be selected but will not be configurable as these settings are mandatory for Entra ID. Discoverable credentials store the Entra ID username on the credential thereby allowing the user to activate and authenticate to Entra ID without having to type in their username during the login process. Additionally, a PIN needs to be set to complete the activation of the credential with Entra ID.
Also, the Token Display Name is not supported with Entra ID, therefore it is not configurable.
Enable the Enable BIO Enrollment check box if you are managing a credential that supports this feature. Enter the Number of enrollments, which is the number of fingerprints that can be enrolled when issuing the credential. The Time for Enrollments (ms) is the time (in milliseconds) the user has to touch/swipe the sensor during enrollment.
Click Save to complete the configuration.
Leave all other settings as is and click Ok to save and close.
Click the Edit link for Initiate Card and enable Update Credentials at FIDO2 IdP. This will push the public key credential for the user to Entra ID when setting the FIDO2 PIN on the credential.
Click the Edit link for Revoke Card and enable Update Credentials at FIDO2 IdP. This will update the IdP when the authenticator is revoked. Additionally, enable Force FIDO2 Authenticator data deletion at IdP which will remove the authenticator at the IdP when the credential is revoked.
Click Ok to save and close the configuration for the template.
Issue FIDO2 Credential
The FIDO2 credential can be issued using either the vSEC:CMS Admin or Agent application. For either of these applications, refer to the articles Install Admin Application and Install Agent Application for instructions on how to set them up.
In this guide we will use the Agent Application.
Navigate to the Life Cycle tab and with a FIDO2 credential attached select the Issued oval along with the template from the available drop-down list and click Execute.
This will trigger the issuance flow. You will be prompted to select a user from your directory who the token will be issued to.
At the end of the issuance the token will be in the Issued state. You can activate the token by selecting Active and setting a FIDO2 PIN that can then be used by the end user.
Alternatively, the end user can set the FIDO2 PIN using the vSEC:CMS User application. The vSEC:CMS User application needs to be online and connected to the backend vSEC:CMS service to set a FIDO2 PIN (see below for a more detailed example of this).
Now the user can, for example, try to log in to their Entra ID account. Select the external key option.
Then enter your PIN and touch the token when prompted.
From the vSEC:CMS Admin console you can see details about the managed credential from Repository - Smart Cards by selecting a credential and clicking the Details button.
If you later need to revoke the credential, for whatever reason, it will also be revoked at the IdP. For example, from the Life Cycle tab search for the user whose credential you wish to revoke; you can then verify that the FIDO2 credential is revoked at the IdP by trying to log in with the hardware credential.
Set FIDO2 PIN via Self-Service
In dispersed environments it can be common for end users to set the FIDO2 PIN of their credentials through the self-service application. In this section we will describe how this can be done with vSEC:CMS. We will build on the already created template from the section Configure Credential Template for Central Issuance above and extend this so it can be used in self-service operations.
Setting FIDO2 PIN via Self-Service
If you issued your credentials centrally via a team of operators who issue on behalf of the end users, it may be that the credentials are sent out by post to the end user with the FIDO2 PIN not yet set. In this case the end user can set their PIN using the vSEC:CMS User application. Please refer to the article Installing the vSEC:CMS User Application for instructions on how to install the application.
Additionally, when setting the PIN from the vSEC:CMS User application the user will need to authenticate. In this article we presume that you are able to leverage the OAuth 2.0 support in Entra ID. Please refer to the article Configure OIDC Support for details on how you can configure support for OAuth.
To extend the existing template created above, navigate to the General section. Click the Manage button in the Self-service using the following template section.
Click Add and enter a template name. In the User Authentication for PIN Unblock section select the Entra ID OAuth template that you already created. Leave all other settings as below and click Save to close and save.
Enable Self-service using the following template and select the template from the drop-down list. Click Ok to save and close. Then click Ok again to complete the template changes.
Issue a credential from Agent application. At the end of the issuance the credential will be in an Issued state.
Now let's presume that the credential has been provided to the end user. The end user can open the vSEC:CMS User application, navigate to the PIN tab and select Unblock PIN (Crypto). Enter a PIN and confirm, then select Unblock to initiate the setting of the PIN.
You should be prompted to authenticate using your OAuth credential. In the background the PIN will be applied after the user has been successfully authenticated.
You should now be able to leverage the FIDO2 credential when authenticating to your Entra ID IdP.
Issuing FIDO2 Credential via Self-Service
It may be required for end users to perform self-service issuance. In this case an end user would be provided with never-used credentials in their default state. Then from the vSEC:CMS User application they can self-issue the credential and set a PIN. In this section we will describe how this can be done. We will build on the already created template from the section Self-Service Issuance and Manage Credential above and extend this so it can be used for self-service issuance operations.
Add Self-Service Issuance
To extend the existing template created in the section Self-Service Issuance and Manage Credential above, navigate to the General section. Click the Manage button in the Self-service using the following template section.
Select the template created earlier and click Edit. Enable the Self-issuance enabled check box and click Save to close and save. Close the dialog and select Cancel at the bottom of the General dialog.
Select Edit in the Issue Card section.
Enable Automatically initiate cards after issuance and Issue by User(s). Click the Configure button. In the User ID from drop-down select the Entra ID template where the user will be selected from. In the Authenticate user using drop-down select the Entra ID OAuth template that will be used to authenticate the user during credential issuance. Click Ok to save the changes and close.
Click Ok to save and close.
Click Ok to complete and close the template configuration.
Issue from vSEC:CMS User Application
On a client open the vSEC:CMS User application that is already configured to connect to the backend service. Navigate to the Credential tab and select the correct reader that the credential is connected to and click Issue.
From the Credential template select the template created earlier and click Issue.
You will be required to provide your Entra ID account and authenticate using OAuth before the issuance will commence.
Follow the on-screen prompts; at the end of the issuance you will be prompted to enter a FIDO2 PIN and confirm it to complete the issuance.
You can now use your credential to authenticate to your Entra ID services.