Managing Passkey Lifecycle with Entrust Identity as a Service (IDaaS)

Ellen Thoren - Versasec

Introduction

vSEC:CMS enables passkey lifecycle management for the Entrust Identity as a Service (IDaaS) IdP, integrating with it through the Entrust Identity REST API. Managing your passkeys from a credential management system allows you to:

  • Enforce passkey usage: Require passkeys for authentication within your Entrust Identity environment.
  • Delegate passkey management: Offload the complexities of passkey storage, synchronization, and recovery to specialized third-party providers.
  • Centralize policy enforcement: Maintain control over authentication policies and user access through Entrust Identity.
  • Improve security: Benefit from the enhanced security of passkeys while simplifying user experience.

[Figure: FIDO management overview]

FIDO2 credentials typically communicate with the host over the USB HID interface. Managing a FIDO2 credential over an RDP session is therefore not possible, because RDP does not forward HID devices out of the box. When managing such credentials with vSEC:CMS you must do so directly on the host to which the device is attached.

The RSDM service must be installed on every client where self-service FIDO2 operations are to be allowed. The RSDM service performs the administrative operations required when issuing a FIDO2 credential or setting/changing the FIDO2 PIN.

Configure IdP

Navigate to Options - Connections and select FIDO2 (IdP) if it exists; otherwise click Add and add FIDO2 (IdP).

Click Add and enter a name for the template and select Entrust Identity from the Type drop-down list. 

In the Host Parameters section enter the Hostname applicable to your setup. Enter the Admin Application ID, Shared Secret and Authentication Application ID, then click Check Connection to confirm connectivity. Treat the Shared Secret like any other API credential: it authorizes vSEC:CMS to create and modify accounts in your IdP.

Select the Mapping Attribute from the drop-down list that is to be used. This is the user directory attribute that will be used when issuing a FIDO2 token. The available options are mail, sAMAccountName and userPrincipalName.

The attribute userPrincipalName is the most common choice. Select it in the connection dialog and make sure users log in to the IdP with the same value.

During issuance vSEC:CMS checks with the IdP whether an account exists for the value of the selected attribute. If no account exists, vSEC:CMS creates one and sends the following attributes from the user directory along with it: sn and givenName.

Click Save to save the settings and complete this step.

Configure Credential Template for Central Issuance

If you plan to have operators/helpdesk persons issue credentials on behalf of users then follow the instructions in this section to configure such a template.

The next steps must be performed from a client that has the vSEC:CMS Admin application installed (see the article Install Admin Application if you have not set this up yet).

We need to create a FIDO2 passkey template to begin with. Navigate to Templates - FIDO2 - FIDO2 Passkey Templates and click Add.

Enter a template name. In the Select FIDO2 IdP drop-down field select the IdP already configured in your system. You can click Manage to double-check that you are using the correct one.

In the Display Name field either enter a static value or click the Configure button to use an already configured internal variable that maps to an attribute from the user directory. This is useful when the display name should be more precise, such as the user's actual name.

The maximum length for the display name is 64 characters. This is enforced by the IdP.

To enable seamless login, activate Force Discoverable Credential. If the IdP supports it, the credential (including the user handle) is stored on the authenticator, so the user does not have to type a username during authentication.

From Attestation, select the attestation conveyance preference. This controls how the relying party asks for the attestation statement (it does not change the format of the attestation object). It is only a preference: the authenticator and client retain some flexibility in how they respond.

  • None: The default. Use it where privacy is the main concern or synced passkeys are in play; no information about the device is returned, so the user's privacy is intact. It also spares the relying party a round trip to the authenticator vendor's certificate authority (CA).
  • Direct: The most transparent option. The relying party asks the authenticator for its attestation statement, so the relying party learns details about the device such as its make, model and other specifics.
  • Indirect: The relying party prefers to receive attestation but lets the client decide how to obtain it. The client may replace the authenticator-generated attestation statement with an anonymized one to protect the user's privacy.

From Algorithm select at least one algorithm for the credential key pair generated at registration. The order you choose is the priority order: the first selected algorithm is tried first, and if it is not supported by the IdP the next one is tried, and so on. Reorder algorithms by right-clicking an entry and selecting Up or Down.

In the Relying Party section, enter a human-palatable Name for the relying party. The RP ID must be a valid domain string identifying the WebAuthn relying party on whose behalf a registration or authentication ceremony is performed; it must equal the host of the Origin or be a registrable suffix of it (for example, RP ID example.com with origin https://idp.example.com). The Origin must match the URL (scheme, host and port) users actually use to reach the service, as in any standard WebAuthn deployment; if origin, RP ID and the IdP's own configuration do not agree, registration and authentication fail.

Click Save to save and close.
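The values entered in the Display Name, Attestation, Algorithm and Relying Party fields above are constrained by the IdP and by WebAuthn itself, and a mismatch only surfaces later as a failed issuance. The following is an added example, not Versasec or Entrust code: a small validator for those values, with the display-name limit, the RP ID/origin suffix rule and the ordered algorithm list from this section. The dataclass field names, the `validate` and `pick_algorithm` function names and the sample values are assumptions made for the example.

```python
"""Added example (not vSEC:CMS code): check FIDO2 Passkey Template values
against the rules this section describes before saving the template."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# COSE algorithm identifiers that commonly appear in WebAuthn pubKeyCredParams.
COSE_ALGS = {"ES256": -7, "EdDSA": -8, "ES384": -35, "ES512": -36, "RS256": -257}
ATTESTATION_PREFERENCES = {"none", "indirect", "direct"}


@dataclass
class PasskeyTemplate:
    """Mirrors the template dialog fields (attribute names are assumed)."""
    display_name: str
    rp_name: str
    rp_id: str
    origin: str
    attestation: str = "none"
    algorithms: list = field(default_factory=lambda: ["ES256"])
    force_discoverable: bool = False


def _is_domain_string(value: str) -> bool:
    """Loose DNS-name check: non-empty letter/digit/hyphen labels of <= 63 chars.
    It does not consult the public suffix list, so an RP ID such as 'com'
    would pass here although browsers reject it."""
    return all(
        label and len(label) <= 63
        and label.replace("-", "x").isalnum()
        and not label.startswith("-") and not label.endswith("-")
        for label in value.split(".")
    )


def validate(t: PasskeyTemplate) -> list:
    """Return the problems found; an empty list means the values are consistent."""
    problems = []
    if not 1 <= len(t.display_name) <= 64:
        problems.append("Display Name must be 1..64 characters (limit enforced by the IdP)")
    if not t.rp_name.strip():
        problems.append("Relying Party Name must not be empty")
    rp_id = t.rp_id.lower()
    rp_id_ok = _is_domain_string(rp_id)
    if not rp_id_ok:
        problems.append(f"RP ID {t.rp_id!r} is not a valid domain string")
    url = urlsplit(t.origin)
    if (url.scheme != "https" or not url.hostname
            or url.path not in ("", "/") or url.query or url.fragment):
        problems.append("Origin must be https://host[:port] with no path, query or fragment")
    elif rp_id_ok and url.hostname != rp_id and not url.hostname.endswith("." + rp_id):
        # WebAuthn: the RP ID must equal the origin's host or be a suffix of it;
        # otherwise the client rejects the ceremony before the IdP ever sees it.
        problems.append(f"RP ID {rp_id!r} is not a suffix of origin host {url.hostname!r}")
    if t.attestation not in ATTESTATION_PREFERENCES:
        problems.append(f"Attestation must be one of {sorted(ATTESTATION_PREFERENCES)}")
    unknown = [a for a in t.algorithms if a not in COSE_ALGS]
    if not t.algorithms or unknown:
        problems.append(f"Algorithm list must be non-empty and known; unknown: {unknown}")
    return problems


def pick_algorithm(t: PasskeyTemplate, supported: set) -> Optional[int]:
    """Walk the template's ordered Algorithm list and return the first COSE
    identifier the other side supports, or None if there is no overlap."""
    for name in t.algorithms:
        alg = COSE_ALGS.get(name)
        if alg in supported:
            return alg
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    good = PasskeyTemplate("Alice Example", "Contoso", "example.com", "https://idp.example.com")
    bad = PasskeyTemplate("x" * 65, "Contoso", "idp.example.com", "https://login.example.com")
    print(validate(good))                     # []
    print(validate(bad))                      # two problems
    print(pick_algorithm(good, {-257, -7}))   # -7
```

Run the validator against the exact strings you intend to type into the dialog; the most common failure in practice is an RP ID that is not a suffix of the origin host, which WebAuthn rejects regardless of how the IdP is configured.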

Navigate to Templates - Credential Templates and click Add. Click the Edit link beside General.

Enter a template name and click the Detect button. Make sure that the FIDO2 token is attached and selected in the reader drop-down list, then click Ok. The detected token details are shown in the dialog.

Tick the Enable FIDO2 check box, leave all other settings as they are and click Ok at the bottom of the dialog.

In the Issue Credential section enable Assign user ID and select the user directory you wish to use from the drop-down list.

In the FIDO2 Options section click the Manage button. Click Add and enter a name for the template.

In the FIDO2 Configuration section the following settings can be configured:

  • Perform FIDO2 Reset Before Issuance: Enable this to reset the device's FIDO2 applet to its default state before issuance. The option is only available for devices that do not require detaching and reattaching during a FIDO2 reset.
  • Always Require User Verification: Some IdPs treat user verification during authentication as optional. Enable this setting to require it. The feature is only available for devices supporting CTAP 2.1.
  • Enable BIO Enrollment: Enable this setting if the device supports FIDO2 biometric enrollment.
    • Number of Enrollments: The minimum number of fingerprints the user must enroll.
    • Enrollment Timeout (ms): The time, in milliseconds, allowed for enrolling at least one fingerprint.
  • Enable FIDO2 PIN: A FIDO2 PIN is always required. This setting is shown for information only and cannot be disabled.
  • Set Minimum PIN Length: If configured, this becomes the device's minimum PIN length, set through the FIDO2 minPinLength extension. This applies to CTAP 2.1 compatible devices.
  • Minimum PIN Length RP ID List: Only specify Relying Party (RP) IDs here if the device supports the minPinLength extension; the list must be left empty when the extension is not supported. For example, to add the RP ID trustedauth.com, double-click the label and enter the value. To delete an entry, right-click it and select Delete. To edit an RP ID, double-click the entry.
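Several of the settings above are only valid for devices with particular CTAP capabilities, and a template that enables them for a device that lacks them fails at issuance time. An authenticator advertises those capabilities in its CTAP2 authenticatorGetInfo response, and the following added example, not Versasec code, maps the settings from this list onto those fields so the template can be checked against a device class up front. The two getInfo dictionaries are constructed samples (not captured from real hardware), and the `cfg` key names and the function name are assumptions for the example; the CTAP field names (versions, extensions, options, minPINLength, alwaysUv, bioEnroll, minPinLength) are the ones defined by the CTAP 2.1 specification.

```python
"""Added example (not vSEC:CMS code): decide which FIDO2 Configuration
settings an authenticator can honour, from its CTAP2 getInfo fields."""

# Constructed getInfo responses using the CTAP member names; not real devices.
CTAP21_BIO_KEY = {
    "versions": ["FIDO_2_0", "FIDO_2_1"],
    "extensions": ["credProtect", "hmac-secret", "minPinLength"],
    "options": {"clientPin": True, "bioEnroll": False, "alwaysUv": False},
    "minPINLength": 4,
}
CTAP20_KEY = {
    "versions": ["U2F_V2", "FIDO_2_0"],
    "extensions": ["hmac-secret"],
    "options": {"clientPin": True},
}


def check_fido2_configuration(info: dict, cfg: dict) -> list:
    """Return the settings in cfg that this authenticator cannot apply.

    cfg keys (assumed names mirroring the dialog labels):
      always_require_uv, enable_bio_enrollment,
      set_minimum_pin_length, minimum_pin_length_rp_ids
    """
    problems = []
    ctap21 = "FIDO_2_1" in info.get("versions", [])
    extensions = set(info.get("extensions", []))
    options = info.get("options", {})

    # alwaysUv is a CTAP 2.1 option; its presence in getInfo (true or false)
    # means the authenticator supports toggling it.
    if cfg.get("always_require_uv") and not (ctap21 and "alwaysUv" in options):
        problems.append("Always Require User Verification: needs CTAP 2.1 with the alwaysUv option")

    # bioEnroll present means biometric enrollment is supported; a value of
    # false only means no fingerprint has been enrolled yet.
    if cfg.get("enable_bio_enrollment") and "bioEnroll" not in options:
        problems.append("Enable BIO Enrollment: authenticator has no bioEnroll support")

    has_min_pin_ext = "minPinLength" in extensions
    min_len = cfg.get("set_minimum_pin_length")
    if min_len is not None:
        if not has_min_pin_ext:
            problems.append("Set Minimum PIN Length: needs the minPinLength extension")
        elif min_len < info.get("minPINLength", 4):
            # CTAP 2.1 refuses to lower the minimum below the current value.
            problems.append(f"Set Minimum PIN Length: {min_len} is below the current minimum")

    # The RP ID list rides on the same extension and must stay empty without it.
    if cfg.get("minimum_pin_length_rp_ids") and not has_min_pin_ext:
        problems.append("Minimum PIN Length RP ID List: must be empty without the minPinLength extension")
    return problems


if __name__ == "__main__":
    template = {
        "always_require_uv": True,
        "enable_bio_enrollment": True,
        "set_minimum_pin_length": 6,
        "minimum_pin_length_rp_ids": ["trustedauth.com"],
    }
    print(check_fido2_configuration(CTAP21_BIO_KEY, template))  # []
    print(check_fido2_configuration(CTAP20_KEY, template))      # four problems
```

If you have a real device at hand, tools such as the FIDO2 CLI in python-fido2 can print its getInfo response, which you can feed to the function in place of the constructed dictionaries.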

In the Passkey(s) to Issue section enable the check boxes for the IdP(s) used in your environment that you want passkeys issued to.

Click the Edit link for Initiate Credential and enable Update Credentials at FIDO2 IdP. This will push the passkey for the user to the IdP when setting the FIDO2 PIN on the credential.

Click the Edit link for Inactivate Credential and enable Update Credentials at FIDO2 IdP. This will disable the passkey on the IdP. You might do this if a user is on leave and you want to temporarily disable their passkey.

Click the Edit link for Activate Credential and enable Update Credentials at FIDO2 IdP. This will enable the passkey on the IdP. You might do this when a user returns from leave and you need to reactivate their passkey, which you previously disabled.

Click the Edit link for Revoke Credential and enable Update Credentials at FIDO2 IdP. This updates the IdP when the authenticator is revoked. Additionally, enable Force FIDO2 Authenticator data deletion at IdP: with this option the revocation is cancelled if the FIDO2 passkey could not be removed from the IdP, so a credential is never marked revoked in vSEC:CMS while its passkey is still registered and usable at the IdP.
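The Initiate, Inactivate, Activate and Revoke steps above each push a change to the IdP, and the Revoke step is the one whose ordering matters: the local state should only become "revoked" once the IdP no longer accepts the passkey. The following added example, not Versasec or Entrust code, models that lifecycle with a hypothetical in-memory stand-in for the IdP's passkey store (it does not reproduce the Entrust Identity REST API) and shows how the Force FIDO2 Authenticator data deletion at IdP option changes the outcome when the IdP call fails. The class and function names and the credential states are assumptions for the example.

```python
"""Added example (not vSEC:CMS code): lifecycle actions synchronised to an IdP,
with revocation that fails closed when the IdP deletion does not succeed."""


class IdPError(Exception):
    """Raised by the stand-in when the IdP call fails."""


class FakeIdP:
    """Hypothetical in-memory stand-in for the IdP's passkey store."""

    def __init__(self, fail_delete: bool = False):
        self.passkeys = {}          # user -> {credential_id: enabled}
        self.fail_delete = fail_delete

    def register(self, user, cred_id):
        self.passkeys.setdefault(user, {})[cred_id] = True

    def set_enabled(self, user, cred_id, enabled):
        self.passkeys[user][cred_id] = enabled

    def delete(self, user, cred_id):
        if self.fail_delete:
            raise IdPError("IdP unreachable")
        del self.passkeys[user][cred_id]


def transition(repo, idp, user, cred_id, action, force_idp_deletion=True):
    """Apply one lifecycle action to cred_id and return its new repository state.

    repo maps credential id -> 'active' | 'inactive' | 'revoked'.
    """
    if action == "inactivate":                 # user on leave: disable at the IdP
        idp.set_enabled(user, cred_id, False)
        repo[cred_id] = "inactive"
    elif action == "activate":                 # user back: enable at the IdP again
        idp.set_enabled(user, cred_id, True)
        repo[cred_id] = "active"
    elif action == "revoke":
        try:
            idp.delete(user, cred_id)          # IdP first, local state second
        except IdPError:
            if force_idp_deletion:
                # Cancel the revocation: the passkey is still registered at the
                # IdP, so a local 'revoked' would be a false sense of security.
                return repo[cred_id]
            # Without the option the local revocation goes ahead and the passkey
            # stays usable at the IdP until someone removes it by hand.
        repo[cred_id] = "revoked"
    else:
        raise ValueError(f"unknown action {action!r}")
    return repo[cred_id]


if __name__ == "__main__":
    idp = FakeIdP()
    idp.register("alice", "cred-1")
    repo = {"cred-1": "active"}
    for step in ("inactivate", "activate", "revoke"):
        print(step, "->", transition(repo, idp, "alice", "cred-1", step))

    down = FakeIdP(fail_delete=True)
    down.register("bob", "cred-2")
    repo = {"cred-2": "active"}
    print("forced revoke while IdP down ->", transition(repo, down, "bob", "cred-2", "revoke"))
```

The point to take from the model is the order of operations inside `revoke`: the IdP deletion happens before the repository is updated, and with the force option a failure leaves the credential in its previous state so the operator sees that the revocation still needs to be completed.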

Click Ok to save and close the template configuration.

Issue Passkey Credential Centrally

The credential can be issued using either the vSEC:CMS Admin or Agent application. For instructions on setting these up, refer to the articles Install Admin Application and Install Agent Application.

In this guide we will use the Agent Application.

Navigate to the Life Cycle tab and with a credential attached select the Issued oval along with the template from the available drop-down list and click Execute.

This triggers the issuance flow. You are prompted to select the directory user to whom the token will be issued; follow the on-screen prompts closely to complete the issuance.

At the end of the issuance the token is in the Issued state. You can activate the token by selecting Active and setting a FIDO2 PIN, which the end user then uses.

Alternatively, the end user can set the FIDO2 PIN using the vSEC:CMS User application. The vSEC:CMS User application must be online and connected to the backend vSEC:CMS service to set a FIDO2 PIN.

Now the user, for example, can try to login to their IdP.

From the vSEC:CMS Admin console you can see details about the managed credential from Repository - Credentials by selecting a credential and clicking the Details button.

If you later need to revoke the credential, for whatever reason, it is revoked on the IdP as well. For example, from the Life Cycle tab search for the user whose credential you wish to revoke and revoke it; you can then verify that the passkey is gone from the IdP by attempting to log in with the hardware credential, which should now fail.