From version 6.3, vSEC:CMS can manage the life cycle of FIDO2 authenticators. The architectural diagram below shows how FIDO2 fits into vSEC:CMS.
Using vSEC:CMS you can register and manage FIDO2 credentials on behalf of a user with an IdP. When a supported FIDO2 credential is issued with vSEC:CMS, the credential (the public key) is sent to the IdP, which uses it to authenticate the user after issuance. If the supported FIDO2 credential also has a PKI application, you can use that to issue and manage certificates for other use cases with vSEC:CMS as part of the same issuance process.
This article will describe how you can:
- Configure vSEC:CMS to connect to a supported IdP;
- Configure a template to issue a supported FIDO2 credential centrally using the vSEC:CMS Admin application.
Configure IdP Connector
The first step will be to setup a connection to your IdP. Currently vSEC:CMS supports Okta and Gluu IdPs.
In this article we will show how to configure a connection with an Okta IdP and with a Gluu Server IdP. It is expected that you already have an Okta or Gluu Server set up in your environment. An additional guide on how to set up the FIDO application in Okta is provided in the article Okta FIDO2 Setup.
Setup Okta Connector
From Options - Connections click Add. Select FIDO2 (IdP) and add it to the Selected pane and click Ok. Enter a name for the template and select OKTA IdP for the Type.
In the Host Parameters section enter the Client ID applicable to your Okta setup. Browse to the location of the Private Key used when authenticating to the Okta OAuth API. This key should have been created when setting up your OAuth API in Okta. vSEC:CMS encrypts this private key internally with an AES key; the key file itself grants the API scopes assigned to the Okta application, so restrict access to the file and its backups accordingly. Enter the appropriate URLs for the Authentication URL and Api URL in the fields provided.
In the Relying Party section, for the Name enter the human-palatable name of the relying party. The Id should be a valid domain string identifying the WebAuthn relying party on whose behalf a given registration or authentication ceremony is being performed. The Origin must match the origin (scheme, host and port) of the endpoint through which the user accesses the authentication service, as in a standard WebAuthn service; a credential registered for one origin will not be accepted from another. The Icon is an optional field for the URL of the relying party icon.
When all the configurations are set, click the Check Authentication and Check API buttons to ensure connectivity and that the settings are valid.
Setup Gluu Connector
From Options - Connections click Add. Select FIDO2 (IdP) and add it to the Selected pane and click Ok. Enter a name for the template and select Gluu Server IdP for the Type.
vSEC:CMS connects to the Gluu Server's LDAP directory through an SSH tunnel. Enter the host name and port of the SSH tunnel along with the LDAP protocol. Enable SSL/TLS (if this is to be used) and enter the credential that you will use to connect to your IdP. Click the Test Connection button to ensure connectivity.
It is expected that you have already set up the SSH tunnel using PuTTY or a similar tool.
In the Relying Party section, for the Name enter the human-palatable name of the relying party. The Id should be a valid domain string identifying the WebAuthn relying party on whose behalf a given registration or authentication ceremony is being performed. The Origin must match the origin (scheme, host and port) of the endpoint through which the user accesses the authentication service, as in a standard WebAuthn service. The Icon is an optional field for the URL of the relying party icon.
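The Relying Party settings are the same for the Okta and the Gluu connector, and a mismatch between Id and Origin is the usual reason a freshly issued credential is rejected at login. The following added example (not vSEC:CMS, Okta or Gluu code) shows the consistency rules WebAuthn imposes on a Name/Id/Origin triple and how a registration response is bound to those values: the RP ID is hashed into the first 32 bytes of authenticatorData, and clientDataJSON carries the origin and challenge that the relying party checks. The RP name, RP ID, origin and challenge below are constructed sample values, and the function names are this example's own.

```python
"""Consistency checks for a WebAuthn relying-party configuration (Name, Id,
Origin) and the binding of a registration response to it.
Added example; stdlib only; all sample values are constructed."""
import base64
import hashlib
import json
from urllib.parse import urlsplit


def b64url_decode(s: str) -> bytes:
    # WebAuthn uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_rp_config(rp_name: str, rp_id: str, origin: str) -> list:
    """Return the problems found in a Relying Party (Name, Id, Origin) triple.
    An empty list means the three values are mutually consistent."""
    problems = []
    if not rp_name.strip():
        problems.append("Name must not be empty")
    if not rp_id or "/" in rp_id or ":" in rp_id:
        problems.append("Id must be a bare domain name without scheme, port or path")
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" and not (parts.scheme == "http" and host == "localhost"):
        problems.append("Origin must use https (http is only acceptable for localhost)")
    if not host:
        problems.append("Origin has no host")
    if parts.path or parts.query or parts.fragment:
        problems.append("Origin is scheme://host[:port] only, not a full URL")
    # The RP ID must equal the origin's host or be a registrable parent of it
    # ("example.com" is valid for "https://login.example.com"). Rejecting
    # public suffixes such as "com" needs the Public Suffix List; not done here.
    if host and rp_id and not (rp_id == host or host.endswith("." + rp_id)):
        problems.append("Id must equal the Origin host or be a parent domain of it")
    return problems


def rp_id_hash(rp_id: str) -> bytes:
    """rpIdHash: SHA-256 of the RP ID, the first 32 bytes of authenticatorData."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def verify_client_data(client_data_json: bytes, expected_type: str,
                       expected_origin: str, expected_challenge: bytes) -> bool:
    """Checks a relying party applies to clientDataJSON before trusting the result
    of a registration ("webauthn.create") or authentication ("webauthn.get")."""
    data = json.loads(client_data_json)
    return (data.get("type") == expected_type
            and data.get("origin") == expected_origin
            and b64url_decode(data.get("challenge", "")) == expected_challenge)


def verify_authenticator_data(auth_data: bytes, rp_id: str, require_uv: bool = False) -> bool:
    """Check that authenticatorData was produced for this RP ID and that the
    user-presence flag (the touch) is set; optionally require user verification
    (the PIN), which is what the UV flag reports."""
    if len(auth_data) < 37:          # rpIdHash (32) + flags (1) + counter (4)
        return False
    flags = auth_data[32]
    up = bool(flags & 0x01)          # bit 0: user present
    uv = bool(flags & 0x04)          # bit 2: user verified
    return auth_data[:32] == rp_id_hash(rp_id) and up and (uv or not require_uv)


# Constructed sample values (not captured from a real Okta or Gluu deployment).
RP_NAME = "Example Corp"
RP_ID = "example.com"
ORIGIN = "https://login.example.com"
CHALLENGE = bytes(range(32))

SAMPLE_CLIENT_DATA = json.dumps({
    "type": "webauthn.create",
    "challenge": b64url_encode(CHALLENGE),
    "origin": ORIGIN,
}).encode()

# Minimal authenticatorData: rpIdHash || flags (UP|UV = 0x05) || 4-byte counter.
SAMPLE_AUTH_DATA = rp_id_hash(RP_ID) + bytes([0x05]) + (1).to_bytes(4, "big")

if __name__ == "__main__":
    print("config problems:", check_rp_config(RP_NAME, RP_ID, ORIGIN))
    print("clientData ok:", verify_client_data(SAMPLE_CLIENT_DATA, "webauthn.create", ORIGIN, CHALLENGE))
    print("authData ok:", verify_authenticator_data(SAMPLE_AUTH_DATA, RP_ID, require_uv=True))
```

Running it with the sample values reports no configuration problems and both verifications succeed; changing the Origin to a different host, or the Id to a name that is not a parent of the Origin host, makes the corresponding check fail, which is the same failure a user would hit at the IdP login prompt after issuance.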
The next step will be to configure a template which will be used to manage the FIDO2 authenticator. From Templates - Card Templates click Add and select Edit for General. Attach a supported FIDO2 authenticator and click the Detect button to allow vSEC:CMS to determine that you wish to use this template for managing such an authenticator. You should see the FIDO2 support in the Card type drop-down field. Enable the Enable FIDO2 check box, leave all other settings as they are and click Ok.
Click Edit for Issue Card. Enable Assign user ID and select the user directory you wish to use for the provisioning. In the FIDO2 Options section click the Manage button and then the Add button.
Enter a name and from the IdP Connection select the connector created earlier. You can configure how the authenticator name will be shown, either use default or enter a custom name in the Token Name field. Click Save to close.
Select the template in the drop-down field and enable the checkbox FIDO2 Enrollment. Click Ok to save the settings for Issue Card.
In the Initiate Card section enable Update Credentials at FIDO2 IdP. This will write the FIDO2 credentials to the IdP when the authenticator is initiated.
In the Activate Card section enable Update Credentials at FIDO2 IdP. This will update the IdP when the authenticator is activated.
In the Inactivate Card section enable Update Credentials at FIDO2 IdP. This will update the IdP when the authenticator is inactivated.
In the Revoke Card section enable Update Credentials at FIDO2 IdP. This will update the IdP when the authenticator is revoked.
Click Ok to close and save the template configuration.
Because the Microsoft WebAuthn library is used for the FIDO2 feature in Windows environments, issuance must be performed directly on the physical PC/laptop and not on a virtual machine.
Navigate to the Lifecycle page and, with the FIDO2 authenticator attached, click the Issued oval, select the template and click Execute. Some dialogs will pop up with information that you need to acknowledge with Ok.
You will be prompted to touch or remove and reinsert the authenticator.
At the end a summary dialog will appear. The authenticator will now be issued.
Next a PIN should be set: click the Active button and set a PIN. The PIN is what the authenticator uses for user verification when the IdP requires it.
You can now use the authenticator to log into your IdP. For this example, you would log into your Okta IdP: enter your credential, and you will then be prompted to authenticate with your vSEC:CMS managed authenticator using its FIDO2 credential.