IBM Security Verify


FIDO2 PAIR Authentication in less than 12 minutes with ISVA 10.0.4

By Matthew Britt posted Tue July 26, 2022 12:27 AM

  

In this article I’m going to show you how to configure and use the new FIDO2 Platform Authenticator Inline Registration (PAIR) scenario. This scenario is a good starting point for soliciting users to register their FIDO2 enabled devices (Apple TouchID, Windows Hello etc.)

 

The following steps assume an appliance with a WebSEAL Reverse Proxy instance configured and a user added to the Registry Directory, in this case I will be using the provided Local LDAP.

 

The following URLs will be used for the remainder of these instructions; it is assumed you have them in a local hosts file that your browser will use:

 

  • ISAM LMI: https://isva.fido-demo.ibm.com
  • Web Reverse Proxy: https://www.fido-demo.ibm.com

Configuration

Advanced Access Control Configuration

To configure AAC on our Reverse Proxy instance, follow these instructions; the screenshots provided should help:

  • In the LMI, navigate to Web -> Reverse Proxy
  • Select the Web Reverse Proxy that you have already configured (in the screenshot it is named ‘default’)

  • Select Manage -> AAC and Federation Configuration -> Authentication and Context Based Access Configuration to start the AAC Configuration Wizard

  • From the Main tab, click Next



  • On the AAC Runtime tab, enter the hostname to be used by the AAC runtime (‘localhost’ in my example), then enter a password for the ‘easuser’ and click Next

  • Now we are looking at the newly added configuration tab, FIDO2 PAIR. This is where a large portion of the required config is performed for the FIDO2 PAIR Scenario.
  • Select the two checkboxes shown in the screenshot to enable the Remember Me functionality and insert the JavaScript snippet into the login template page.
  • Select the Remember Me Encryption Key Label dropdown and select WebSEAL-Test-Only. If you have another SSL Certificate in the pdsrv key database, you may also select that key label.
  • Click Finish to save your configuration and the AAC Configuration will be performed. Deploy the pending changes and we will move onto Relying Party Configuration.


If you decide to use customised template pages for the scenario we are configuring, the following snippet will need to be inserted into the login success page:

<script src="/fido2pair_login_success.js" type="text/javascript" data-fido2pair-token="%HTTPRSPHDR{fido2pair-persistent}%" data-fido2pair-username="%USERNAME%"></script>

FIDO2 Relying Party Configuration

Follow the steps below to configure the FIDO2 Relying Party which will be referenced during the scenario configuration:

 

  • In the LMI, navigate to AAC -> FIDO2 Configuration and select Add New Relying Party



  • Enter FIDO2 Demo for the Display Name and www.fido-demo.ibm.com for the Relying Party ID and click Next.

  • On the Summary tab click Save and deploy the pending changes.


Now that we have the correct configuration on the junction, and a Relying Party to use in our scenario, we will complete the configuration using the Scenario Wizard.

AAC FIDO2 PAIR Scenario Wizard

These final configuration steps will create the branching policy and configure the appropriate template pages.

  • In the LMI, navigate to AAC -> Authentication and select the Scenario tab.
  • Click Configure FIDO2 PAIR.

  • In the FIDO2 PAIR tab select the Relying Party we configured earlier and click Next

  • In the Username Password tab enter the details for your LDAP. In my case this is the local LDAP, which uses the following details:
    LDAP Host Name: localhost
    LDAP Port: 389
    LDAP Bind DN: cn=root,secAuthority=Default
    LDAP Bind Password: Enter the password you chose when configuring the Runtime Component

  • Now click Save and deploy the pending changes.

We are now ready to invoke the FIDO2 PAIR policy and see how the solicited registration of a FIDO2 platform authenticator works!

Runtime

FIDO2 Solicited Attestation

With all the configuration out of the way, we can now get to the fun part: registering and authenticating with our FIDO2 enabled device!
The first step is to navigate to https://www.fido-demo.ibm.com/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:fido2pair from a FIDO2/WebAuthn enabled device and browser (I am using Google Chrome on a MacBook Pro with TouchID).
If this is the first time using the policy in this browser, you will be greeted by the following page, where you can simply enter the username and password for your testing user. I am using the user testuser with the password passw0rd, so after entering those credentials I click Login.

Now that we’ve authenticated as testuser, we are asked whether we want to register our device for faster signing in. Clicking Yes will begin the FIDO2 Attestation ceremony.


Clicking Let’s Go will start the attestation, indicated by a modal prompt being shown asking for TouchID confirmation.


After scanning my fingerprint through TouchID the FIDO2 attestation is complete and I can click Done to finish the policy.




A successful login page is displayed and FIDO2 registration is all done!




Authentication

Now that we have a FIDO2 registration, it’s time to use it to authenticate with. Because we just completed a login process, we first need to navigate to the logout endpoint at https://www.fido-demo.ibm.com/pkmslogout.

 

This will end our current session so that we can be prompted again for authentication.

 

Because the FIDO2 PAIR scenario is built for both registration and authentication, we simply navigate to the policy again: https://www.fido-demo.ibm.com/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:fido2pair

 

You will notice that the first page presented is very different from the username and password prompt that was shown the first time we invoked the policy.

 

ISVA has detected the presence of a FIDO2 enabled device and browser, as well as a FIDO2 credential for this domain. Not only this, but thanks to the Remember-Me functionality we enabled during configuration, ISVA can keep track of which user has their FIDO2 credential ready to use.

I have only registered using a single user, testuser, so ISVA offers to let me authenticate using FIDO2 and has pre-selected the detected user.

 

Simply clicking Sign In will start the assertion ceremony.

A FIDO2 prompt is shown by the browser; scanning our fingerprint completes the assertion, and we are very quickly and conveniently shown the login success page.



That’s all there is to it! Hopefully this article has been helpful in gaining familiarity with FIDO2 in general, and specifically some of the best practices to use in your ISVA protected applications.
