Hi all,
we are finally working on FIDO2 and finishing our first implementation.
We have nearly everything working as we wish, except for one small detail: we are unable to modify the user's authentication level after a successful FIDO2 authentication.
To do that, we implemented a FIDO2 mapping rule (called a mediator), and in the "assertion_result" context type we tried modifying the authentication level:
- directly in the stsuu (this won't work; the stsuu is read-only, as specified in the documentation)
- by using the credentialData Hashmap
We are unable to modify the authentication level.
We think it's because we call the FIDO2 endpoints directly from the browser, instead of calling the FIDO2 authentication policy.
Can someone confirm that we have to call the FIDO2 API via the authentication policy to be able to modify the user's authentication level?
Or is there another way to do it when calling the FIDO2 endpoints directly?
Thanks a lot for any feedback on this last issue we have before being able to validate the whole solution end to end.
------------------------------
André Leruitte
------------------------------