IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

Passkey Related Origins

By KERRY GUNN posted 24 days ago

  

This article describes how to configure IBM Verify Identity Access (IVIA) to enable passkey related origin support.

IVIA passkey support in its default configuration allows an authenticator to be registered to a relying party with a single origin. This origin is a valid domain string such as "www.test.ibm.com". The registration is only valid for authenticating to that relying party using the expected origin.

Related origins allow the registered passkey to be used for authenticating to the relying party on more than one origin.

The configuration has been tested using IVIA 11.0.1.0.

Note: The steps documented here assume a clean install of IVIA with:

  • IBM Verify Identity Access Base Appliance activated.
  • IBM Verify Identity Access Advanced Access Control activated.
  • The Runtime Component configured.
  • A reverse proxy instance created with the name “default”.
  • An ISVA user exists with the name “testuser”.

Procedure

  1. Run the Authentication and Context Based Access Configuration wizard on the default reverse proxy instance.
    • In the LMI open the reverse proxy page:    Web —> Manage —> Reverse Proxy
    • Select the default instance in the list.
    • Start the wizard: Manage --> AAC and Federation Configuration --> Authentication and Context Based Access Configuration
    • Step through the wizard. The only required change is to enter the easuser password.
    • Click Finish to run the configuration.
    • Deploy the changes and restart the default reverse proxy instance.
  2. Create a new Passkey relying party.
    • In the LMI open the FIDO2 Configuration page: AAC --> Manage --> FIDO2 Configuration
    • Click Add a New Relying Party.
    • Enter the Display name. For example "mytest".
    • Enter the Relying Party ID. This is the domain that is the primary origin used for authentication. This is the hostname used to access the reverse proxy instance. For example "www.myhost.ibm.com".
    • Click the Advanced Configuration radio button.
    • Step through the wizard to get to the Mediator and Origins tab.
    • Click the Add Origin button.
    • Add one or more new related origins. 
    • Continue stepping through the wizard. Click Save to create the new relying party. 
    • Deploy the changes.
  3. Create a new .wellknown endpoint on the default reverse proxy. This is used by the browser to determine if the origin is supported by the passkey. For our purpose here this will be a hardcoded response generated using a LUA script.
    • In the LMI open the HTTP Transformation page: Web --> Global Settings --> HTTP Transformation
    • Click New.
    • Enter the resource name as wellknown
    • Click the LUA radio button.
    • Click OK.
    • Select wellknown.lua from the list and click Edit.
    • Replace the content with the following (replace the origins list with the values of your related origins):

function return_error()
        HTTPResponse.setStatusCode(404)
        HTTPResponse.setStatusMsg("NOT FOUND")
        HTTPResponse.setHeader("Content-Type", "text/plain")    
    HTTPResponse.setBody("404 Not Found!")
    Control.responseGenerated(true)
end

if HTTPRequest.getURL() ==  "/.well-known/webauthn" then
    host = HTTPRequest.getHeader("host")
    HTTPResponse.setStatusCode(200)
    HTTPResponse.setStatusMsg("OK")
    HTTPResponse.setHeader("Content-Type", "application/json")  
    HTTPResponse.setBody([[{
        "origins": ["https://www.test.ibm.com"]
    }]])
    Control.responseGenerated(true)
else
    return_error()
end

    • Click OK to save.
    • Deploy the changes
    • Activate the LUA for the required endpoint by updating the reverse proxy configuration file.
    • In the LMI open the reverse proxy page: Web --> Manage --> Reverse Proxy
    • Select the default instance in the list.
    • Open the configuration file editor: Manage --> Configuration --> Edit Configuration File
    • Find the stanza [http-transformations]
    • At the bottom of the stanza add 

wellknown = wellknown.lua

    • Add a new stanza to enable the LUA transformation for the required endpoint.

[http-transformations:wellknown]
request-match = request:GET /.well-known/webauthn *

    • Click Save and Deploy the changes.
    • Restart the default reverse proxy instance.

The configuration is now complete.

For a simple test of the new configuration.

  1. Access the device selection page: https://<reverse_proxy_host>/mga/sps/mga/user/mgmt/html/device/device_selection.html
  2. Under Passkey Registrations click Register New Authenticator.
  3. Follow the wizard to register a new passkey.
  4. Use the Test button to try it out using the default origin.
  5. In the LMI open the Authentication Policies page: AAC --> Policy --> Authentication
  6. Click the + button to create a new authentication policy.
    • Name: testpasskey
    • Identifier: testpasskey
    • Step: FIDO2 WebAuthn Authenticator with the following properties:
      • relyingPartyConfigId --> Your relying party.
      • username --> testuser.
  7. Click Save and deploy the changes.
  8. Test it using default origin: https://<reverse_proxy_host>/mga/sps/authsvc/policy/testpasskey
  9. Test it using the related origin added to the relying party: https://<related_origin>/mga/sps/authsvc/policy/testpasskey
    • For the purpose of this test only, make sure to add a hosts file entry on your test machine to point the related origin at the default reverse proxy hostname/IP.
  10. Both tests should pass. Note that if you did not have a related origin entry for your host, it would fail.
0 comments
8 views

Permalink

https://community.ibm.com/community/user/blogs/kerry-gunn1/2025/06/19/passkey-related-origins