How to Setup WebAuthn Authentication in OpenAM
WebAuthn is a W3C and FIDO standard for public key authentication on the Web. The client authenticates with a hardware token (USB, Bluetooth or NFC) or with mobile biometrics such as a fingerprint or FaceID. WebAuthn is much harder to compromise than, for example, password authentication: the private key is generated inside the authenticator and never leaves it, so third-party software never gains access to it, and each credential is bound to the relying party's origin, so a credential registered for one site cannot be used to sign in to a look-alike site.
WebAuthn browser support:
- Google Chrome.
- Mozilla Firefox.
- Microsoft Edge.
- Apple Safari.
- Opera.
More info about WebAuthn browser support: https://caniuse.com/#search=webauthn
The latest W3C WebAuthn Standard: https://w3c.github.io/webauthn/
WebAuthn works only on the localhost hostname or over an HTTPS (TLS) connection, because browsers expose the API only in secure contexts.
For local development and testing, you can use a U2F emulator:
- For Linux: U2F emulator written in Rust https://github.com/danstiner/rust-u2f
- For Mac: U2F Emulator by GitHub https://github.com/github/SoftU2F
WebAuthn works in the classic UI (enabled with the XUI.enable=false system property).
In this example, the OpenAM realm /users is configured to be protected by WebAuthn authentication.
In the OpenAM console, navigate to the /users realm and create a new WebAuthn Registration authentication module:

Set up the required settings:

| Setting | Description |
|---|---|
| Attestation Type | Attestation conveyance preference: whether the server requires an attestation statement from the authenticator. Possible values follow the W3C AttestationConveyancePreference enumeration (none, indirect, direct). |
| Authenticator Type | Authenticator attachment: whether the authenticator must be platform-bound, such as TouchID, or removable (cross-platform), such as a USB token. Possible values follow the W3C AuthenticatorAttachment enumeration (platform, cross-platform). |
| Auth Level | Authentication level assigned to the session when this module succeeds |
| Timeout | WebAuthn registration timeout in milliseconds |
| User attribute to store Public Keys | User identity attribute in which the registered credential data (public key) is stored |
Create a new authentication chain named webauthn-registration that contains the WebAuthn Registration module:

Test the registration chain and register a public key for the user account. Open the URL https://openam.example.com:8443/openam/UI/Login?org=/users&service=webauthn-registration in a browser (change the host and port to yours).
Enter the user name and click the Log In button.

Insert the USB token if you have not done so already and confirm the prompt on the token. Registration is successful.
In the OpenAM console, navigate to the /users realm and create a new WebAuthn Authentication module:

Set up the required settings:

| Setting | Description |
|---|---|
| Auth Level | Authentication level assigned to the session when this module succeeds |
| Timeout | WebAuthn authentication timeout in milliseconds |
| User attribute to retrieve Public Keys | User identity attribute from which the registered credential data (public key) is read; it must match the attribute used by the registration module |
Create a new authentication chain named webauthn-authentication that contains the WebAuthn Authentication module:

Test the authentication chain and log in with the public key registered for the user account. Open the URL https://openam.example.com:8443/openam/UI/Login?org=/users&service=webauthn-authentication in a browser (change the host and port to yours).

Enter the user name and click the Log In button.

Insert the USB token if you have not done so already and confirm the prompt on the token. Authentication is successful.

