en:shibidp:plugin-fudiscr [2022/05/31 09:05] – [WebAuthn (experimental)] abalke@fu-berlin.de | en:shibidp:plugin-fudiscr [2023/01/27 11:39] – [WebAuthn] hofmann@fu-berlin.de |
* mOTP Token | * mOTP Token |
* Paper Token (PPR) | * Paper Token (PPR) |
* Questionnaire Token _Limitation: If only one answer is requested per directive._ | * Questionnaire Token (Limitation: //If only one answer is requested per directive.//) |
* SMS Token | * SMS Token |
* TAN Token | * TAN Token |
* TOTP | * TOTP |
* WebAuthn (from version 1.1.1) | * WebAuthn (from version 1.2.0) |
| |
Support of //Push Token// is currently in development. | Support of //Push Token// is currently in development. |
</file> | </file> |
| |
This means the result of the MFA authentication cannot be reused. Inside a multi-factor authentication, however, the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// cannot. | This means the result of the MFA authentication cannot be reused. Inside a multi-factor authentication, however, the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// cannot. |
| |
<alert type="warning">It is recommended to set ''idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE'' so that the logic in ''./conf/authn/mfa-authn-config.xml'' is run on every authentication request. If the MFA result is reused, for instance during a valid SSO session, the checks configured there (e.g. whether a user has a certain affiliation) are not evaluated at all.</alert> | <alert type="warning">It is recommended to set ''idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE'' so that the logic in ''./conf/authn/mfa-authn-config.xml'' is run on every authentication request. If the MFA result is reused, for instance during a valid SSO session, the checks configured there (e.g. whether a user has a certain affiliation) are not evaluated at all.</alert> |
This document might be of help [[https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/doc/ChallengeResponseFlow.pdf|ChallengeResponseFlow.pdf]]. | This document might be of help [[https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/doc/ChallengeResponseFlow.pdf|ChallengeResponseFlow.pdf]]. |
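The following ''mfa-authn-config.xml'' fragment is an added example (not part of this page or of the plugin's own distribution) of the kind of per-request logic the warning above refers to: the password flow runs first, then a scripted transition resolves the user's attributes and only sends users with a certain affiliation on to fudiscr. The flow id ''authn/fudiscr'', the bean id ''checkAffiliationForFudiscr'', the attribute ''eduPersonAffiliation'' and the value ''staff'' are assumptions chosen for the example; the scripted-function pattern (''shibboleth.ContextFunctions.Scripted'', ''resolveAttributes(custom)'') is the one documented for Shibboleth IdP 4.

```xml
<!-- Added example for conf/authn/mfa-authn-config.xml (IdP 4 style, Spring XML with the
     util: and p: namespaces declared as in the stock file). Flow id authn/fudiscr, the bean id,
     the attribute id and the value "staff" are assumptions, not taken from the plugin docs. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First factor: username/password. Its own result stays reusable during an SSO session,
         so the user is not asked for the password again. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After the password flow, decide per request whether fudiscr has to run.
         With idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE this runs every time;
         with reuse enabled it is skipped for as long as the SSO session is valid. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkAffiliationForFudiscr" />
    </entry>
    <!-- An implicit final transition completes the MFA flow once fudiscr has finished. -->
</util:map>

<bean id="checkAffiliationForFudiscr" parent="shibboleth.ContextFunctions.Scripted"
        factory-method="inlineScript" p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value>
        <![CDATA[
        // Default: no second factor.
        nextFlow = null;

        // Resolve the user's attributes into a temporary AttributeResolutionContext
        // (custom is the AttributeResolverService passed in via p:customObject-ref).
        var resCtx = input.getSubcontext(
            "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
        var usernameLookupStrategyClass = Java.type(
            "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
        var usernameLookupStrategy = new usernameLookupStrategyClass();
        resCtx.setPrincipal(usernameLookupStrategy.apply(input));
        resCtx.resolveAttributes(custom);
        var affiliation = resCtx.getResolvedIdPAttributes().get("eduPersonAffiliation");
        input.removeSubcontext(resCtx);

        // Constructed policy: only "staff" users (assumed attribute id and value) must use fudiscr.
        var valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
        if (affiliation != null && affiliation.getValues().contains(new valueType("staff"))) {
            nextFlow = "authn/fudiscr";
        }
        nextFlow;
        ]]>
        </value>
    </constructor-arg>
</bean>
```

The property itself lives in ''conf/authn/authn.properties'' on IdP 4.1 and later (''idp.properties'' on older 4.0 installations): ''idp.authn.MFA.reuseCondition = shibboleth.Conditions.FALSE''. Without it, a user whose affiliation changes mid-session, or who was never asked for the second factor because the first request did not require one, keeps the reused MFA result until the session expires.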
| |
===== WebAuthn (experimental) ===== | ===== WebAuthn ===== |
Starting from version 1.1.1 WebAuthn token can be used. | Starting from version 1.2.0 WebAuthn token can be used. |
| |
Version 1.1.1 is considered 'experimental' for now and is not installed during regular updates. | |
| |
If you want to update the plugin to this version, please run: | |
| |
<code> | |
%{idp.home}/bin/plugin.sh -u de.zedat.fudis.shibboleth.idp.plugin.authn.fudiscr -fu 1.1.1 | |
</code> | |
| |
A fresh installation of this version can be done by: | |
<code> | |
%{idp.home}/bin/plugin.sh -i https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/1.1.1/fudis-shibboleth-idp-plugin-authn-fudiscr-1.1.1.tar.gz | |
</code> | |
| |
<alert type="warning"> | <alert type="warning"> |
//rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical. | //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical. |
| |
If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'', | If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=none'', ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'', |
you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well. | you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well. |
</alert> | </alert> |
No preliminary filtering is done to check whether the domain of the Identity Provider is compatible with the //rpId// of the WebAuthn token. Such a token is still offered to the user and only fails in the browser when the assertion is requested. | No preliminary filtering is done to check whether the domain of the Identity Provider is compatible with the //rpId// of the WebAuthn token. Such a token is still offered to the user and only fails in the browser when the assertion is requested. |
| |
Compared to the previous version, the Velocity templates ''main.vm'' and ''insert-response.vm'' in ''%{idp.home}/views/fudiscr/'' have changed. | ===== Release Notes ===== |
In ''main.vm'' the form only received the additional attribute ''id="fudiscr-form"''; ''insert-response.vm'' changed extensively. | * 1.0.0 |
 | * plugin release |
| * 1.1.0 |
| * privacyIDEA version 3.7 is also supported |
| * in case of invalid/empty input the message ''FudiscrNoResponse'' is written to the ''AuthenticationErrorContext'' |
| * in case of incorrect validation of a response (e.g. OTP) the message ''FudiscrInvalidResponse'' is written to the ''AuthenticationErrorContext'' |
| * ''login-error.vm'' is included by ''insert-response.vm'' |
| * ''fudiscr.UserHasAnyTokenPredicate'': Predicate tests if a user owns any token, no matter in which state. |
| * 1.2.0 |
| * WebAuthn is supported |
| * ''main.vm'' and ''insert-response.vm'' were changed |
 | * Important bugfix: due to a missing ''@NameParameter'' annotation in ''ChallengeResponseTokenIdPrincipal'', no serializer could be assigned to it. This affected all principal serializers: different serializers were chosen at random. |
| |
===== Further resources ===== | ===== Further resources ===== |