Differences

This shows you the differences between two versions of the page.

en:shibidp:plugin-fudiscr [2022/06/20 10:00] – [WebAuthn (experimental)] hofmann@fu-berlin.de
en:shibidp:plugin-fudiscr [2023/01/27 11:39] – [WebAuthn] hofmann@fu-berlin.de
Line 433: Line 433:
 //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical. //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical.
  
-If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'',+If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=none'', ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'',
 you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well. you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well.
 </alert> </alert>
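Review bot: The changed sentence in this alert now names three values of ''fudiscr.user_token_selection'' (''none'', ''multipleToken'', ''multipleTokenTypeGroup'') that require ''fudiscr.privacyidea.single_trigger_challenges=false'', but it still does not say what an operator will observe if that setting is left unchanged. Consider adding one sentence on the resulting behaviour for a user with multiple active WebAuthn tokens, so that a misconfiguration can be recognised from its symptom rather than only from the properties file. With the list growing, it may also read more clearly to state the values for which the extra setting is not needed.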
Line 439: Line 439:
 In general it applies that the domain of the Identity Provider has to either be identical to the //rpId// from WebAuthn or a subdomain of it. In general it applies that the domain of the Identity Provider has to either be identical to the //rpId// from WebAuthn or a subdomain of it.
 There is no preliminary filtering done in order to check if the domain of the Identity Provider is compatible to the //rpId// of the WebAuthn token. There is no preliminary filtering done in order to check if the domain of the Identity Provider is compatible to the //rpId// of the WebAuthn token.
 +
 +===== Release Notes ====
 +   * 1.0.0
 +      *plugin release
 +   * 1.1.0
 +      * privacyIDEA version 3.7 is also supported
 +      * in case of invalid/empty input the message ''FudiscrNoResponse'' is written to the ''AuthenticationErrorContext''
 +      * in case of incorrect validation of a response (e.g. OTP) the message ''FudiscrInvalidResponse'' is written to the ''AuthenticationErrorContext''
 +      * ''login-error.vm'' is included by ''insert-response.vm''
 +      * ''fudiscr.UserHasAnyTokenPredicate'': Predicate tests if a user owns any token, no matter in which state.
 +   * 1.2.0
 +      * WebAuthn is supported
 +      * ''main.vm'' and ''insert-response.vm'' were changed
 +      * Important bugfix: Due to missing ''@NameParameter'' annotation in ''ChallengeResponseTokenIdPrincipal'' a serializer could not be assigned. This had an effect on all principal serializers. Randomly different serializers were used.
 +
 ===== Further resources ==== ===== Further resources ====
   * Documents from the [[de:aai:events:ws2022|Shibboleth Workshops February 2022]] (in German)   * Documents from the [[de:aai:events:ws2022|Shibboleth Workshops February 2022]] (in German)
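Review bot: The 1.2.0 "Important bugfix" entry says the missing ''@NameParameter'' annotation in ''ChallengeResponseTokenIdPrincipal'' affected all principal serializers, but it does not say which releases carried the defect or whether anything needs to be done after upgrading. Since the entry describes serializers being chosen at random, please state the affected versions (1.0.0, 1.1.0 or both) and whether previously serialized principals remain usable. The entries also carry no release dates, which makes it hard to relate them to the revision dates of this page. Minor: ''*plugin release'' under 1.0.0 lacks the space after the asterisk that the other list items have.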
  • Last modified: 9 months ago