Differences

This shows you the differences between two versions of the page.

--- en:shibidp:plugin-fudiscr [2022/05/31 08:36] – created jhoffman@fu-berlin.de
+++ en:shibidp:plugin-fudiscr [2023/09/14 19:57] (current) – [Release Notes] hofmann@fu-berlin.de
@@ Line 29: / Line 29: @@
   * mOTP Token
   * Paper Token (PPR)
-  * Questionnaire Token _Limitation: If only one answer is requested per directive._
+  * Questionnaire Token (Limitation: //If only one answer is requested per directive.//)
   * SMS Token
   * TAN Token
   * TOTP
-  * WebAuthn (from version 1.1.1)
+  * WebAuthn (from version 1.2.0)
 Support of //Push Token// is currently in development.
@@ Line 166: / Line 166: @@
 %{idp.home}/bin/module.sh -e idp.authn.MFA
 </code>
 In ''%{idp.home}/conf/authn/authn.properties'' the following settings should be done:
@@ Line 278: / Line 279: @@
 **Example 3**: After authentication with username and password we request a token based authentication using fudiscr if the AuthenticationContextClass required by the service provider is not sufficient or if the user belongs to the group 'employee' according to eduPersonAffiliation.
 <file xml ./conf/authn/mfa-authn-config.xml>
 <?xml version="1.0" encoding="UTF-8"?>
@@ Line 347: / Line 349: @@
 <alert type="warning">version >=1.1.0</alert>
 After authentication with username and password we request a token based authentication using fudiscr if the AuthenticationContextClass required by the service provider is not sufficient
-or if the user owns at least one token. The state of the tokens is not checked here, so a deactivated token would result in 'fudiscr.UserHasAnyTokenPredicate'' returning ''true''. This predicate
+or if the user owns at least one token. The state of the tokens is not checked here, so a deactivated token would result in ''fudiscr.UserHasAnyTokenPredicate'' returning ''true''. This predicate
 was introduced primarily for rollout scenarios.
 <file xml ./conf/authn/mfa-authn-config.xml>
 <?xml version="1.0" encoding="UTF-8"?>
@@ Line 407: / Line 410: @@
 Using the following configuration you can achieve that username and password is requested only once inside a SSO session, but token based authentication is requested once on every service provider authentication.
 <file properties ./conf/authn/authn.properties>
 idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE
@@ Line 412: / Line 416: @@
 idp.authn.fudiscr.reuseCondition=shibboleth.Conditions.FALSE
 </file>
-Which means the result of the MFA authentication can not be reused. But inside of a multi factor authentication the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// can not.
+This means the result of the MFA authentication can not be reused. Inside of a multi factor authentication the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// can not.
 <alert type="warning">It is recommended to set ''idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE'' in case on every authentication request the logic in ''./conf/authn/mfa-authn-config.xml'' is gone through. In the reuse case for instance during a valid SSO session, it is not checked whether a user has a certain affiliation.</alert>
-==== Weitere Konfigurationsoptionen ====
+==== Further Configuration ====
-You can find furhter configuration options in ''%{idp.home}/conf/authn/fudiscr.properties''.
+You can find further configuration options in ''%{idp.home}/conf/authn/fudiscr.properties''.
 This document might be of help [[https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/doc/ChallengeResponseFlow.pdf|ChallengeResponseFlow.pdf]].
-===== WebAuthn (experimental) =====
+===== WebAuthn =====
-Starting from version 1.1.1 WebAuthn token can be used.
+Starting from version 1.2.0 WebAuthn token can be used.
-Version 1.1.1 is considered 'experimental' for now and is not installed during regular updates.
-If you want to update the plugin to this version, please run:
-<code>
-%{idp.home}/bin/plugin.sh -u de.zedat.fudis.shibboleth.idp.plugin.authn.fudiscr -fu 1.1.1
-</code>
-A fresh installation of this version can be done by:
-<code>
-%{idp.home}/bin/plugin.sh -i https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/1.1.1/fudis-shibboleth-idp-plugin-authn-fudiscr-1.1.1.tar.gz
-</code>
+<alert type="warning">
 The fudiscr plugin offers some options which permit multiple selection of tokens. If multiple tokens are selected during login it is assumed that the parameters
 //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical.
+If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=none'', ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'',
+you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well.
+</alert>
 In general it applies that the domain of the Identity Provider has to either be identical to the //rpId// from WebAuthn or a subdomain of it.
 There is no preliminary filtering done in order to check if the domain of the Identity Provider is compatible to the //rpId// of the WebAuthn token.
-There are changes to previous version in the veocity templates ''main.vm'' and ''insert-response.vm'' in ''%{idp.home}/views/fudiscr/''.
-In ''main.vm'' the form only got the additional attribute 'id="fudiscr-form"''. In ''insert-response.vm'' there are extensive changes.
 ===== Further resources ====
-  * Documents from the [[de:aai:events:ws2022|Shibboleth Workshops February 2022]]
+  * Documents from the [[de:aai:events:ws2022|Shibboleth Workshops February 2022]] (in German)
 {{tag>2FA MFA two-factor-authentication multi-factor-authentication}}

2fa mfa two-factor-authentication multi-factor-authentication