Differences

This shows you the differences between two versions of the page.

en:shibidp:plugin-fudiscr [2022/05/31 08:42] jhoffman@fu-berlin.de
en:shibidp:plugin-fudiscr [2023/09/14 19:57] (current) – [Release Notes] hofmann@fu-berlin.de
Line 29: Line 29:
   * mOTP Token   * mOTP Token
   * Paper Token (PPR)   * Paper Token (PPR)
-  * Questionnaire Token _Limitation: If only one answer is requested per directive._+  * Questionnaire Token (Limitation//If only one answer is requested per directive.//)
   * SMS Token   * SMS Token
   * TAN Token   * TAN Token
   * TOTP   * TOTP
-  * WebAuthn (from version 1.1.1)+  * WebAuthn (from version 1.2.0)
  
 Support of //Push Token// is currently in development. Support of //Push Token// is currently in development.
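Review bot: the reworded Questionnaire Token limitation runs the word "Limitation" straight into the italic text, since "(Limitation//If only one answer is requested per directive.//)" has no separator before the ''//'' markup; a colon and a space, as in "(Limitation: //If only one answer is requested per directive.//)", keeps the rendered list entry readable. The change of the WebAuthn entry from "(from version 1.1.1)" to "(from version 1.2.0)" is consistent with the WebAuthn section further down, which drops the "experimental" label in the same revision.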
Line 417: Line 417:
 </file> </file>
  
-Which means the result of the MFA authentication can not be reused. But inside of a multi factor authentication the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// can not.+This means the result of the MFA authentication can not be reused. Inside of a multi factor authentication the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// can not.
  
 <alert type="warning">It is recommended to set ''idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE'' in case on every authentication request the logic in ''./conf/authn/mfa-authn-config.xml'' is gone through. In the reuse case for instance during a valid SSO session, it is not checked whether a user has a certain affiliation.</alert> <alert type="warning">It is recommended to set ''idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE'' in case on every authentication request the logic in ''./conf/authn/mfa-authn-config.xml'' is gone through. In the reuse case for instance during a valid SSO session, it is not checked whether a user has a certain affiliation.</alert>
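Review bot: the rewritten sentence "This means the result of the MFA authentication can not be reused" now rests entirely on the ''<file>'' block above it, of which only the closing tag is in view; naming the setting the conclusion is drawn from (''idp.authn.MFA.reuseCondition'', as the warning below does) would let the paragraph stand on its own. Minor: "can not" should be "cannot" in both places.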
Line 426: Line 426:
 This document might be of help [[https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/doc/ChallengeResponseFlow.pdf|ChallengeResponseFlow.pdf]]. This document might be of help [[https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/doc/ChallengeResponseFlow.pdf|ChallengeResponseFlow.pdf]].
  
-===== WebAuthn (experimental) ===== +===== WebAuthn ===== 
-Starting from version 1.1.WebAuthn token can be used. +Starting from version 1.2.WebAuthn token can be used.
- +
-Version 1.1.1 is considered 'experimental' for now and is not installed during regular updates. +
- +
-If you want to update the plugin to this version, please run: +
- +
-<code> +
-%{idp.home}/bin/plugin.sh -u de.zedat.fudis.shibboleth.idp.plugin.authn.fudiscr -fu 1.1.1 +
-</code> +
- +
-A fresh installation of this version can be done by: +
-<code> +
-%{idp.home}/bin/plugin.sh -i https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/1.1.1/fudis-shibboleth-idp-plugin-authn-fudiscr-1.1.1.tar.gz +
-</code>+
  
 +<alert type="warning">
 The fudiscr plugin offers some options which permit multiple selection of tokens. If multiple tokens are selected during login it is assumed that the parameters  The fudiscr plugin offers some options which permit multiple selection of tokens. If multiple tokens are selected during login it is assumed that the parameters 
 //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical. //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical.
 +
 +If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=none'', ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'',
 +you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well.
 +</alert>
  
 In general it applies that the domain of the Identity Provider has to either be identical to the //rpId// from WebAuthn or a subdomain of it. In general it applies that the domain of the Identity Provider has to either be identical to the //rpId// from WebAuthn or a subdomain of it.
 There is no preliminary filtering done in order to check if the domain of the Identity Provider is compatible to the //rpId// of the WebAuthn token. There is no preliminary filtering done in order to check if the domain of the Identity Provider is compatible to the //rpId// of the WebAuthn token.
- 
-There are changes to previous version in the veocity templates ''main.vm'' and ''insert-response.vm'' in ''%{idp.home}/views/fudiscr/''. 
-In ''main.vm'' the form only got the additional attribute 'id="fudiscr-form"''. In ''insert-response.vm'' there are extensive changes. 
  
  
 ===== Further resources ==== ===== Further resources ====
-  * Documents from the [[de:aai:events:ws2022|Shibboleth Workshops February 2022]]  +  * Documents from the [[de:aai:events:ws2022|Shibboleth Workshops February 2022]] (in German)
  
 {{tag>2FA MFA two-factor-authentication multi-factor-authentication}} {{tag>2FA MFA two-factor-authentication multi-factor-authentication}}
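Review bot: the new section opener "Starting from version 1.2.WebAuthn token can be used." is missing the space after the version and carries over the truncated version number of the old line; "Starting from version 1.2.0, WebAuthn tokens can be used." would match the "(from version 1.2.0)" wording in the token list above. Dropping the paragraph on the changed velocity templates (''main.vm'' gaining ''id="fudiscr-form"'', extensive changes in ''insert-response.vm'') together with the experimental install commands also removes the only upgrade hint for operators who customized ''%{idp.home}/views/fudiscr/''; consider keeping a short note that those templates changed, or pointing to where that information now lives. The added warning states that ''fudiscr.user_token_selection=none'', ''multipleToken'' or ''multipleTokenTypeGroup'' with several active WebAuthn tokens requires ''fudiscr.privacyidea.single_trigger_challenges=false'', but not what an operator sees when the combination is wrong; one sentence on the observable failure would make the warning actionable.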