Differences

Previous revision: en:shibidp:plugin-fudiscr [2022/05/31 09:05] – [WebAuthn (experimental)] abalke@fu-berlin.de
Current revision: en:shibidp:plugin-fudiscr [2023/09/14 19:57] (current) – [Release Notes] hofmann@fu-berlin.de
Line 29: Line 29:
   * mOTP Token   * mOTP Token
   * Paper Token (PPR)   * Paper Token (PPR)
-  * Questionnaire Token _Limitation: If only one answer is requested per directive._+  * Questionnaire Token (Limitation//If only one answer is requested per directive.//)
   * SMS Token   * SMS Token
   * TAN Token   * TAN Token
   * TOTP   * TOTP
-  * WebAuthn (from version 1.1.1)+  * WebAuthn (from version 1.2.0)
  
 Support of //Push Token// is currently in development. Support of //Push Token// is currently in development.
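Review bot: the WebAuthn availability is bumped to 1.2.0 here, but the WebAuthn section further down (Line 426 hunk) now reads "Starting from version 1.2.WebAuthn"; use the same full version string 1.2.0 in both places so an operator can tell exactly which release to install. The Questionnaire Token limitation is now written as "(Limitation//If only one answer is requested per directive.//)" with nothing between the label and the italic text; "(Limitation: //If only one answer ...//)" reads cleaner.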
Line 417: Line 417:
 </file> </file>
  
-Which means the result of the MFA authentication can not be reused. But inside of a multi factor authentication the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// can not.+This means the result of the MFA authentication can not be reused. Inside of a multi factor authentication the existing successful result of the username/password authentication (//password//) can be reused, but the result of //fudiscr// can not.
  
 <alert type="warning">It is recommended to set ''idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE'' in case on every authentication request the logic in ''./conf/authn/mfa-authn-config.xml'' is gone through. In the reuse case for instance during a valid SSO session, it is not checked whether a user has a certain affiliation.</alert> <alert type="warning">It is recommended to set ''idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE'' in case on every authentication request the logic in ''./conf/authn/mfa-authn-config.xml'' is gone through. In the reuse case for instance during a valid SSO session, it is not checked whether a user has a certain affiliation.</alert>
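Review bot: the rewritten sentence still uses "can not" twice; "cannot" is the standard form. The warning that follows is hard to parse: "in case on every authentication request the logic in ./conf/authn/mfa-authn-config.xml is gone through" reads as a condition, while the intent is the effect, i.e. set idp.authn.MFA.reuseCondition to shibboleth.Conditions.FALSE so that the MFA flow logic is evaluated on every authentication request. Rephrasing it that way makes the security point land: with reuse allowed, an affiliation check in mfa-authn-config.xml is skipped for the lifetime of the SSO session.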
Line 426: Line 426:
 This document might be of help [[https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/doc/ChallengeResponseFlow.pdf|ChallengeResponseFlow.pdf]]. This document might be of help [[https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/doc/ChallengeResponseFlow.pdf|ChallengeResponseFlow.pdf]].
  
-===== WebAuthn (experimental) ===== +===== WebAuthn ===== 
-Starting from version 1.1.WebAuthn token can be used. +Starting from version 1.2.WebAuthn token can be used.
- +
-Version 1.1.1 is considered 'experimental' for now and is not installed during regular updates. +
- +
-If you want to update the plugin to this version, please run: +
- +
-<code> +
-%{idp.home}/bin/plugin.sh -u de.zedat.fudis.shibboleth.idp.plugin.authn.fudiscr -fu 1.1.1 +
-</code> +
- +
-A fresh installation of this version can be done by: +
-<code> +
-%{idp.home}/bin/plugin.sh -i https://identity.fu-berlin.de/downloads/shibboleth/idp/plugins/authn/fudiscr/1.1.1/fudis-shibboleth-idp-plugin-authn-fudiscr-1.1.1.tar.gz +
-</code>+
  
 <alert type="warning"> <alert type="warning">
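Review bot: dropping the plugin.sh update and install commands together with the "experimental" caveat leaves this section with no statement of how 1.2.0 is obtained; since the removed text said 1.1.1 was not installed during regular updates, add one sentence saying whether 1.2.0 is delivered through the regular plugin update, or link the general installation section, so that gap is closed. Also "Starting from version 1.2.WebAuthn token can be used." is missing the patch level and a space: "Starting from version 1.2.0, WebAuthn tokens can be used."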
Line 446: Line 433:
 //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical. //rpId// (relying party Id), //challenge//, //userVerification// and //timeout// are identical.
  
-If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'',+If a user owns multiple active WebAuthn tokens and you set ''fudiscr.user_token_selection=none'', ''fudiscr.user_token_selection=multipleToken'' or ''fudiscr.user_token_selection=multipleTokenTypeGroup'' in ''%{idp.home}/conf/authn/fudiscr.properties'',
 you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well. you have to set ''fudiscr.privacyidea.single_trigger_challenges=false'' as well.
 </alert> </alert>
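Review bot: the condition now lists three fudiscr.user_token_selection values (none, multipleToken, multipleTokenTypeGroup) but does not say why fudiscr.privacyidea.single_trigger_challenges must be false alongside them; a short clause stating what fails for a user with several active WebAuthn tokens when it is left at true would let operators judge the change instead of copying the setting blindly. If none is the default value, say so explicitly, because an operator who never touched fudiscr.user_token_selection would otherwise not realise this applies to them.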
Line 452: Line 439:
 In general it applies that the domain of the Identity Provider has to either be identical to the //rpId// from WebAuthn or a subdomain of it. In general it applies that the domain of the Identity Provider has to either be identical to the //rpId// from WebAuthn or a subdomain of it.
 There is no preliminary filtering done in order to check if the domain of the Identity Provider is compatible to the //rpId// of the WebAuthn token. There is no preliminary filtering done in order to check if the domain of the Identity Provider is compatible to the //rpId// of the WebAuthn token.
- 
-There are changes to previous version in the velocity templates ''main.vm'' and ''insert-response.vm'' in ''%{idp.home}/views/fudiscr/''. 
-In ''main.vm'' the form only got the additional attribute ''id="fudiscr-form"''. In ''insert-response.vm'' there are extensive changes. 
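Review bot: removing the paragraph on the changed velocity templates main.vm and insert-response.vm deletes the only hint that operators with customised views under %{idp.home}/views/fudiscr/ must merge the new insert-response.vm when upgrading; since this revision also edits the Release Notes section (per the revision summary), move that note there rather than dropping it, so the upgrade step stays recorded.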
  
  
  • Last modified: 24 months ago