Share on:

How to Setup WebAuthn Authentication in OpenAM

Original article

Table of Contents

Introduction

WebAuthn is W3C and FIDO standart that describes Web public key authentication. For authentication client can use Hardware USB, Bluetooth or NFC tokens, or mobile biometric authentication, such as fingerprint or FaceID. WebAuthn is much harder to compromise comparing, for example, password authentication, because 3d party software will never gain access to the private key.

WebAuthn browser support:

More info about WebAutn browser support: https://caniuse.com/#search=webauthn

The latest W3C WebAuthn Standart: https://w3c.github.io/webauthn/

Notes

WebAuthn works only for localhost hostname or for SSL connection

For local development and testing you can use U2F emulators:

Setting up Authentication modules

For example there is a /clients realm in OpenAM that need to be protected with WebAuthn authentication.

Setup WebAuthn Registration Module

In OpenAM console, navigate to /clients realm and create new WebAuthn Registration Authentication module: OpenAM Create WebAuthn Registration Authentication Module

Setup required settings:

OpenAM  WebAuthn Registration Authentication Module Settings

Setting Description
Attestation Type Attestation Conveyance Preference. Indicates, wether attestation required by server or not. Possible values are:
  • direct - attestation, generated by authenticator required by server
  • idirect - allows client to decide wether attestation is required
  • none - server does not care about attestation
Authenticator Type Authenticator Attachment Enumeration - specifies authenticator type. Wether it could be platform specific, such as TouchID, or removable, such as USB Token. Possible values are:
  • cross-platform - removable authenticator
  • platform - platform specific authenticator
  • unspecified - any authenticator type
Auth Level Modlue Authentication Level
Timeout WebAuthn registratation timeout in milliseconds
User attribute to store Public Keys User indetity attribiute to store authentication data

Setup WebAutn Registration Authentication Chain

Create new authentication chain webauthn-regustration OpenAM  WebAuthn Registration Authentication Chain

Testing WebAutn Registration Authentication Chain

Try to login using registration authentication chain and register public key for the user account. Open in browser url https://[host]:[port]/openam/UI/Login?org=/clients&service=webauthn-registration (change host and port to yours).

OpenAM  WebAuthn Registration User Name

Enter User Name and then click Log In button

OpenAM  WebAuthn Registration USB Key

Insert USB Token if you have not done it before. Registration successful.

Setup WebAuth Authentication Module

In OpenAM console, navigate to /clients realm and create new WebAuthn Authentication module:

OpenAM Create WebAuthn Registration Authentication Module

Setup required settings:

OpenAM  WebAuthn Authentication Module Settings

Setting Description
Auth Level Modlue Authentication Level
Timeout WebAuthn authentication timeout in milliseconds
User attribute to retrieve Public Keys User indetity attribiute to retrieve authentication data

Setup WebAutn Authentication Chain

Create new authentication chain webauthn-authentication OpenAM  WebAuthn Authentication Chain

Testing WebAutn Authentication Chain

Try to login using authentication chain and login using registered public key for the user account. Open in browser url https://[host]:[port]/openam/UI/Login?org=/clients&service=webauthn-authentication, (change host and port to yours).

OpenAM  WebAuthn Authentication User Name

Enter User Name and then click Log In button

OpenAM  WebAuthn Authentication USB Key

Insert USB Token if you have not done it before. Authentication successful.