
How to Setup WebAuthn Authentication in OpenAM

Nicholas Sushkin edited this page Oct 4, 2019 · 12 revisions


Introduction

WebAuthn is a W3C and FIDO standard for public key authentication on the Web. For authentication, the client can use hardware USB, Bluetooth or NFC tokens, or mobile biometric authentication such as fingerprint or Face ID. WebAuthn is much harder to compromise than, for example, password authentication, because third-party software never gains access to the private key.

WebAuthn browser support:

  • Google Chrome.
  • Mozilla Firefox.
  • Microsoft Edge.
  • Apple Safari.
  • Opera.

More info about WebAuthn browser support: https://caniuse.com/#search=webauthn

The latest W3C WebAuthn Standard: https://w3c.github.io/webauthn/

Notes

WebAuthn works only on the localhost hostname or over an SSL (HTTPS) connection.

For local development and testing, you can use U2F emulators:

Setting up Authentication modules

In this example, an OpenAM realm /users is configured to be protected with WebAuthn authentication.

Set up WebAuthn Registration Module

In the OpenAM console, navigate to the /users realm and create a new WebAuthn Registration Authentication module:

[Screenshot: OpenAM Create WebAuthn Registration Authentication Module]

Set up required settings:

[Screenshot: OpenAM WebAuthn Registration Authentication Module Settings]

Setting - Description

Attestation Type - Attestation Conveyance Preference. Indicates whether the server requires attestation or not. Possible values are:
  • direct - the attestation generated by the authenticator is required by the server
  • indirect - the client may decide whether attestation is required
  • none - the server does not care about attestation

Authenticator Type - Authenticator Attachment Enumeration. Specifies the authenticator type: platform-specific, such as Touch ID, or removable, such as a USB token. Possible values are:
  • cross-platform - removable authenticator
  • platform - platform-specific authenticator
  • unspecified - any authenticator type

Auth Level - Module Authentication Level

Timeout - WebAuthn registration timeout in milliseconds

User attribute to store Public Keys - User identity attribute in which the authentication data is stored
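The three registration settings above (Attestation Type, Authenticator Type, Timeout) correspond directly to fields of the WebAuthn PublicKeyCredentialCreationOptions that the browser receives before it calls navigator.credentials.create(). The following is an added example, not OpenAM code, showing that mapping in the JSON form a server sends to the page; the `moduleSettings` object shape, the `rp`/`user` helpers and the function name are assumptions made for the example.

```javascript
// Added example (not OpenAM code): map the WebAuthn Registration module
// settings onto the JSON form of PublicKeyCredentialCreationOptions.
// The moduleSettings shape { attestationType, authenticatorType, timeoutMs }
// is an assumption that mirrors the settings table in this guide.

const ATTESTATION_TYPES = ["direct", "indirect", "none"];
const AUTHENTICATOR_TYPES = ["cross-platform", "platform", "unspecified"];

// base64url without padding: the encoding WebAuthn uses for binary fields
// (challenge, user.id, credential ids) when they are carried in JSON.
function toBase64Url(bytes) {
  return Buffer.from(bytes).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the creation options for one registration attempt.
//   moduleSettings: values from the Registration module (see table above)
//   rp:             { id, name } of the relying party (the OpenAM host)
//   user:           { idBytes, name, displayName } of the account registering
//   challenge:      fresh random bytes generated by the server per attempt
function buildCreationOptions(moduleSettings, rp, user, challenge) {
  const { attestationType, authenticatorType, timeoutMs } = moduleSettings;
  if (!ATTESTATION_TYPES.includes(attestationType)) {
    throw new Error(`invalid Attestation Type: ${attestationType}`);
  }
  if (!AUTHENTICATOR_TYPES.includes(authenticatorType)) {
    throw new Error(`invalid Authenticator Type: ${authenticatorType}`);
  }
  if (!Number.isInteger(timeoutMs) || timeoutMs <= 0) {
    throw new Error(`Timeout must be a positive number of milliseconds`);
  }
  if (challenge.length < 16) {
    throw new Error("challenge must be at least 16 random bytes");
  }

  const options = {
    rp: { id: rp.id, name: rp.name },
    user: {
      id: toBase64Url(user.idBytes),
      name: user.name,
      displayName: user.displayName,
    },
    challenge: toBase64Url(challenge),
    // ES256 (COSE -7) and RS256 (COSE -257) cover common hardware tokens.
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },
      { type: "public-key", alg: -257 },
    ],
    timeout: timeoutMs,                 // "Timeout" setting
    attestation: attestationType,       // "Attestation Type" setting
    authenticatorSelection: {},
  };

  // "unspecified" means any authenticator: the WebAuthn enum only knows
  // "platform" and "cross-platform", so the attachment field is omitted.
  if (authenticatorType !== "unspecified") {
    options.authenticatorSelection.authenticatorAttachment = authenticatorType;
  }
  return options;
}

// Constructed sample input (not real data): a realm user registering a USB token.
const sampleSettings = { attestationType: "direct", authenticatorType: "cross-platform", timeoutMs: 60000 };
const sampleRp = { id: "openam.example.com", name: "OpenAM" };
const sampleUser = { idBytes: Buffer.from("demo"), name: "demo", displayName: "Demo User" };
const sampleChallenge = Buffer.from("0123456789abcdef0123456789abcdef");

const sampleOptions = buildCreationOptions(sampleSettings, sampleRp, sampleUser, sampleChallenge);
console.log(JSON.stringify(sampleOptions, null, 2));
```

In the browser, the page would decode `challenge` and `user.id` from base64url back into ArrayBuffers before passing the object to navigator.credentials.create(); the server must keep the challenge it issued so that the response can be matched against it.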

Set up WebAuthn Registration Authentication Chain

Create a new authentication chain webauthn-registration:

[Screenshot: OpenAM WebAuthn Registration Authentication Chain]

Testing WebAuthn Registration Authentication Chain

Try to log in using the registration authentication chain and register a public key for the user account. Open the URL https://openam.example.com:8443/openam/UI/Login?org=/users&service=webauthn-registration in the browser (change the host and port to yours).

[Screenshot: OpenAM WebAuthn Registration User Name]

Enter the user name and then click the Log In button.

[Screenshot: OpenAM WebAuthn Registration USB Key]

Insert the USB token if you have not done so already. Registration is successful.

Set up WebAuthn Authentication Module

In the OpenAM console, navigate to the /users realm and create a new WebAuthn Authentication module:

[Screenshot: OpenAM Create WebAuthn Registration Authentication Module]

Set up required settings:

[Screenshot: OpenAM WebAuthn Authentication Module Settings]

Setting - Description

Auth Level - Module Authentication Level

Timeout - WebAuthn authentication timeout in milliseconds

User attribute to retrieve Public Keys - User identity attribute from which the authentication data is retrieved

Set up WebAuthn Authentication Chain

Create a new authentication chain webauthn-authentication:

[Screenshot: OpenAM WebAuthn Authentication Chain]

Testing WebAuthn Authentication Chain

Try to log in using the authentication chain with the public key registered for the user account. Open the URL https://openam.example.com:8443/openam/UI/Login?org=/users&service=webauthn-authentication in the browser (change the host and port to yours).

[Screenshot: OpenAM WebAuthn Authentication User Name]

Enter the user name and then click the Log In button.

[Screenshot: OpenAM WebAuthn Authentication USB Key]

Insert the USB token if you have not done so already. Authentication is successful.
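When the login above succeeds, the relying party has checked the clientDataJSON returned by the browser: the operation type, that the challenge is the one it issued for this login attempt, and that the origin is an allowed one for the RP ID, which is where the "localhost or SSL only" rule from the Notes section is enforced. The following is an added example of those checks, not OpenAM code; the function names, the allowed-origin rule and all sample data are constructed for the example.

```javascript
// Added example (not OpenAM code): relying-party checks on the clientDataJSON
// a browser returns from navigator.credentials.get() during WebAuthn login.
// All sample data below is constructed for the example.

function toBase64Url(bytes) {
  return Buffer.from(bytes).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64Url(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Constant-time byte comparison so a forged challenge does not leak how many
// leading bytes matched.
function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// WebAuthn only runs in a secure context: HTTPS, or plain HTTP on localhost.
// The RP ID must also equal the origin's host or be a registrable suffix of it.
function isAllowedOrigin(origin, rpId) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  const secure = url.protocol === "https:" || url.hostname === "localhost";
  const rpMatches = url.hostname === rpId || url.hostname.endsWith("." + rpId);
  return secure && rpMatches;
}

// Verify the client data of an assertion against the challenge stored in the
// server-side session for this login. Returns { ok: true } or { ok: false, reason }.
function verifyClientData(clientDataB64, expectedChallengeB64, rpId) {
  let clientData;
  try {
    clientData = JSON.parse(fromBase64Url(clientDataB64).toString("utf8"));
  } catch {
    return { ok: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (clientData.type !== "webauthn.get") {
    return { ok: false, reason: `unexpected type ${clientData.type} (registration data sent to login?)` };
  }
  if (typeof clientData.challenge !== "string" ||
      !bytesEqual(fromBase64Url(clientData.challenge), fromBase64Url(expectedChallengeB64))) {
    return { ok: false, reason: "challenge mismatch: replayed or forged response" };
  }
  if (!isAllowedOrigin(clientData.origin, rpId)) {
    return { ok: false, reason: `origin ${clientData.origin} is not allowed for RP ID ${rpId}` };
  }
  return { ok: true };
}

// Constructed samples: the challenge the server issued, one well-formed
// response from the HTTPS login page, and one from a plain-HTTP origin.
const RP_ID = "openam.example.com";
const SAMPLE_CHALLENGE = toBase64Url(Buffer.from("example-challenge-0123456789abcdef"));

function encodeClientData(obj) {
  return toBase64Url(Buffer.from(JSON.stringify(obj), "utf8"));
}

const goodClientData = encodeClientData({
  type: "webauthn.get", challenge: SAMPLE_CHALLENGE,
  origin: "https://openam.example.com:8443", crossOrigin: false,
});
const httpOriginClientData = encodeClientData({
  type: "webauthn.get", challenge: SAMPLE_CHALLENGE,
  origin: "http://openam.example.com:8443", crossOrigin: false,
});
const registrationClientData = encodeClientData({
  type: "webauthn.create", challenge: SAMPLE_CHALLENGE,
  origin: "https://openam.example.com:8443", crossOrigin: false,
});

console.log(verifyClientData(goodClientData, SAMPLE_CHALLENGE, RP_ID));
console.log(verifyClientData(httpOriginClientData, SAMPLE_CHALLENGE, RP_ID));
console.log(verifyClientData(registrationClientData, SAMPLE_CHALLENGE, RP_ID));
```

These checks cover only the client data; a complete verifier also parses the authenticator data, confirms the RP ID hash, checks the user-presence flag, and verifies the signature with the public key stored in the user attribute configured above.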
