How to Setup WebAuthn Authentication in OpenAM
---
layout: home
landing-title: "How to Setup WebAuthn Authentication in OpenAM"
landing-title2: "How to Setup WebAuthn Authentication and Registration in OpenAM"
description: "How to Setup WebAuthn Authentication in OpenAM"
keywords: 'WebAuthn, Authentication, Registration, Login, OpenAM, Access Management, Authentication, Authorization, Single Sign On, Open Identity Platform'
---
Original article: https://github.com/OpenIdentityPlatform/OpenAM/wiki/How-to-Use-Apache-Cassandra-as-User-DataStore-in-OpenAM
WebAuthn is a W3C and FIDO standard that describes public key authentication on the Web. For authentication, the client can use hardware USB, Bluetooth or NFC tokens, or mobile biometric authentication such as a fingerprint or Face ID. WebAuthn is much harder to compromise than, for example, password authentication, because third-party software never gains access to the private key: it stays inside the authenticator and only signatures over a server-issued challenge leave it.
WebAuthn browser support:
- Google Chrome.
- Mozilla Firefox.
- Microsoft Edge.
- Apple Safari.
- Opera.
More info about WebAuthn browser support: https://caniuse.com/#search=webauthn
The latest W3C WebAuthn Standard: https://w3c.github.io/webauthn/
WebAuthn works only for the localhost hostname or over an SSL (HTTPS) connection, because browsers expose it only in a secure context.
For local development and testing you can use U2F emulators:
- For Linux: U2F emulator written in Rust https://github.com/danstiner/rust-u2f
- For Mac: U2F Emulator by GitHub https://github.com/github/SoftU2F
For example, there is a /users realm in OpenAM that needs to be protected with WebAuthn authentication.
In the OpenAM console, navigate to the /users realm and create a new WebAuthn Registration authentication module:
Set up the required settings:
Setting | Description |
---|---|
Attestation Type | Attestation Conveyance Preference. Indicates whether attestation is required by the server or not. Possible values are: |
Authenticator Type | Authenticator Attachment Enumeration. Specifies the authenticator type: whether it is platform-specific, such as Touch ID, or removable, such as a USB token. Possible values are: |
Auth Level | Module authentication level |
Timeout | WebAuthn registration timeout in milliseconds |
User attribute to store Public Keys | User identity attribute in which to store the registered authentication data |
Create a new authentication chain webauthn-registration
Try to log in using the registration authentication chain and register a public key for the user account. Open the URL https://openam.example.com:8443/openam/UI/Login?org=/users&service=webauthn-registration in a browser (change the host and port to yours).
Enter the user name and click the Log In button.
Insert the USB token if you have not done so already. Registration is successful.
In the OpenAM console, navigate to the /users realm and create a new WebAuthn Authentication module:
Set up the required settings:
Setting | Description |
---|---|
Auth Level | Module authentication level |
Timeout | WebAuthn authentication timeout in milliseconds |
User attribute to retrieve Public Keys | User identity attribute from which to retrieve the registered authentication data |
Create a new authentication chain webauthn-authentication
Try to log in using the authentication chain with the public key registered for the user account. Open the URL https://openam.example.com:8443/openam/UI/Login?org=/users&service=webauthn-authentication in a browser (change the host and port to yours).
Enter the user name and click the Log In button.
Insert the USB token if you have not done so already. Authentication is successful.