FIDO configuration overview

This article describes how FIDO features are configured in Airlock IAM.

For details about configuration please refer to the plugin and property descriptions in the Config Editor.

The FIDO Settings configuration plugin

The configuration of all FIDO use-cases supported by Airlock IAM is based on the FIDO Settings configuration plugin.

It configures all general FIDO settings:

  • Basic Settings: e.g. IAM database, relying party ID.
  • Registration Settings: e.g. allowed FIDO Authenticator types, user verification, and attestation verification.
  • Authentication Settings: e.g. user verification type, timeouts.
  • Advanced Settings: e.g. allowed signature algorithms.

The FIDO Settings configuration plugin is referenced by most of the other FIDO configuration plugins.

It is configured here (in the Config Editor):
MAIN SETTINGS
>> Authentication Settings >> FIDO Settings

It is recommended to configure the FIDO Settings plugin first and only afterwards the plugins for authentication, registration, and so on, since they reference it.

Windows 10 only supports RS256 as the signature algorithm for Windows Hello, and RS256 is disabled in Airlock IAM by default. If Windows Hello is to be used as a FIDO Authenticator, the RS256 algorithm therefore needs to be enabled in the allowed signature algorithms (Advanced Settings of the FIDO Settings plugin).

Note that this algorithm is disabled by default because RFC 8812 lists RS256 (RSASSA-PKCS1-v1_5 with SHA-256) as not recommended.
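To show why the allowed-algorithm setting decides whether Windows Hello can register at all, here is an added JavaScript illustration of the WebAuthn algorithm negotiation; it is not Airlock IAM code. It assumes a relying party whose allowed list maps to the COSE identifiers in pubKeyCredParams, and the authenticator capability set (RS256 only) is constructed from the statement above.

```javascript
// Added example, not part of Airlock IAM. COSE algorithm identifiers as
// registered with IANA (ES256 = -7, RS256 = -257).
const COSE_ALG = { ES256: -7, ES384: -35, ES512: -36, RS256: -257 };

// Build the pubKeyCredParams list a relying party places in
// PublicKeyCredentialCreationOptions. The order is the RP's preference;
// the authenticator takes the first entry it implements.
function buildPubKeyCredParams(allowedAlgNames) {
  return allowedAlgNames.map((name) => {
    if (!(name in COSE_ALG)) throw new Error(`unknown algorithm ${name}`);
    return { type: "public-key", alg: COSE_ALG[name] };
  });
}

// Authenticator side of registration: pick the first RP-listed algorithm the
// authenticator supports, or null when there is no overlap (registration fails).
function selectAlgorithm(pubKeyCredParams, authenticatorAlgs) {
  const supported = new Set(authenticatorAlgs);
  const match = pubKeyCredParams.find((p) => supported.has(p.alg));
  return match ? match.alg : null;
}

// Constructed capability set following the article: Windows 10 Hello offers RS256 only.
const WINDOWS_HELLO_ALGS = [COSE_ALG.RS256];

// Outcome of a registration attempt for a given allowed-algorithm setting.
function registrationOutcome(allowedAlgNames, authenticatorAlgs) {
  const alg = selectAlgorithm(buildPubKeyCredParams(allowedAlgNames), authenticatorAlgs);
  return alg === null
    ? { ok: false, reason: "no signature algorithm in common" }
    : { ok: true, alg };
}

// Default-style setting (RS256 disabled) versus RS256 enabled.
console.log(registrationOutcome(["ES256"], WINDOWS_HELLO_ALGS));          // ok: false
console.log(registrationOutcome(["ES256", "RS256"], WINDOWS_HELLO_ALGS)); // ok: true, alg: -257
```

Keeping ES256 first in the list means authenticators that support both still receive the recommended algorithm; RS256 is only chosen when nothing else overlaps.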

  • FIDO is only supported by the Loginapp REST UI and the Loginapp REST API (not by the Loginapp (JSP)).