FIDO token management self-service configuration

This article explains how to configure FIDO token management self-services for end-users.

The protected self-services provide the following functionality:

  • List all FIDO tokens
  • Add new FIDO tokens
  • Delete registered FIDO tokens
  • Set or change the display name of a registered token
  • Enable and disable registered tokens

Prerequisites

Configuration hint:

The following configuration steps depend on the general FIDO Settings configuration used for authentication and other flows.

Make sure that:

  • The FIDO Settings (basic settings) are configured. In particular, the configured relying party ID must match the browser domain used when accessing the Loginapp.

To test the configured features, the following prerequisites must be met. Make sure that:

  • The end-user has been authenticated using a REST authentication flow.
  • The end-user is authorized to register FIDO authenticators (i.e. the FIDO registration flow's configured authorization condition is fulfilled).

FIDO token list

To configure the protected self-service, proceed as follows:

  1. Go to:
    Loginapp >> Protected Self-Services
  2. In property FIDO Credential List, add a plugin of type FIDO Credential List. Open the plugin.
  3. In property FIDO Settings, connect the FIDO settings configuration used in authentication and other flows in the MAIN SETTINGS (MAIN SETTINGS >> Authentication Settings >> FIDO Settings).
  4. Configure the FIDO AAGUID Mappings property: it defines how AAGUIDs (an ID provided by the FIDO tokens) are translated into human-readable information about the make and model of the token. Using FIDO Default AAGUID Mappings works for many standard tokens, but you may add the FIDO Custom AAGUID Mappings plugin to add your own mappings.
  5. Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.

Add a new FIDO token

To allow the user to register additional FIDO tokens, a protected self-service flow must be configured:

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. In property Flows, add a new element of type Custom Protected Self Service Flow to the list and configure it as follows.
  3. Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-registration).
  4. In the property Steps, add an element of type FIDO Registration Step and configure it by connecting the FIDO Settings. Optionally, add other steps as required.
  5. Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.

Delete a registered FIDO token

To allow the user to delete registered FIDO tokens, a protected self-service flow must be configured:

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. In property Flows, add a new element of type Default FIDO Credential Removal Flow to the list and configure it as follows.
  3. Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-removal).
  4. Choose whether Allow Deleting Last Credential is enabled or disabled.
  5. Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.

Change the display name of a registered FIDO token

To allow the user to change the display name of a registered FIDO token, a protected self-service flow must be configured:

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. In property Flows, add a new element of type Default FIDO Credential Display Name Change Flow to the list and configure it as follows.
  3. Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-display-name-change).
  4. Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.

Enable and disable a FIDO token

To allow the user to enable and/or disable a FIDO token, proceed as follows:

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. In property Flows, add a new element of type Default Enable FIDO Credential Flow and/or Default Disable FIDO Credential Flow to the list and configure it as follows.
  3. Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-enabling, fido-disabling).
  4. Choose Access Conditions and Authorization Conditions such that the flows are only available to entitled users.

UI Configuration

To enable the self-services in the Loginapp UI, configure the FIDO Credential Management UI as follows:

  1. Go to:
    Loginapp >> UI Settings >> Protected Self-Service UIs
  2. In the section Token Management, in the property FIDO, add a plugin of type FIDO Credential Management UI. Open the plugin.
  3. For each property of the FIDO Credential Management UI connect the corresponding Flow ID object (e.g. for Flow To Register Credential connect the Flow ID object fido-registration).

To enable the UI for every flow that has been configured above, a corresponding Flow UI must be configured:

  1. Go to:
    Loginapp >> UI Settings >> Protected Self-Service UIs
  2. In the property Flow UIs, add a new element of type Protected Self-Service UI. Open the plugin.
  3. In the property Flow ID, connect the object Flow ID from the corresponding flow (e.g. fido-registration).
  4. Configure the sections On Flow Completion, On Flow Cancellation, and On Flow Failure to achieve the desired behavior.