FIDO passkey management self-service configuration
This article explains how to configure FIDO passkey management self-services for end-users.
The protected self-services provide the following functionality:
- List all FIDO passkeys
- Add a new FIDO passkey
- Delete a registered FIDO passkey
- Set or change the display name of a registered passkey
- Enable and disable registered passkeys
Prerequisites
Configuration hint:
The following configuration steps depend on the general FIDO Settings configuration used for authentication and other flows.
Make sure that:
- The FIDO Settings (basic settings) are configured. In particular, the configured relying party ID must match the browser domain used to access the Loginapp.
To test the configured features, consider the following prerequisites. Make sure that:
- The end-user has been authenticated using a REST authentication flow.
- The end-user is authorized to register FIDO passkeys (i.e., the FIDO registration flow's configured authorization condition is fulfilled).
FIDO token list
To configure the protected self-service, proceed as follows:
- Go to: Loginapp >> Protected Self-Services
- In property FIDO Credential List, add a plugin of type FIDO Credential List. Open the plugin.
- In property FIDO Settings, connect the FIDO settings configuration used in authentication and other flows (in MAIN SETTINGS >> Authentication Settings >> FIDO Settings).
- Configure the FIDO AAGUID Mappings property: it defines how AAGUIDs (an identifier reported by the FIDO token) are translated into human-readable information about the make and model of the token. Using FIDO Default AAGUID Mappings works for many standard tokens, but you may add the FIDO Custom AAGUID Mappings plugin to add your own mappings.
- Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.
Add a new FIDO passkey
To allow the user to register additional FIDO passkeys, a protected self-service flow must be configured:
- Go to: Loginapp >> Protected Self-Services >> Protected Self-Service Flows
- In property Flows, add a new element of type Custom Protected Self Service Flow to the list and configure it as follows.
- Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-registration).
- In the property Steps, add an element of type FIDO Registration Step and configure it by connecting the FIDO Settings. Optionally, add other steps as required. This step asks the end-user to enter a display name for the registered passkey. Alternatively, the display name can be generated from the make and model of the passkey (derived from the passkey's AAGUID). To do so, uncheck FIDO Settings >> Auto Generate Display Name and insert an Auto Generate Display Name step after the FIDO Registration Step.
- Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.
Delete a registered FIDO passkey
To allow the user to delete registered FIDO passkeys, a protected self-service flow must be configured:
- Go to: Loginapp >> Protected Self-Services >> Protected Self-Service Flows
- In property Flows, add a new element of type Default FIDO Credential Removal Flow to the list and configure it as follows.
- Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-removal).
- Enable or disable Allow Deleting Last Credential as required.
- Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.
Change the display name of a registered FIDO passkey
To allow the user to change the display name of a registered FIDO passkey, a protected self-service flow must be configured:
- Go to: Loginapp >> Protected Self-Services >> Protected Self-Service Flows
- In property Flows, add a new element of type Default FIDO Credential Display Name Change Flow to the list and configure it as follows.
- Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-display-name-change).
- Choose Access Conditions and Authorization Conditions such that the flow is only available to entitled users.
Enable and disable a FIDO passkey
To allow the user to enable and/or disable a FIDO passkey, proceed as follows:
- Go to: Loginapp >> Protected Self-Services >> Protected Self-Service Flows
- In property Flows, add a new element of type Default Enable FIDO Credential Flow and/or Default Disable FIDO Credential Flow to the list and configure it as follows.
- Create a new Flow ID. This ID is used to select the flow in a REST client and is needed in the Loginapp REST UI configuration (e.g. fido-enabling, fido-disabling).
- Choose Access Conditions and Authorization Conditions such that the flows are only available to entitled users.
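 
The five self-service operations configured above (list, register, change display name, enable/disable, delete), together with the two settings that shape their behaviour (the AAGUID-based display-name generation from the FIDO token list and registration sections, and Allow Deleting Last Credential from the removal flow), modelled as a small in-memory registry. This is an added example and not Airlock IAM or Loginapp code: the AAGUID mapping table, the display-name length limit and the sample authenticator data are constructed for the example, and the AAGUIDs in it are hypothetical, not real vendor values.

```python
"""Added example (not Airlock IAM code): in-memory model of the passkey
self-service operations, with AAGUID-based display names and the
'allow deleting last credential' policy.

The AAGUID is read from WebAuthn authenticator data, which is laid out as
rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] | credId.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

FLAG_AT = 0x40          # flags bit: attested credential data included
MAX_DISPLAY_NAME = 64   # constructed limit for this example

# Constructed AAGUID -> make/model table (hypothetical IDs, not vendor values).
AAGUID_MAPPINGS = {
    uuid.UUID("11111111-1111-4111-8111-111111111111"): "ExampleCo Key A",
    uuid.UUID("22222222-2222-4222-8222-222222222222"): "ExampleCo Key B",
}


def parse_attested_credential(auth_data: bytes) -> tuple:
    """Extract (aaguid, credential_id) from WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("no attested credential data in authenticator data")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credential ID truncated")
    return aaguid, cred_id


def make_auth_data(aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Constructed authenticator data for testing (no real attestation)."""
    return (b"\x00" * 32 + bytes([FLAG_AT | 0x01]) + b"\x00\x00\x00\x01"
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id)


@dataclass
class Passkey:
    cred_id: bytes
    aaguid: uuid.UUID
    display_name: str
    enabled: bool = True


class PasskeyRegistry:
    """Passkeys of one user; one method per self-service operation."""

    def __init__(self, allow_deleting_last: bool = False) -> None:
        self.allow_deleting_last = allow_deleting_last
        self._keys = {}  # credential ID -> Passkey

    def list(self) -> list:
        return list(self._keys.values())

    def _validated_name(self, name: str) -> str:
        name = name.strip()
        if not name or len(name) > MAX_DISPLAY_NAME:
            raise ValueError("display name must be 1..%d characters" % MAX_DISPLAY_NAME)
        return name

    def _unique_name(self, base: str) -> str:
        """Suffix ' (n)' so two passkeys of the same model stay distinguishable."""
        taken = {k.display_name for k in self._keys.values()}
        if base not in taken:
            return base
        n = 2
        while f"{base} ({n})" in taken:
            n += 1
        return f"{base} ({n})"

    def add(self, auth_data: bytes, display_name: Optional[str] = None) -> Passkey:
        aaguid, cred_id = parse_attested_credential(auth_data)
        if cred_id in self._keys:
            raise ValueError("credential already registered")
        if display_name is None:  # auto-generate from the AAGUID mapping
            name = self._unique_name(AAGUID_MAPPINGS.get(aaguid, "Unknown FIDO passkey"))
        else:
            name = self._validated_name(display_name)
        key = Passkey(cred_id, aaguid, name)
        self._keys[cred_id] = key
        return key

    def rename(self, cred_id: bytes, display_name: str) -> Passkey:
        key = self._keys[cred_id]
        key.display_name = self._validated_name(display_name)
        return key

    def set_enabled(self, cred_id: bytes, enabled: bool) -> Passkey:
        key = self._keys[cred_id]
        key.enabled = enabled
        return key

    def delete(self, cred_id: bytes) -> None:
        if cred_id not in self._keys:
            raise KeyError("unknown credential")
        # Refuse to remove the only passkey unless the policy allows it,
        # so the user cannot lock themselves out of passkey login.
        if len(self._keys) == 1 and not self.allow_deleting_last:
            raise PermissionError("deleting the last registered passkey is not allowed")
        del self._keys[cred_id]
```

Two points worth keeping in mind when reading this: the AAGUID is self-reported by the authenticator unless the attestation statement is actually verified, so it is a good source for a friendly display name but not something to base an authorization decision on; and the last-credential guard is the reason the removal flow exposes Allow Deleting Last Credential at all, since a user who deletes their only passkey may have no way left to authenticate.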
UI Configuration
To enable the self-services in the Loginapp UI, configure the FIDO Credential Management UI as follows:
- Go to: Loginapp >> UI Settings >> Protected Self-Service UIs
- In the section Token Management, in the property FIDO, add a plugin of type FIDO Credential Management UI. Open the plugin.
- For each property of the FIDO Credential Management UI, connect the corresponding Flow ID object (e.g. for Flow To Register Credential, connect the Flow ID object fido-registration).
To enable the UI for every flow that has been configured above, a corresponding Flow UI must be configured:
- Go to: Loginapp >> UI Settings >> Protected Self-Service UIs
- In the property Flow UIs, add a new element of type Protected Self-Service UI. Open the plugin.
- In the property Flow ID, connect the Flow ID object from the corresponding flow (e.g. fido-registration).
- Configure the sections On Flow Completion, On Flow Cancellation, and On Flow Failure to achieve the desired behavior.
Further information and links
- See Use case: FIDO passkey self-service for end users for a use case example of the self-service management UI.
- See FIDO authentication (WebAuthn, U2F, CTAP) for a general introduction to FIDO.
- See Protected self-services for end-users for general information about protected self-service flows.