WebAuthn / FIDO 2 Demo

From NIEF Wiki
Revision as of 22:14, 21 February 2022 by Jeff.Krug


GTRI has deployed a very simplistic demo of the Duke University WebAuthn plugin for Shibboleth 4.1 in the NIEF Testbed environment. This page provides a short explanation of how to verify that the demo works for your device.

Device Registration

From a web browser on the device, go to the registration URL. In production, this URL would require some sort of pre-existing authentication, or would only be available during some sort of in-person registration process. For this demo, it is simply open to the world:


This page will have a UI that looks like this:

Screen shot of the registration page
  1. Put in testuser01 for the Username.
  2. Put in any meaningful description for the Device ID, such as 'Tom Jane's iPhone'.
  3. Click Register device with WebAuthn.

Device Authentication

Upon clicking the button, your device should present its user interface for enabling authentication. This will vary by device, and while it may work on desktops, it is less often supported there than it is on mobile devices. The initial screenshot on a typical 2020 Android device looks like this:

Cell phone screen shot of using the device's security key.

In the above screenshot, the user would click "Get Started". Your device should hopefully have an equally intuitive option.

Next you will be prompted to choose a method for using the key, essentially how the device will authenticate you and unlock the key on future use. This will also vary greatly from device to device in terms of the options available, and in some cases there will be no available mechanism at all and an error may be generated. On a typical 2020 Android device this next screen looks like this:

Cell phone screen shot of configuring the device's security key.

For the demo day, the screen lock mechanism will most likely be used, unless additional devices are provided, such as NFC-based WebAuthn tokens or perhaps PIV-I card readers that work with mobile devices.

IDP Confirmation

If your device supports a way to protect and authenticate to the IDP in future logins, you should get a registration successful message:

Screen shot of successful registration.

If your device doesn't support WebAuthn in a way that is compatible with the server, you will get an error message like the following:

Screen shot of failed registration.

Test SSO

The final step is to actually authenticate to the IDP using the WebAuthn credential. Test this with the following link: Login to NIEF Test SP

The first time you do this, you will need to type in 'testuser01' again. When you click continue, your device will take over to unlock your WebAuthn / FIDO2 key. After you authenticate to your device, your device will authenticate to the IDP and you should be redirected to the NIEF Test SP, where you will see a page that looks like the following:

Screen shot of the NIEF Test SP - SSO landing page and attribute review page.