WebAuthn / FIDO 2 Demo
Intro
GTRI has deployed a very simple demo of the Duke University WebAuthn plugin for Shibboleth 4.1 in the NIEF Testbed environment. This page gives a short explanation of how to verify that the demo works for your device.
Device Registration
From a web browser on the device you must go to the registration URL. In production this URL would require some form of pre-existing authentication, or would be available only during an in-person registration process. For this demo, it is simply open to the world:
https://assure.ref.gfipm.net/idp/webauthn/registration
This page will have a UI that looks like this:
- Put in testuser01 for the Username.
- Put in any meaningful description for the Device ID, such as 'Tom Jane's iPhone'.
- Click Register device with WebAuthn
Device Authentication
Upon clicking the button, your device should present its user interface for enabling authentication. This will vary by device, and while it may work on desktops, it is less often supported there than it is on mobile devices. The initial screenshot on a typical 2020 Android device looks like this:
In the above screenshot, the user would click "Get Started". Your device should hopefully have an equally intuitive option.
Next you will be prompted to choose a method for using the key, that is, how the device will authenticate you and unlock the key on future use. This will also vary greatly from device to device in the options available, and in some cases no mechanism will be available and an error may be generated. On a typical 2020 Android device this next screen looks like this:
For the demo day, the screen lock mechanism will likely be used unless additional devices are provided, such as NFC-based WebAuthn tokens or PIV-I card readers that work with mobile devices.
IDP Confirmation
If your device supports a way to protect the key and authenticate to the IDP in future logins, you should get a registration successful message:
If your device doesn't support WebAuthn in a way that is compatible with the server, you will get an error message like the following:
Test SSO
The final step is to actually authenticate to the IDP using the WebAuthn credential. Test this with the following link: Login to NIEF Test SP
The first time you do this, you will need to type in 'testuser01' again. When you click Continue, your device will take over to unlock your WebAuthn / FIDO2 key. After you authenticate to your device, the device authenticates to the IDP and you should be redirected to the NIEF Test SP, where you will see a page that looks like the following:
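What the IDP has to check when the device's response arrives in that final step, as an added example that is not code from the demo or the Duke plugin: the RP ID, origin and sample response are constructed, and it covers the checks that precede the signature verification over the returned blob (challenge, origin, rpIdHash, user presence/verification flags, signature counter).

```python
import base64, hashlib, json, struct
# Constructed values for a hypothetical IdP (not the NIEF demo's).
RP_ID = "idp.example.org"
ORIGIN = "https://idp.example.org"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {"rp_id_hash": auth_data[:32],
            "user_present": bool(flags & 0x01),   # UP bit
            "user_verified": bool(flags & 0x04),  # UV bit
            "sign_count": struct.unpack(">I", auth_data[33:37])[0]}

def check_assertion(client_data_b64: str, auth_data_b64: str,
                    expected_challenge: bytes, stored_count: int,
                    require_uv: bool = True) -> dict:
    """Checks made before verifying the signature over
    authenticatorData || SHA-256(clientDataJSON); returns that signed blob."""
    raw_cd = b64url_decode(client_data_b64)
    cd = json.loads(raw_cd)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: replayed or foreign response")
    if cd.get("origin") != ORIGIN:
        raise ValueError("origin mismatch: not produced for this IdP")
    raw_ad = b64url_decode(auth_data_b64)
    ad = parse_authenticator_data(raw_ad)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this RP ID")
    if not ad["user_present"]:
        raise ValueError("user presence not asserted")
    if require_uv and not ad["user_verified"]:
        raise ValueError("device did not verify the user (screen lock/biometric)")
    if (ad["sign_count"] or stored_count) and ad["sign_count"] <= stored_count:
        raise ValueError("signature counter did not increase: possible cloned key")
    return {"sign_count": ad["sign_count"],
            "signed_data": raw_ad + hashlib.sha256(raw_cd).digest()}

def make_sample(challenge: bytes, flags: int, count: int):
    """Constructed clientDataJSON/authenticatorData pair for local testing."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                     "origin": ORIGIN}).encode()
    ad = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
    return b64url_encode(cd), b64url_encode(ad)
```

The returned `signed_data` is the exact byte string the IDP then verifies against the public key stored at registration; a real deployment performs that signature check with a crypto library and persists the new counter only after it passes.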