AuthnMethodFido

Description of the configuration object

A numeric weight to be assigned to this authentication method. You can create authorization conditions based on these assurance level weights.

The holder for common URL configurations of an authentication method.

Whether or not the authentication service correlates user accounts in the 'User Repository' upon successful validation of provided credentials. SAML assertion based authentication at SPs should consider unchecking depending on the underlying scenario.

Whether or not the authentication service considers validity metadata for example, account lifetime or locking state.

Whether or not the authentication service invokes the server-global subject attribute finder plug-in for this authentication method. This plug-in allows you to look up supplementary information about an authenticated user that is not part of the user account against which authentication was performed and is used when information about a single user is distributed across various repositories.

A value to be imprinted as SAML authentication context class reference when issuing SAML assertions for subjects that have been authenticated with this method. If the value is undefined, a default mapping to SAML-defined values is used.

Whether or not to generate the authentication-method-specific domain name in the format: authentication_id@authentication_method_id.

The domain identifier used for the names retrieved by this authentication method during the domain name resolution.

The domain name format used for the names retrieved by this authentication method during domain name resolution. The format may contain placeholders: #1 (replaced by the authentication identifier), and #2 (replaced by the domain identifier).

Whether or not the authentication identifier is hashed before it is included into the domain name.

To what extent is the user correlation with an existing user record in user repository for this authentication method forced. This element has priority over the Do correlate user accounts element.

Reference to authentication method of the same type to share the credentials and credential-specific configuration with. If null, this method works with its own configuration and set of credentials for each user. For every authentication method the domain name configuration is being resolved which is then used during unique name resolution. Specifics for some methods are:

Indicates whether Just-in-Time (JIT) provisioning of user records to the application repository is enabled. If enabled, a user record is automatically created in the application repository after successful authentication if it does not already exist. If disabled, authentication will not trigger the creation of a new user record if one does not exist.

The type of specification supported by this authentication method. DirX Access supports "Web Authentication", "Windows Hello", "FIDO UAF" and "FIDO U2F" versions of FIDO-based specifications.

The type of attestation conveyance preferred by the DirX Access server. The property is relevant only for the Web Authentication specification.

The identifier of the DirX Access server used in the authentication protocol. This element has different semantics for each supported protocol version.

The number of random bytes used for the challenge generated by the server. This value should reflect the security considerations valid for given DirX Access deployment.

The number of seconds the server waits for the client’s response. This number must include the time period in which the user interacts with the device to authenticate itself.

The assurance level that must be retrieved by the user before the registration of new FIDO credentials.

Whether or not (unchecked) this authentication method can be used for registration of new FIDO credentials.

Whether or not (unchecked) this authentication method can be used for deregistration of registered FIDO credentials.

Whether or not (unchecked) this authentication method can be used for authentication with registered FIDO credentials.

The field declares what authenticator types are allowed to be used via the defined authentication method. If empty, any trusted authenticator type can be used. Otherwise, the evaluation algorithm is applied. The policies are evaluated during both registration and authentication operations. Setting up the 'Policy' attribute can be used to differentiate between different assurances levels for different authenticator types (for example, scanning an iris or using a fingerprint). This field is not applicable to the Windows Hello specification.

Whether the Application ID is used as is or enriched with the Facets suffix. The Application ID with imprinted trusted facets is {appId}/facets?authnMethodId={authentication method identifier} When imprint is disabled, you can configure multiple FIDO authentication methods to use the same Application ID. This field is not meaningful for Web Authentication specifications.

The parameter in the client’s response that identifies the authentication-requesting application (partially determined by the 'Application ID' attribute). The value of the received parameter is compared to the values configured in the 'Allowed origins' field. If a match is not found, it may be the result of a man-in-the-middle attack and the response is discarded. This list is published in the TrustedFacets structure via Authentication Application at {location}/facets?authnMethodId={authentication method identifier}

The identifier of the truststore used by an additional mechanism for establishing a trust to the used authenticator types. This mechanism can be used when an authenticator type has no metadata propagated via the public FIDO metadata service. The authenticator type is trusted (can be used for registration and authentication operations) if its attestation certificate is present in the referenced truststore. This field is not applicable to the Windows Hello specification.

The password of the truststore. This field is not applicable to the Windows Hello specification.

Sets the requireResidentKey in AuthenticatorSelectionCriteria. Whether or not the FIDO service requires to create and store credentials on your authenticator. This lets you sign in without having to type your username. A record of your visit to the FIDO service will be kept on your authenticator. This is depreciated in L2 specification and residentKey should be used instead.

Sets the residentKey flag in AuthenticatorSelectionCriteria. Specifies the extent to which the Relying Party desires to create a client-side discoverable credential. This attribute is relevant only for the Web Authentication specification. This parameter has priority over requireResidentKey, if configured the requireResidentKey flag will be derived from it.

Whether (preferred or required value) or not (discouraged value) the FIDO service requires user verification on an authenticator for the registration of new FIDO credentials. This attribute is relevant only for the Web Authentication specification.

Whether (preferred or required value) or not (discouraged value) the FIDO service requires user verification on an authenticator for the authentication with registered FIDO credentials. This attribute is relevant only for the Web Authentication specification.

The Authenticator attachment parameter is used during registration phase to influence the client-side behavior. This element has only effect in WebAuthn Registration method.