Step 2: Configuring the RSTS
To configure WebAuthn on the RSTS
- Perform one of the following tasks:
  - If you are installing the RSTS: When you install the RSTS, select the previously created OAuth signing certificate so that the corresponding entry in the identity provider in One Identity Manager is set.
  - If the RSTS already exists: Stop the relevant service, replace the RSTS.exe file with the current version, and restart the RSTS. You will find the current version of the RSTS.exe file on the installation medium in the Modules\QBM\dvd\AddOn\Redistributable STS directory.
- In your web browser, call the URL of the RSTS administration interface: https://<web application>/RSTS/admin.
- On the start page, click Applications.
- On the Applications page, click Add Application.
- On the Edit page, complete the data on the various tabs.
  NOTE: The forwarding URLs (Redirect Url) on the General tab use the following formats:
 
- Switch to the Two Factor Authentication tab.
- On the Two Factor Authentication tab, in the list in the Required by pane, click one of the following:
  - All Users: All users must log in with two-factor authentication.
  - Specific Users/Groups: Specific users must log in using two-factor authentication. You can add these users by clicking Add.
  - Not Required: The application server decides which users must log in using two-factor authentication.
 
- In the navigation, click Home.
- On the home page, click Authentication Providers.
- On the Authentication Providers page, edit the entry in the list.
- On the Edit page, switch to the Two Factor Authentication tab.
- In the Two Factor Authentication Settings pane, click FIDO2/WebAuthn.
- Edit the following input fields:
  - Relying Party Name: Enter any name.
  - Domain Suffix: Enter the suffix of the Active Directory domain that hosts the RSTS.
  - API URL Format: Enter the application server's URL. The URL must contain a placeholder in the {0} format that supplies a unique identifier for the user. The RSTS uses the API URL Format to call the list of WebAuthn security keys of a specified user. Enter the URL in the following format: https://<server name>/<application server path>/appServer/WebAuthn/<identity provider>/Users/{0}
    - <Server name>: fully qualified host name of the web server hosting the application server
    - <Application server path>: path to the web application of the application server (default: AppServer)
    - <Identity provider>: name of the identity provider
    TIP: You can find the name of the identity provider under Base data | Security settings | OAuth 2.0/OpenId Connect configuration.

    Example: https://www.example.com/AppServer/appServer/webauthn/OneIdentity/Users/{0}

- Click Finish.
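The API URL Format above is a template in which the RSTS replaces {0} with the user's unique identifier before it calls the application server. The following added example (not One Identity code) shows a validator for such a setting and the substitution step. The two requirements it enforces from the text are that the URL is https and carries a {0} placeholder; the further checks (exactly one placeholder, placeholder confined to the path, identifier percent-encoded before substitution) are this example's own hardening assumptions, not documented RSTS behaviour.

```python
"""Validate an "API URL Format" setting and build the per-user URL.

Added example, not One Identity code. The requirements taken from the
documented step: https scheme and a {0} placeholder for the user id. The
remaining checks are this example's own assumptions about safe handling.
"""
from urllib.parse import urlsplit, quote

PLACEHOLDER = "{0}"


def validate_api_url_format(fmt: str) -> list:
    """Return a list of problems; an empty list means the format is acceptable."""
    problems = []
    parts = urlsplit(fmt)
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("host name is missing")
    if fmt.count(PLACEHOLDER) != 1:
        problems.append("exactly one {0} placeholder is required")
    elif PLACEHOLDER not in parts.path:
        # A placeholder in the host, query or fragment would let the user id
        # pick the server or change the query instead of selecting a resource.
        problems.append("{0} must be part of the URL path")
    if parts.query or parts.fragment:
        problems.append("query string and fragment are not expected")
    return problems


def build_user_keys_url(fmt: str, user_id: str) -> str:
    """Substitute the user identifier into a validated format.

    The identifier is percent-encoded with no safe characters, so a value
    such as 'a/../b' stays inside the Users/ path segment.
    """
    problems = validate_api_url_format(fmt)
    if problems:
        raise ValueError("; ".join(problems))
    return fmt.replace(PLACEHOLDER, quote(user_id, safe=""))


if __name__ == "__main__":
    # The format value is the example from the documented step.
    fmt = "https://www.example.com/AppServer/appServer/webauthn/OneIdentity/Users/{0}"
    print(build_user_keys_url(fmt, "jdoe@example.com"))
```

Run it as a script to see the URL built for a sample identifier; the function raises if the configured format is not https or lacks the placeholder, which is the failure an administrator would otherwise only notice when the RSTS cannot fetch any security keys.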
 
Step 3: Configuring the application server
The RSTS calls the WebAuthn security keys of Active Directory users over an interface. This information is sensitive and must not be retrievable by unauthorized persons; therefore, access must be secured by client certificate login.
In order for this to work, the certificates must be valid and client certificate login must be enabled on IIS.
The application server checks the thumbprint of the certificate the client used to log in. The information is returned only if the thumbprint matches the stored thumbprint.
If the application server is also used as the backend for web applications, grant the application pool users access rights to the OAuth signing certificate's private key.
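The thumbprint comparison described above is the whole access decision for this interface, so it is worth seeing what it consists of. The following is an added example (not One Identity code) of such a check: a certificate thumbprint is the SHA-1 hash of the certificate's DER encoding, which is what Windows and IIS display, so the check hashes the presented DER bytes and compares the result with the stored value in constant time. The DER bytes used here are constructed placeholder data, not a real certificate, and the normalization of pasted thumbprints (spaces, colons, case, the invisible left-to-right mark the Windows certificate dialog can prepend on copy) is this example's own choice.

```python
"""Client certificate thumbprint check, as an added example (not One Identity code).

Windows shows a certificate thumbprint as the SHA-1 digest of its DER bytes.
A server that pins a client certificate compares that digest with the value
an administrator stored. The DER bytes below are constructed sample data.
"""
import hashlib
import hmac


def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 over DER, upper-case hex: the Windows certificate thumbprint format."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Accept the spellings administrators paste: spaces, colons, lower case,
    and the invisible left-to-right mark (U+200E) that the Windows certificate
    dialog can prepend when the thumbprint is copied from it."""
    cleaned = value.replace("\u200e", "").replace(":", "").replace(" ", "")
    cleaned = cleaned.strip().upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("stored thumbprint is not a 40-digit hex SHA-1 value")
    return cleaned


def client_certificate_allowed(der_bytes: bytes, stored_thumbprint: str) -> bool:
    """True only when the presented certificate's thumbprint equals the stored one.

    hmac.compare_digest keeps the comparison constant-time, so response timing
    does not reveal how many leading digits of a guessed value matched.
    """
    expected = normalize_thumbprint(stored_thumbprint)
    return hmac.compare_digest(thumbprint(der_bytes), expected)


# Constructed sample standing in for the DER bytes IIS passes for the client
# certificate; it is not a real certificate.
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x0a-constructed-sample-not-a-real-certificate"
SAMPLE_STORED_THUMBPRINT = thumbprint(SAMPLE_CLIENT_CERT_DER)

if __name__ == "__main__":
    print("matching certificate:", client_certificate_allowed(SAMPLE_CLIENT_CERT_DER, SAMPLE_STORED_THUMBPRINT))
    print("other certificate:   ", client_certificate_allowed(b"other", SAMPLE_STORED_THUMBPRINT))
```

Two practical points follow from the code: the stored thumbprint must be the client certificate's own thumbprint, not that of its issuing CA, and a thumbprint that fails normalization (wrong length, stray characters) should be treated as a configuration error rather than silently denying every caller.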
To enable client certificate login on IIS
- Start the Internet Information Services Manager.
- Open the SSL Settings menu for the relevant application server.
- In the Client certificates option, change the value to Accept.
Step 4: Configuring the web application
NOTE: The web application to be used with WebAuthn must use the HTTPS secure communication protocol (see Using HTTPS).
 
To configure WebAuthn in web applications
- Start the Web Designer.
- Click View | Start page on the menu bar.
- In the toolbar, click Select web application and select the web application you want to use.
- Click Edit web application settings.
  - In the Edit web application settings dialog, in the Authentication module menu, click OAuth 2.0/OpenID Connect.
  - In the OAuth pane, in the OAuth 2.0/OpenID Connect configuration menu, click the appropriate identity provider.
  - Click OK.
- Click Edit | Configure project | Web project on the menu bar.
- Configure the following configuration keys:
  - VI_Common_RequiresAccessControl: Set this parameter to enable two-factor authentication.
  - VI_Common_AccessControl_WebAuthn_2FA: Specify whether you want to enable WebAuthn two-factor authentication for the web application. You can configure WebAuthn two-factor authentication and security key management separately. If, for example, you want to enable only the management of security keys but not two-factor authentication with security keys in the web application, do not set this configuration key; instead, set the VI_Common_AccessControl_WebAuthn_2FA_VisibleControls configuration key described below.
  - VI_Common_AccessControl_WebAuthn_2FA_VisibleControls: Specify whether users can manage security keys in the web application.
  - VI_Employee_QERWebAuthnKey_Filter: Specify which employees can manage security keys in the web application. If you do not enter anything here, all web application users can manage security keys (assuming the VI_Common_AccessControl_WebAuthn_2FA_VisibleControls configuration key is set).
  - VI_Common_AccessControl_WebAuthn_2FAID: Enter the unique identifier of the secondary authentication provider for WebAuthn two-factor authentication. You will find this identifier in your RSTS configuration:
    - In your web browser, call the URL of the RSTS administration interface: https://<web application>/RSTS/admin.
    - On the main page, click Authentication Providers.
    - On the Authentication Providers page, click the appropriate entry.
    - On the Edit page, switch to the Two Factor Authentication tab.
    - Take the ID from the Provider ID field.
 
 
Starling Two-Factor Authentication
Multi-factor authentication improves the security of logging in to web applications. One Identity Manager tools use Starling Two-Factor Authentication for multi-factor authentication.
The following prerequisites must be fulfilled to use Starling Two-Factor Authentication:
- Users must have a registered Starling 2FA token.
- An employee-related authentication module is used, for example "Person (role-based)".
Starling Two-Factor Authentication takes place after the initial database login and is independent of it. At the web application level, every access attempt is blocked until Starling Two-Factor Authentication has been completed.