To configure WebAuthn for a web application, carry out these four steps:
Configure the OAuth certificate to enable secure communication between RSTS and One Identity Manager.
Configure the RSTS.
Configure the application server.
Configure the web application.
Communication between the RSTS (redistributable security token service) and One Identity Manager uses tokens that are signed with the private key of a certificate. This certificate must be valid and trusted because the RSTS also uses this certificate for client certificate registration on the application server. One Identity recommends that either you use a public key infrastructure (PKI) that already exists or a new certificate chain from the root certificate and the associated OAuth signing certificate.
To configure the OAuth signing certificate
Create a new, valid, and trusted, OAuth signing certificate.
Ensure the following:
The RSTS must have access to the OAuth signing certificate with a private key.
The application server from which, the RSTS requests the WebAuthn security keys, must trust the certificate chain of the OAuth signing certificate.
The web application that allows login by RSTS, must have access to the OAuth signing certificate with a private key.
The web application used to manage the WebAuthn security keys, must have access to the OAuth signing certificate with a private key.
NOTE: Before you can configure the RSTS, you must configure the OAuth signing certificate. For more information, see Step 1: Configuring an OAuth certificate.
To configure WebAuthn on the RSTS
Perform one of the following tasks:
If you are installing the RSTS: When you install the RSTS, select the previously created OAuth signing certificate so that the corresponding entry in the identity provider in One Identity Manager is set.
If RSTS already exists: Quit the relevant service, replace the file RSTS.exe with the current version and restart the RSTS.
You will find the current version of the RSTS.exe file on the installation medium in the Modules\QBM\dvd\AddOn\Redistributable STS directory.
In your web browser, call the URL of the RSTS administration interface: https://<Webanwendung>/RSTS/admin.
On the start page, click Applications.
On the Applications page, click Add Application.
On the Edit page, complete the data on the various tabs.
NOTE: The forwarding URLs (Redirect Url) on the General tab us the following formats:
For the API Server:
https://<server name>/<application server path>/html/<web application>/?Module=OAuthRoleBased
For the Web Portal:
https://<server name>/<web application>/
Switch to the Two Factor Authentication tab.
On the Two Factor Authentication tab, in the list in Required by pane, click:
All Users: All users must log in with two-factor authentication.
Specific Users/Groups: Specific users must log in using two-factor authentication. You can add these by clicking Add.
Note Required: The application server decided which users must log in using two-factor authentication.
In the navigation, click Home.
On the home page, click Authentication providers.
On the Authentication Providers page, edit the entry in the list.
On the Edit page, switch to the Two Factor Authentication tab.
In the Two Factor Authentication Settings pane, click FIDO2/WebAuthn.
Edit the following input fields:
Relying Party Name: Enter any name.
Domain Suffix: Enter the suffix of your Active Directory domain that hosts the RSTS.
API URL Format: Enter the application server's URL. The given URL must contain a place-holder in {0} format that supplies a unique identifier for the user.
The API URL Format is used by RSTS to call the list of WebAuthn security keys of a specified user. Enter the URL in the following format:
https://<server name>/<application server path>/appServer/WebAuthn/<identity provider>/Users/{0}
Server name – fully qualified host name of the web server hosting the application server
<Application server path> – path to the web application of the application server (default: AppServer)
<Identity provider> – name of the identity provider
TIP: You can find the name of the identity provider in the :
Basic data > Security settings > OAuth 2.0/OpenId Connect configuration
Example:
https://www.example.com/AppServer/appServer/webauthn/OneIdentity/Users/{0}
Click Finish.
The RSTS call the WebAuthn security key for Active Directory users over an interface. This information is sensitive and must not be called by unauthorized persons, therefore, access must secured through by client certificate login.
In order for this to work, certificates must be valid and client certificate login on IIS must be enabled.
The application server checks the certifcate's thumbprint the client used to login. Only if the thumbprint matches the stored thumbprint, is the information returned.
If the application server is also used as the backend for web applications, grant access rights to the application pool users for the OAuth signing certificate's private key.
To enable client certificate login on IIS
Start the Internet Information Services Manager.
Open the SSL Setting menu for the relevant application server.
In the Client certificates option, change the value to Accept.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 利用規約 プライバシー Cookie Preference Center
