I have a problem with my WebAuthn configuration, I guess.
I use a FIDO2 key, enrolled it, and successfully log in with it, but I still have a problem.
I'm using it on two services: OWA Exchange SE and session login on Win11.
In the first, privacyIDEA always asks the user for an OTP token that I didn't set, so I just press Enter when the field is empty and go on! But I really want to disable this for user experience and just keep the WebAuthn logon option.
From what I understand of what you want, there are probably two possible scenarios:
a) tell the ADFS plugin to start with WebAuthn/passkeys.
b) run a challenge-response, so that there is an initial communication with the privacyIDEA server in the background; it will realize what token type a user has and respond accordingly.
NOTE: this is not a step-by-step, fool-proof, tested guide but rather some hints!
Note: this also only works after an initial communication with the privacyIDEA server (as in challenge/response).
b) Use challenge-response anyway
The plugin has to send a password (AD password or empty password) to the privacyIDEA server.
See the privacyidea/adfs-provider repository on GitHub (Authentication provider for Microsoft AD FS to use with privacyIDEA).
You could achieve this by setting send_empty_pass, in which case the empty password actually has to start an authentication (note the otppin policy!), or by trigger_challenge.
The users' tokens also have to be suitable or configured for challenge-response.
You might want to understand more about challenge/response.
Outcome
Finally, the outcome will be that the user enters their username and password and is then asked to press the button on their FIDO key.
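An added illustration of scenario b) above, not code from this thread or from the privacyIDEA plugins: after the plugin sends the (empty) password to the server's /validate/check endpoint, it inspects the reply to decide whether to show the security-key prompt, the OTP field, or nothing at all. The sample replies are constructed and modelled on privacyIDEA's /validate/check JSON; the field names are an assumption to verify against your server's version.

```python
import json
from typing import Optional, Tuple

# Constructed sample replies, modelled on privacyIDEA's /validate/check JSON
# (assumption: field names follow the privacyIDEA API; verify against your server).
# 1) The empty password triggered a challenge for the user's WebAuthn token.
SAMPLE_WEBAUTHN_CHALLENGE = json.dumps({
    "result": {"status": True, "value": False},
    "detail": {
        "transaction_id": "CONSTRUCTED-TXN-0001",
        "multi_challenge": [{
            "type": "webauthn", "serial": "WAN00000001",
            "transaction_id": "CONSTRUCTED-TXN-0001",
            "message": "Please confirm with your WebAuthn token",
        }],
    },
})
# 2) Same flow, but the user's only token is an HOTP token: a challenge for an OTP.
SAMPLE_OTP_CHALLENGE = json.dumps({
    "result": {"status": True, "value": False},
    "detail": {
        "transaction_id": "CONSTRUCTED-TXN-0002",
        "multi_challenge": [{"type": "hotp", "serial": "OATH00000001",
                             "transaction_id": "CONSTRUCTED-TXN-0002",
                             "message": "please enter otp: "}],
    },
})
# 3) Authentication already succeeded (for example because of a passthru policy).
SAMPLE_SUCCESS = json.dumps({"result": {"status": True, "value": True}, "detail": {}})


def next_prompt(response_text: str) -> Tuple[str, Optional[str]]:
    """Return (prompt, transaction_id) for the plugin's next UI step.

    prompt is one of "done", "webauthn", "otp", "failed", "error"; the
    transaction_id must be sent back together with the assertion or the OTP.
    """
    data = json.loads(response_text)
    result = data.get("result", {})
    if not result.get("status"):
        return "error", None            # server-side error, not an authentication decision
    if result.get("value"):
        return "done", None             # already authenticated, nothing more to ask
    detail = data.get("detail", {})
    challenges = detail.get("multi_challenge", [])
    txn = detail.get("transaction_id")
    if any(c.get("type") == "webauthn" for c in challenges):
        return "webauthn", txn          # show the security-key prompt and skip the OTP field
    if challenges:
        return "otp", txn               # some other challenge-response token: ask for the OTP
    return "failed", None               # no challenge triggered and not authenticated
```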
I partially fixed the issue with two_step_send_empty_password set to 1. When I enter the wrong PIN on my FIDO key, it shows me the OTP field, even with two_step_send_empty_password set to 1.
BUT! I would like to know if an offline_two_step_send_empty_password could be possible? Because when I try offline, I get the OTP field.
I don't know if my issues could be fixed with just config, or if I need to modify the provider; for this I might ask @nilsbehlen.
At the beginning, when I logged in, I had this empty field (see the screenshot) asking me for a one-time code, my OTP, which I suppose I can define when I enroll the key. By leaving the field empty but pressing Enter, I could proceed and log in, but I would like to remove the need to press Enter to move to the next step.
While reading the documentation, I found the setting two_step_send_empty_password, which I set to 1, and that partially solved my problem.
Now this field asking for a one-time code appears in two cases:
Once I have entered an incorrect PIN for the FIDO key. After the error message, I end up on this field. I can work around it by clicking "use a security key" below, but I would really like this field to disappear completely.
And when I try to log in in offline mode, the CP asks me for the code. That’s why I was wondering if there is a registry key like offline_two_step_send_empty_password.
Hi, first of all, we just released version 3.8.0, which improves a lot of things regarding FIDO, so I advise you to use that if you can.
Then, if you want to use FIDO offline, you need the credential on the CP, by setting the token in the WebUI to offline and doing an authentication with it. Only then can you use it offline, and you will get prompted to use it when you are offline. You can also set webauthn_offline_preferred. However, there is no option to disable the OTP input completely and have the CP only accept FIDO.
Hello! Thank you for your reply.
For the offline connection, I actually managed to set it up, but yes, the problem is indeed this OTP field that is required.