WebAuthn + SimpleSAMLphp + PrivacyIDEA

Hi!
Continuing the work… Now looking to make WebAuthn work with the above combination. It seems like SSP and the privacyidea module do not realize that the user has a WebAuthn token, but still expect Password + OTP to be typed in the box.
SSP PrivacyIDEA config (in saml20-sp-remote.php):
    'authproc' => [
        05 => array(
            'class' => 'privacyidea:serverconfig',
            'privacyideaserver' => 'https://2f.skola.engelholm.se',
            'realm' => 'angport',
            'uidKey' => 'cn',
            'sslverifyhost' => false,
            'sslverifypeer' => false,
            'doTriggerChallenge' => true,
            'enabledPath' => '',
            'enabledKey' => '',
            'tryFirstAuthentication' => true,
            'tryFirstAuthPass' => 'simpleSAMLphp',
        ),
        06 => array(
            'class' => 'privacyidea:privacyidea',
        ),
    ]

In the SSP log there is a lot of these:
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] SimpleSAML\Error\Exception: Error 2 - count(): Parameter must be an array or an object that implements Countable at /var/simplesamlphp/modules/privacyidea/www/otpform.php:83
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] Backtrace:
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 3 /var/simplesamlphp/www/_include.php:44 (SimpleSAML_error_handler)
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 2 /var/simplesamlphp/modules/privacyidea/www/otpform.php:83 (require)
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 1 /var/simplesamlphp/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
Sep 23 16:16:39 simplesamlphp ERROR [959029610c] 0 /var/simplesamlphp/www/module.php:10 (N/A)

And some variations like:
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] SimpleSAML\Error\Exception: Error 2 - count(): Parameter must be an array or an object that implements Countable at /var/simplesamlphp/modules/privacyidea/lib/Auth/utils.php:119
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] Backtrace:
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 7 /var/simplesamlphp/www/_include.php:44 (SimpleSAML_error_handler)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 6 /var/simplesamlphp/modules/privacyidea/lib/Auth/utils.php:119 (sspmod_privacyidea_Auth_utils::checkTokenType)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 5 /var/simplesamlphp/modules/privacyidea/lib/Auth/Process/privacyidea.php:126 (sspmod_privacyidea_Auth_Process_privacyidea::process)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 4 /var/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:210 (SimpleSAML\Auth\ProcessingChain::processState)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 3 /var/simplesamlphp/lib/SimpleSAML/IdP.php:335 (SimpleSAML\IdP::postAuth)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 2 /var/simplesamlphp/lib/SimpleSAML/IdP.php:420 (SimpleSAML\IdP::handleAuthenticationRequest)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 1 /var/simplesamlphp/modules/saml/lib/IdP/SAML2.php:492 (SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest)
Sep 23 16:16:00 simplesamlphp ERROR [959029610c] 0 /var/simplesamlphp/www/saml2/idp/SSOService.php:21 (N/A)

I do not completely understand what needs to be configured in the PrivacyIDEA server to make WebAuthn tokens work. I am trying mostly with a Yubikey, but also with the fingerprint sensor in my Mac. Tokens are enrolled, but I can't really figure out how to test them.
Very thankful if someone could point me in the right direction!
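One way to check, outside SSP, what privacyIDEA actually triggers for an enrolled user is to call its /validate/triggerchallenge endpoint and look at the challenge types in the reply. The script below is an added example, not code from this thread or from the privacyIDEA project; it assumes the response shape detail.multi_challenge with per-challenge type and serial fields, and the sample response is constructed rather than captured from the poster's server.

```python
"""Classify the challenges privacyIDEA returns for a user so you can see whether
a WebAuthn token was triggered (which a plain password+OTP form cannot answer).
Assumption: the reply carries detail.multi_challenge as in the privacyIDEA API;
the sample below is constructed, not a real capture."""
import json
from typing import Dict, List

# Constructed sample: one WebAuthn token and one HOTP token triggered together.
SAMPLE_RESPONSE = json.dumps({
    "result": {"status": True, "value": False},
    "detail": {
        "transaction_id": "01234567890123456789",
        "multi_challenge": [
            {"serial": "WAN0001", "type": "webauthn",
             "message": "Please confirm with your WebAuthn token",
             "attributes": {"webAuthnSignRequest": {"challenge": "..."}}},
            {"serial": "OATH0001", "type": "hotp",
             "message": "please enter otp: "},
        ],
    },
})


def challenges_by_type(response_json: str) -> Dict[str, List[str]]:
    """Map token type -> serials that were triggered.
    A missing or non-list multi_challenge is treated as empty rather than
    counted blindly, which is the count()-on-non-array failure seen in the log."""
    data = json.loads(response_json)
    detail = data.get("detail") or {}
    challenges = detail.get("multi_challenge")
    if not isinstance(challenges, list):
        challenges = []
    out: Dict[str, List[str]] = {}
    for ch in challenges:
        token_type = str(ch.get("type", "unknown"))
        out.setdefault(token_type, []).append(str(ch.get("serial", "?")))
    return out


def needs_webauthn_flow(response_json: str) -> bool:
    """True when the IdP would have to run the browser WebAuthn ceremony."""
    return "webauthn" in challenges_by_type(response_json)


if __name__ == "__main__":
    print(challenges_by_type(SAMPLE_RESPONSE))
    print("needs WebAuthn:", needs_webauthn_flow(SAMPLE_RESPONSE))
```

Feed it the JSON body of a real triggerchallenge call for the user in question; if "webauthn" is the only type listed, the user has no token the current SSP plugin form can satisfy.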

Hi,
if you are trying to use a WebAuthn token with the simpleSAMLphp plugin, it won't work, because the functionality for WebAuthn is not implemented in the plugin yet.

Ahhh, that explains it… I thought that it was a beautiful solution, separating the IdP and the MFA administration service and thus letting the users choose whatever token type and authenticator they prefer. But that really requires the setup to handle WebAuthn as well. How about U2F, will that work with the SSP plugin? Is WebAuthn support for the plugin planned?

Kind regards
Bengt

U2F should work - at least it worked before :wink:

WebAuthn will most probably be added to SSP one day, but there is no timeline yet.

Thanks! I’ll look into that!

Kind regards
Bengt