3.4 FIDO U2F Method Support Configuration

  1. Create a new authentication class with the following parameters:

    1. Display name: U2F Class

    2. Java class: Other

    3. Java class path: com.authasas.aucore.nam.method.fidou2f.FidoU2FClass

  2. Create a new authentication method for the class:

    1. Display Name: U2F Method

    2. Class: U2F Class

    3. Keep the Overwrite Temporary User and Overwrite Real User check boxes cleared.

    4. Add the used user store to User Stores.

  3. Add applicable Optional Properties (KEY/Value).

  4. Create a new authentication contract for the method in the Configuration tab:

    1. Display name: U2F Contract

    2. URI: u2fandldap/uri

    3. Configure Methods. Select one of the following options:

      • Add only U2F Method from the Available Methods list. In this case, the Identifies User check box must be selected. U2F Method prompts for the LDAP password. After the user enters it, the user is asked to insert the token and press its button.

      • Add any standard method from the Available Methods list as the first one and U2F Method as the second one. In this case, the Identifies User check box must be cleared for U2F Method.

    4. Keep the Satisfiable by External Provider check box cleared.

  5. Specify applicable values for the new authentication card in the Authentication Card tab:

    1. ID: U2F_ID

    2. Text: NetIQ FIDO U2F Authentication

    3. Image: <Select Local Image>, then select NAM_U2F.png from the icons folder of the NAM plug-in distribution kit.

  6. Update both the IDP and the MAG.

  7. Update the NAM Server configuration.

IMPORTANT: FIDO U2F is available starting from NAM AA plug-in v2.0.76.

If the U2F contract is configured to use only the U2F method, you must configure both the Password & U2F (two-factor) and U2F (one-factor) chains in the Chains section (the two-factor chain must be higher than the corresponding one-factor chain) and enable them in the NAM event of the Advanced Authentication Administrative Portal. If the U2F contract is configured to use a combination of a standard method and the U2F method, you must configure and enable only the U2F (one-factor) chain.

The following standard methods are supported by the NAM plug-in:

  • Name/Password - Form

  • Name/Password - Basic

  • Secure Name/Password - Form

  • Secure Name/Password - Basic

By default, FIDO U2F works only in Google Chrome. To use it in other browsers, you must install the FIDO U2F Service.

FIDO U2F requires a web service that places Advanced Authentication Access Manager and the enroll site in one domain. For more information, see Configuring a Web Server in order to use the FIDO U2F authentication in Advanced Authentication Access Manager in the Server Administrator Guide.