9.28 FIDO U2F

With the FIDO U2F authentication method, users can authenticate with the touch of a finger on the U2F device.

Advanced Authentication supports the Microsoft policy Interactive logon: Smart card removal behavior, which allows you to specify an action to take when the U2F device is removed. You can configure the policy to force a log off or lock the session when a user removes the U2F device from a computer. This policy is supported for Windows only. When the user removes the U2F device from the computer, the Windows Client runs the action that is specified in the Interactive logon: Smart card removal behavior policy.

IMPORTANT: To use the FIDO U2F authentication for Access Manager in the OAuth 2.0 event, you must configure an external web service so that enrollment and authentication are performed for one domain name. For more information, see Configuring a Web Server to Use the FIDO U2F Authentication.

A YubiKey token may flash with a delay when it is initialized in a combination mode, for example, when the token is used for both the OTP and U2F methods. Users then have to wait for the token to flash before enrollment or authentication. Therefore, it is recommended to initialize the tokens in the U2F mode only, if the other modes are not needed.

NOTE: Ensure that you set a valid domain name, rather than an IP address, for your Advanced Authentication server, and that the domain name is hosted appropriately, before users authenticate to any event or device using the U2F method.

You can configure the following settings for this method:

9.28.1 Configuring the Certificate Settings

You can configure certificate settings for the FIDO U2F authentication method. By default, Advanced Authentication does not require the attestation certificate for authentication by the FIDO U2F compliant token. Ensure that you have a valid attestation certificate added for your FIDO U2F compliant token, when you configure this method. The Yubico and Feitian attestation certificates are pre-configured in the Advanced Authentication appliance.

To validate the attestation certificate for the FIDO U2F authentication, perform the following steps:

  1. Set Require attestation certificate to ON to enable validation of attestation certificate.

  2. Select the attestation certificate:

    1. To use a default certificate, click Add Default.

    2. To use a custom certificate instead of predefined device manufacturer certificate, perform the following steps:

      1. Click next to the default attestation certificate to remove the certificate.

      2. Click Add to add a custom certificate.

      3. Click Browse then select the custom certificate and click Upload.

        The certificate must be in the PEM format.

    To restore the deleted attestation certificate, click Add Default.
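The custom certificate upload above accepts only PEM. The following added example, which is not part of the product or this documentation, checks an attestation certificate file offline before it is uploaded: it verifies the PEM armour, base64-decodes the body, and confirms that the decoded bytes form a single DER SEQUENCE whose declared length matches the data (a certificate is a DER SEQUENCE). The sample inputs are constructed and are not real certificates; a real attestation certificate would additionally be checked against the token vendor's published chain.

```python
import base64
import binascii
import re
from typing import List, Optional

# One PEM certificate block: header, base64 body (may be line-wrapped), footer.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?P<body>[A-Za-z0-9+/=\r\n]+)-----END CERTIFICATE-----"
)


def _der_sequence_length(der: bytes) -> Optional[int]:
    """Return the total length declared by a DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                             # short form: length fits in one byte
        return 2 + first
    num_len_bytes = first & 0x7F                 # long form: next N bytes hold the length
    if num_len_bytes == 0 or num_len_bytes > 4 or len(der) < 2 + num_len_bytes:
        return None
    length = int.from_bytes(der[2:2 + num_len_bytes], "big")
    return 2 + num_len_bytes + length


def check_pem_certificates(text: str) -> List[str]:
    """Return a list of problems; an empty list means the text looks like PEM certificate(s)."""
    problems: List[str] = []
    bodies = PEM_BLOCK_RE.findall(text)
    if not bodies:
        return ["no '-----BEGIN CERTIFICATE-----' block found (raw DER or wrong PEM label?)"]
    for index, body in enumerate(bodies):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {index}: body is not valid base64")
            continue
        declared = _der_sequence_length(der)
        if declared is None:
            problems.append(f"block {index}: decoded bytes do not start with a DER SEQUENCE")
        elif declared != len(der):
            problems.append(
                f"block {index}: DER length {declared} does not match {len(der)} decoded bytes"
            )
    return problems


def _wrap64(s: str) -> str:
    return "\n".join(s[i:i + 64] for i in range(0, len(s), 64))


# Constructed samples (NOT real certificates): a DER SEQUENCE header that declares
# 256 content bytes, followed by 256 zero bytes, wrapped in PEM armour.
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + _wrap64(_FAKE_B64) + "\n-----END CERTIFICATE-----\n"
# Same block with the last base64 group cut off: the declared DER length no longer matches.
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\n" + _wrap64(_FAKE_B64[:-4]) + "\n-----END CERTIFICATE-----\n"
# Base64 without the PEM header and footer, as produced by some export tools.
SAMPLE_NO_ARMOUR = _FAKE_B64

if __name__ == "__main__":
    for name, sample in (("well-formed", SAMPLE_PEM), ("truncated", SAMPLE_TRUNCATED),
                         ("no armour", SAMPLE_NO_ARMOUR)):
        print(name, "->", check_pem_certificates(sample) or "OK")
```

Run the script on a file's contents before uploading it; an empty result list means the framing is sound, while any message points at the exact block that the appliance would reject.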

9.28.2 Configuring Facets

You can add a list of facets for the FIDO U2F tokens to work on multiple sub-domains of a single domain.

Previously, the U2F standard allowed authentication only on the domain name on which the enrollment was done. With the FIDO U2F standards update, the FIDO Alliance introduced facets, which allow users to authenticate on domains other than the one on which the enrollment was done.

For example, if a user enrolls a token on https://some.domain and wants to get authenticated on https://app.some.domain, you as an administrator can do this by adding https://app.some.domain as a facet of the primary domain https://some.domain.

WARNING: Even if you are not using facets, ensure that you configure the Facets primary server URL suffix so that users can authenticate with the FIDO U2F method. If the Facets primary server URL suffix is not configured, then while authenticating with FIDO U2F the user is prompted with the message The visited URL doesn't match the application ID or it is not in use.

To add facets, perform the following steps:

  1. Expand Facets settings.

  2. Specify the suffix of the primary facet in Facets primary server URL suffix. For example, you can specify some.domain.

    NOTE: In Facets primary server URL suffix, if you specify a value that includes https://, users cannot enroll the U2F method.

  3. Click Add to add prefixes for the facets.

  4. Specify the prefix of the facet in Facets prefixes. For example, app.

    From the above example, if a user logs in to https://app.some.domain with the U2F token enrolled on https://some.domain, the browser sends a plain GET request to the https://URL/<tenant-ID>/app-id.json URL and waits for the list of allowed facets (sub-domains). If the list is returned, the browser allows the user to use the token on the URLs specified in the Facets prefixes list.

  5. Click Save.

NOTE: Facets are supported only in Google Chrome. Sub-domain support is not stable in Chrome, so you might get the error message The visited URL doesn't match the application ID or it is not in use during enrollment and authentication.
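The facet list that the browser fetches from app-id.json is a FIDO AppID and Facet Specification document: a "trustedFacets" array whose entries carry a version and a list of facet IDs (origins). The following added example, which is not product code and not from this documentation, builds such a document from a primary suffix and a list of prefixes, as configured above, and then applies the checks a client performs on a browser origin: https only, listed in the document, and the primary host or one of its sub-domains. It also rejects a primary suffix that contains https://, the misconfiguration noted in step 2. The function names, the sample suffix some.domain and prefix app are taken from the example above; the endpoint path and tenant ID are not modelled.

```python
import json
from typing import Dict, List
from urllib.parse import urlsplit


def build_trusted_facets(primary_suffix: str, prefixes: List[str]) -> Dict:
    """Build the document served at the AppID URL (app-id.json).

    The primary suffix must be a bare host name such as "some.domain"; a value
    with a scheme or a path is rejected, mirroring the note that https:// in the
    suffix breaks enrollment. Each prefix becomes an https origin of a sub-domain.
    """
    suffix = primary_suffix.strip().lower().rstrip(".")
    if "://" in suffix or "/" in suffix or not suffix:
        raise ValueError("primary suffix must be a bare host name such as some.domain")
    ids = [f"https://{suffix}"]
    for prefix in prefixes:
        label = prefix.strip().lower().rstrip(".")
        if label:
            ids.append(f"https://{label}.{suffix}")
    return {"trustedFacets": [{"version": {"major": 1, "minor": 0}, "ids": ids}]}


def _normalized_origin(origin: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping path, query and a default 443 port."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port and parts.port != 443 else ""
    return f"{parts.scheme.lower()}://{host}{port}"


def facet_allowed(document: Dict, origin: str, primary_suffix: str) -> bool:
    """Decide whether a browser origin may use a token enrolled for the primary AppID.

    The origin must be https, must appear in the trusted facet list, and must be
    the primary host or a sub-domain of it (so app.some.domain.evil.example, which
    merely starts with the suffix, is refused). The real specification additionally
    limits facets to the same registered domain as the AppID; that rule is assumed
    to be satisfied by construction here and is not re-checked.
    """
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    suffix = primary_suffix.lower()
    if parts.scheme.lower() != "https" or not host:
        return False
    if host != suffix and not host.endswith("." + suffix):
        return False
    listed = {_normalized_origin(i) for entry in document["trustedFacets"] for i in entry["ids"]}
    return _normalized_origin(origin) in listed


# Constructed configuration, matching the example in the text.
PRIMARY_SUFFIX = "some.domain"
FACET_PREFIXES = ["app"]
APP_ID_DOCUMENT = build_trusted_facets(PRIMARY_SUFFIX, FACET_PREFIXES)

if __name__ == "__main__":
    print(json.dumps(APP_ID_DOCUMENT, indent=2))
    for origin in ("https://some.domain", "https://app.some.domain/login",
                   "https://other.some.domain", "http://app.some.domain",
                   "https://app.some.domain.evil.example"):
        print(f"{origin:45} allowed={facet_allowed(APP_ID_DOCUMENT, origin, PRIMARY_SUFFIX)}")
```

The document printed by the script is what the browser expects to receive from the app-id.json request described in step 4; serving it over plain http, or listing an origin that is not a sub-domain of the primary suffix, results in the same application-ID mismatch error as leaving the suffix unconfigured.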

9.28.3 Configuring Yubikey for Advanced Authentication Server

  1. Download and install the Yubikey Personalization Tool from Yubico.

    To download the Yubikey Personalization Tool, see the Yubico website.

  2. Insert the Yubikey token.

    Ensure that the token is recognized. The recognition is indicated by a message Yubikey is inserted at the top-right corner of the Personalization tool.

  3. Select Yubico OTP mode.

  4. Select Configuration Slot 1, and generate the Public Identity, Private Identity, and Secret Key.

  5. Click Write Configuration and specify the configurations.

  6. Open the Advanced Authentication Self-Service portal and select U2F method.

  7. Click Save to complete the enrollment.

9.28.4 Configuring a Web Server to Use the FIDO U2F Authentication

This section is applicable for Debian 8 Jessie. The procedure may differ for other distributions.

This section explains how to configure a web server to use the FIDO U2F authentication in NetIQ Access Manager for the OAuth 2.0 event.

According to the FIDO U2F specification, both enrollment and authentication must be performed for one domain name. As the NetIQ Access Manager and the Advanced Authentication appliance are located on different servers, you must configure a web server that performs the following actions:

  • Port forwarding to Advanced Authentication appliance for the FIDO U2F method enrollment

  • Port forwarding to NetIQ Access Manager for further authentication using FIDO U2F tokens

Perform the following actions to configure a web server to use the FIDO U2F authentication.

Installing Nginx Web Server

You must install the Nginx web server for URL forwarding. To install Nginx, add the following two lines to the /etc/apt/sources.list file:

deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all

Preparing SSL Certificate

Run the following commands:

mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/proxy.key -out /etc/nginx/ssl/proxy.crt

Preparing Nginx Proxy Configuration

Add the following to the /etc/nginx/sites-available/proxy file:

server {
    listen 443 ssl;
    error_log /var/log/nginx/proxy.error.log info;
    server_name nam.company.local;
    ssl_certificate /etc/nginx/ssl/proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    location ~ ^/account {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass https://<appliance_IP>$uri?$args;
    }

    location ~ ^/static {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass https://<appliance_IP>$uri?$args;
    }

    location ~ ^/admin {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass https://<appliance_IP>$uri?$args;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_read_timeout 300;
        proxy_pass https://<NAM_IP>;
    }
}

Create a symbolic link and reload the nginx service by running the following commands:

ln -s /etc/nginx/sites-available/proxy /etc/nginx/sites-enabled/proxy
service nginx reload

Adding DNS Entries

Ensure that the NetIQ Access Manager name in DNS resolves to the IP address of the web server.

Enrolling FIDO U2F

To enroll U2F, open the link https://<NAM_FQDN>/account. The Self-Service portal of the Advanced Authentication appliance is displayed.

Enroll the U2F method in the Self-Service portal. For information about enrolling, see Enrolling the Authentication Methods.