You can add a list of facets for the FIDO U2F tokens to work on multiple sub-domains of a single domain.
Previously, the U2F standards allowed authentication only on the domain name where the enrollment was performed. However, with the FIDO U2F standards update, the FIDO Alliance introduced facets, which allow users to authenticate on sub-domains where the enrollment was not performed.
For example, if a user enrolls a token on the primary domain https://yourdomain.com and wants to authenticate on the sub-domain https://app.yourdomain.com, you as an administrator can enable this by adding https://app.yourdomain.com as a facet of the primary domain https://yourdomain.com.
WARNING: Even if you are not using facets, ensure that you configure the Facets primary server URL suffix so that users can authenticate with the FIDO U2F method. If the Facets primary server URL suffix is not configured, the user is prompted with the error The visited URL doesn't match the application ID or it is not in use while authenticating with FIDO U2F.
To add facets, perform the following steps:
Expand Facets settings.
Click Add and specify the facet in Facets.
For example, you can specify https://app.yourdomain.com.
You can add more than one facet.
Specify the main URL in App ID. This ID is used to identify applications.
For example, https://yourdomain.com.
A single facet can be configured using the App ID alone. When multiple facets are used, they are associated with the AppID. If the AppID is left empty, the first listed facet is used as the default AppID.
In the above example, when a user attempts to log in to https://app.yourdomain.com with a U2F token enrolled on https://yourdomain.com, the browser sends a plain GET request to https://<URL>/<tenant-ID>/app-id.json and waits for the list of allowed facets (sub-domains). If the list is returned, the browser allows the user to use the token on the URLs specified in the Facets list.
To support legacy usage in Chrome or Advanced Authentication (AA) native clients, the AppID must itself be listed in Facets when multiple facets are in use.
Click Save.
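The following added example (not code from the product or its documentation) shows what the app-id.json document served at the AppID URL looks like and how a U2F client decides whether a visited origin is an allowed facet. The trusted-facet document format follows the FIDO AppID and Facet Specification; the sample document, the function names, and the registrable-domain check (a simplification of the Public Suffix List rule real clients apply) are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the app-id.json that the AppID URL must return.
# Both the AppID and the sub-domain facet are listed, as the legacy-client
# note above requires when multiple facets are in use.
APP_ID_JSON = json.dumps({
    "trustedFacets": [{
        "version": {"major": 1, "minor": 0},
        "ids": ["https://yourdomain.com", "https://app.yourdomain.com"],
    }]
})


def registrable_domain(host):
    # Simplification: take the last two labels. Real clients consult the
    # Public Suffix List to find the registrable domain (eTLD+1).
    return ".".join(host.lower().split(".")[-2:])


def resolve_app_id(app_id, facets):
    # Rule from the steps above: an empty AppID defaults to the first listed facet.
    return app_id or facets[0]


def trusted_facets(app_id, app_id_json):
    # Parse the facet list and drop entries a client must ignore:
    # unknown list versions, non-https facets, and facets outside the
    # AppID's registrable domain.
    doc = json.loads(app_id_json)
    app_domain = registrable_domain(urlsplit(app_id).hostname or "")
    allowed = []
    for entry in doc.get("trustedFacets", []):
        if entry.get("version") != {"major": 1, "minor": 0}:
            continue
        for facet in entry.get("ids", []):
            parts = urlsplit(facet)
            if parts.scheme != "https":
                continue
            if registrable_domain(parts.hostname or "") != app_domain:
                continue
            allowed.append(facet)
    return allowed


def facet_allowed(origin, app_id, app_id_json):
    # The check behind "The visited URL doesn't match the application ID":
    # the visited origin must be the AppID itself or one of its trusted facets.
    return origin == app_id or origin in trusted_facets(app_id, app_id_json)
```

An empty or missing facet list, a facet served over plain http, or a facet on an unrelated domain all leave the user on the error path described in the WARNING and NOTE.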
NOTE: Facets are supported only in Google Chrome. Sub-domain support in Chrome is not stable, so you might get the error message The visited URL doesn't match the application ID or it is not in use during enrollment and authentication.