9.29.2 Configuring Facets

You can add a list of facets for the FIDO U2F tokens to work on multiple sub-domains of a single domain.

Previously, the U2F RFC standards allowed authentication only on the domain name on which the enrollment was done. But with the FIDO U2F standards update , the FIDO alliance introduces facets that allows users to authenticate even on domains on which the enrollment is not done.

For example, if a user enrolls a token on https://some.domain and wants to get authenticated on https://app.some.domain, you as an administrator can do this by adding https://app.some.domain as a facet of the primary domain https://some.domain.

WARNING:Even if you are not using the facets, ensure to configure the Facets primary server URL suffix to enable the users to authenticate with the FIDO U2F method. If the Facets primary server URL suffix is not configured then while authenticating with FIDO U2F, the user is prompted with a message The visited URL doesn't match the application ID or it is not in use.

To add facets, perform the following steps:

  1. Expand Facets settings.

  2. Specify the suffix of the primary facet in Facets primary server URL suffix. For example, you can specify some.domain.

    NOTE:In Facets primary server URL suffix, if you specify any value with https:// then user cannot enroll the U2F method.

  3. Click Add to add prefixes for the facets.

  4. Specify the prefix of the facet in Facets prefixes. For example, app.

    From the above example, if a user logs in to https://app.some.domain with the U2F token enrolled on https://some.domain. the browser sends a plain GET request to the https://URL/<tenant-ID/app-id.json URL and waits for the list of allowed facets (sub-domains). If the list is returned, browser allows the user to use token on the URLs specified in the Facets prefixes list.

  5. Click Save.

NOTE:The facets are supported only on the Google Chrome. The support for sub-domains is not stabilized in Chrome, so you might get an error message The visited URL doesn't match the application ID or it is not in use during enrollment and authentication.