Updated on 2024-12-30 GMT+08:00

Built-in Authentication Providers

Introduction

This section describes how to use the FIDO2 authentication providers (such as facial or fingerprint authentication) to log in to the applications integrated into OneAccess. You can configure the FIDO2 authentication providers on OneAccess and enable the FIDO2 login mode for each application. In this way, SSO is implemented, providing users with more convenient, secure, and reliable login.

Configuration Process

The procedure for accessing the user portal on a PC is used for illustration. Select and configure an application that meets your service requirements.

Prerequisites

  • You have permissions to access the administrator portal.
  • The user PC uses security keys (USB or Bluetooth) or biometric authenticators (such as Windows Hello and Touch ID).

Enabling FIDO2 Authentication on the PC

Enable the options of security keys (USB or Bluetooth) or biometric authenticators (such as Windows Hello and Touch ID) on the user PC. The following uses Windows Hello as an example.

Configuring a FIDO2 Authentication Provider in OneAccess

Add a FIDO2 authentication provider and configure the application information in OneAccess.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Authentication > Authentication Providers. On the displayed page, choose Built-in Authentication Providers > FIDO2.
  3. Configure authentication provider parameters.

    Figure 1 Configuring the FIDO2 Authentication provider
    Table 1 Configuring parameters

    Icon: Upload a custom icon.

    Display Name: Enter a display name for the authentication provider.

    Open no username process: If this function is enabled, users do not need to enter a username or email address to log in. Instead, they select a relying party ID or a bound authenticator, and the authenticator private key is located from that.

    Require Resident Key: Whether the authenticator is required to produce the public key credential as a client-side-resident public key credential source (a discoverable credential). Default option: No. If you enable login without username, this option is changed to Yes.

    User Verification Requirement: Whether the authenticator must verify the identity of the user (rather than only the presence of a user) during registration and authentication. Default option: PREFERRED. If you enable login without username, this option is changed to REQUIRED.

    Attestation Conveyance Preference: Select the preference of the WebAuthn API for generating an attestation. This parameter is used for registration. Default option: DIRECT.

    Authenticator Attachment: Select the authenticator attachment mode that the WebAuthn client accepts. This parameter is used for registration. Default option: NONE.

    Avoid Same Authenticator Registration: Whether re-registration of authenticators of the same type is allowed. Default option: Yes.

    Timeout: Timeout interval for connecting to the authenticator during binding and authentication. Default value: 180, in seconds.

    Acceptable AAGUIDs: (Optional) Add the Authenticator Attestation GUID (AAGUID) of each trusted authenticator. This parameter is used when binding authenticators. If it is left blank, any authenticator can be registered.

Enabling FIDO2 Authentication

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. Click User Portal on the page.
  4. On the application information page, click the application icon.
  5. Choose Login Settings > Web Applications. In the Operation column of the FIDO2 (WebAuthn) row, click to enable FIDO2 authentication.

    Figure 2 Enabling FIDO2 authentication

Activating the Binding on the OneAccess User Portal

  1. Log in to the OneAccess user portal, hover the cursor on the username in the upper right corner, and click Account Settings.
  2. Choose Account Security and click the bind button next to the added security key or biometric authenticator.

    • If no security key or biometric authenticator has been added, the bind button is grayed out.
    • You can bind multiple authenticators, or remove an added authenticator and add it again.

Logging In to the User Portal Through FIDO2 Authentication

Go to the user portal page and select the FIDO2 authentication mode for login. The security key or biometric authenticator prompt is displayed. Complete the authentication.

Figure 3 Selecting the FIDO2 authentication mode

In private (traceless) browsing mode, biometric authenticators cannot be bound, which means FIDO2 authentication cannot be used in this mode.