
TrustBuilder FIDO2

FIDO2 is a modern authentication standard that enables secure login experiences. This feature integrates with the TrustBuilder platform.

Prerequisites

TrustBuilder platform version: 2024.9.0 and higher.
Starting from the 2024.9.0 release, tenants include:

  • a system TrustBuilder FIDO2 IDP linked to the TrustBuilder FIDO2 server (OIDC-based).

  • new OAuth scopes to manage FIDO2-related operations:

Component                          OAuth scope(s)        Description
TrustBuilder Admin Portal          fido_keys:read        Allows read operations on FIDO2 keys
                                   fido_keys:write       Allows read and write operations on FIDO2 keys
                                   fido_policies:read    Allows read operations on FIDO2 policies
                                   fido_policies:write   Allows read and write operations on FIDO2 policies
TrustBuilder Self-Service Portal   fido:registration     Allows registration of a FIDO2 key
                                   fido_keys:self        Allows management of owned FIDO2 keys

Enable FIDO2 authentication method

To enable the FIDO2 authentication method for users, create a new access flow or configure an existing one.

Create a new access flow

  1. In TrustBuilder Admin portal, navigate to Access Management > Access Flows.

  2. Click on + Add Access Flow.

  3. Click on Add Authentication Scheme:

    1. Name: define a name (e.g. FIDO Authentication Scheme).

    2. Scheme Type: Select Authentication level.

    3. Click Save.

  4. Click on Add Authentication Method:

    1. Display Name: define a name (e.g. FIDO Method).

    2. OpenID Context: specify the ACR you want (e.g. phr).

    3. Link Identity Providers: select TrustBuilder FIDO2 IDP.

    4. Click Save.

  5. Once the access flow appears, click on Link Service Providers:

    1. Select a Service Provider (application) to be linked to this access flow.

    2. Click Next.

    3. Configure the following for this service provider:

      • Default Method Comparison: set to MINIMUM.

      • Default method: Select the authentication method.

    4. Click Save.

  6. Repeat step 5 for each application (service provider) to be added.

The new access flow is successfully created.
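The access flow above asks for a given OpenID Context (ACR, e.g. phr) and links it to a service provider with Default Method Comparison set to MINIMUM. The following Python example, added here and not part of TrustBuilder's documentation or code, shows what that comparison means for a relying party: it requests the ACR in the authorization request and then checks that the acr claim of the returned ID token is at least the required level. The ordering of ACR values (ACR_LADDER), the example issuer, client ID and claims are all constructed assumptions; only "phr" comes from the page (it is the phishing-resistant value defined in the OpenID Connect EAP ACR Values specification). Signature verification of the ID token is assumed to have been done before the claims check.

```python
from dataclasses import dataclass
import time

# Assumed ranking of ACR values from weakest to strongest. The documentation
# only names "phr"; the two other entries are constructed placeholders for
# weaker methods in this example.
ACR_LADDER = ("urn:example:acr:password", "urn:example:acr:otp", "phr")


@dataclass(frozen=True)
class AcrPolicy:
    """What a service provider demands from the access flow."""
    required_acr: str            # the ACR of the "Default method"
    comparison: str = "minimum"  # "minimum" (as on the page) or "exact"


def acr_rank(acr):
    """Position of an ACR value on the ladder, or None if it is unknown."""
    return ACR_LADDER.index(acr) if acr in ACR_LADDER else None


def acr_satisfies(policy: AcrPolicy, token_acr) -> bool:
    """Apply the MINIMUM / EXACT comparison to the acr claim of an ID token."""
    required = acr_rank(policy.required_acr)
    actual = acr_rank(token_acr) if isinstance(token_acr, str) else None
    if required is None or actual is None:
        return False  # an unknown or missing acr never satisfies a policy
    if policy.comparison == "exact":
        return actual == required
    if policy.comparison == "minimum":
        return actual >= required  # the required level or any stronger one
    raise ValueError(f"unsupported comparison: {policy.comparison}")


def authorization_params(client_id: str, redirect_uri: str, policy: AcrPolicy) -> dict:
    """Query parameters of the authorization request, asking for the ACR."""
    return {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "acr_values": policy.required_acr,
    }


def check_id_token_claims(claims: dict, policy: AcrPolicy, issuer: str,
                          client_id: str, now: float) -> list:
    """Return the list of problems found in signature-verified ID token claims.

    An empty list means the token is accepted for this service provider.
    """
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain this client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    if not acr_satisfies(policy, claims.get("acr")):
        problems.append(f"acr {claims.get('acr')!r} does not meet "
                        f"{policy.comparison} {policy.required_acr}")
    return problems


if __name__ == "__main__":
    policy = AcrPolicy(required_acr="phr", comparison="minimum")
    # Constructed claims, as an IDP behind the FIDO2 access flow might issue them.
    claims = {"iss": "https://idp.example.test", "aud": "app-client",
              "exp": time.time() + 300, "sub": "test-user", "acr": "phr"}
    print(authorization_params("app-client", "https://app.example.test/cb", policy))
    print(check_id_token_claims(claims, policy, "https://idp.example.test",
                                "app-client", time.time()))
```

With MINIMUM, a token whose acr is stronger than the requested one is accepted, whereas an unknown acr value is rejected rather than treated as "good enough"; that is the check a service provider should perform even when the access flow is expected to enforce the method, because the token is the only evidence the application actually sees.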

Edit an existing access flow

  1. In TrustBuilder Admin portal, navigate to Access Management > Access Flows.

  2. Click on Link Identity Provider.

  3. Select TrustBuilder FIDO2.

  4. Click on Save.

The existing access flow is successfully updated.

To avoid locking yourself out of the Admin portal, change the default authentication scheme and methods with care. If you edit an existing access flow, we recommend only linking the TrustBuilder FIDO2 IDP to the existing configuration and making no other changes.

Testing FIDO2 authentication method

As an admin, you can test FIDO2 authentication methods with a test user.

To know more about key management by users, see TrustBuilder Self-Service Portal documentation.

Prerequisites

  • Compatible browsers:
    Supported: Chrome, Edge, Firefox (latest versions recommended).
    Not supported: Safari (temporary limitation: security key registration and authentication do not work).

Step 1 - Configuration in the Admin Portal:

  1. Create a test user

  2. Configure an access flow with:

    • TrustBuilder FIDO2 as an IDP,

    • TrustBuilder Self Service Portal as a Service Provider.

Step 2 - Register a Security key

  1. Open a new window in a different web browser.

  2. Access the Self-Service Portal at https://portal.[TENANT_ID].trustbuilder.io/

  3. If requested, select TrustBuilder Repository.
    Enter the test user’s username and password.

  4. Go to Security > Security keys > + Add a security key

  5. On the registration screen, follow the steps:

    1. Click on Register a key.

    2. Enter a name for the new security key.
      The name must be unique within the user's keyring (other users with separate keyrings can reuse the same name) and cannot consist only of spaces. It is limited to 32 characters and accepts any characters, including emojis and non-Latin characters.

    3. Follow the instructions in the pop-up window.
      The steps differ depending on the type of security key and the operating system.

    4. Once redirected to the Self-Service portal, check that the security key now appears in the security keys list.


      The security key is now registered and can be used to sign in securely to protected applications.

    5. Log out from the Self-Service Portal for the next step.

Step 3 - Sign-in with the registered Security key

  1. Access the Self-Service Portal at https://portal.[TENANT_ID].trustbuilder.io/.

  2. If requested, select TrustBuilder FIDO2.

  3. Click on Sign-in.

  4. Follow the instructions in the pop-up window.
    The steps differ depending on the type of security key and the operating system.

Once successfully authenticated with the security key, you should be redirected to the Self-Service Portal home page.
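The registration step above states the rules for a security key name: unique within the same keyring, reusable across other users' keyrings, not only spaces, at most 32 characters, any character allowed. The following Python validator is an added example, not TrustBuilder's code, showing how a portal would enforce those rules before accepting a name. Two details are assumptions of this example rather than statements of the page: names are compared after Unicode NFC normalisation, and "characters" are counted as Unicode code points, so an emoji composed of several code points counts as several characters.

```python
import unicodedata

MAX_KEY_NAME_LENGTH = 32  # limit stated in the registration step


def normalize_key_name(name: str) -> str:
    """Canonical form used for uniqueness comparisons.

    NFC normalisation (an assumption of this example) makes an accented
    letter typed as one code point equal to the letter plus a combining
    accent, so two visually identical names cannot both be registered.
    """
    return unicodedata.normalize("NFC", name)


def key_name_problem(name, keyring_names):
    """Return a description of the first rule the name violates, or None.

    keyring_names are the names already present in the same user's keyring;
    names in other users' keyrings are deliberately not consulted, since the
    documentation allows reuse across separate keyrings.
    """
    if not isinstance(name, str):
        return "name must be a string"
    candidate = normalize_key_name(name)
    # Rule: cannot contain only spaces. An empty name is rejected for the same
    # reason; other whitespace is treated like spaces (assumption).
    if candidate == "" or candidate.isspace():
        return "name cannot be empty or consist only of spaces"
    # Rule: limited to 32 characters, any character allowed. Counted as
    # Unicode code points here (assumption).
    if len(candidate) > MAX_KEY_NAME_LENGTH:
        return f"name is longer than {MAX_KEY_NAME_LENGTH} characters"
    # Rule: unique within the same keyring.
    if candidate in {normalize_key_name(n) for n in keyring_names}:
        return "a security key with this name already exists in this keyring"
    return None


def register_key_name(name, keyring_names):
    """Validate the name and add it to the keyring (a plain list here)."""
    problem = key_name_problem(name, keyring_names)
    if problem is not None:
        raise ValueError(problem)
    keyring_names.append(normalize_key_name(name))
    return keyring_names


if __name__ == "__main__":
    # Constructed keyrings for two different test users.
    alice_keys = ["YubiKey 5C"]
    bob_keys = []
    for proposed in ["🔑 Travel key", "YubiKey 5C", "   ", "x" * 33, "キー"]:
        print(repr(proposed), "->", key_name_problem(proposed, alice_keys))
    # Bob may reuse a name that already exists in Alice's keyring.
    register_key_name("YubiKey 5C", bob_keys)
    print(bob_keys)
```

Keeping the uniqueness check scoped to one user's keyring matters for privacy as well as usability: a global uniqueness check would let one user learn which names other users have already registered.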

