nevisFIDO Configuration
For all use cases, nevisFIDO must first be configured to support FIDO2.
FIDO2 configuration block
nevisFIDO FIDO2 configuration
/var/opt/nevisfido/<instance>/conf/nevisfido.yml
fido2:
  enabled: true
  rp-name: <relying-party-name>
  rp-id: <relying-party-id>
  origins:
    - "<origin>"
  authorization:
    registration:
      type: sectoken
    authentication:
      type: none
Substitute your own values into this configuration block:
relying-party-name: The name of your organization, for example Siven Chocolate Factory Inc.
relying-party-id: The ID of the relying party, i.e. the domain to which the public key credentials will be scoped. For example: siven.net
origin: The origin associated with the server. Origins are commonly referred to as endpoints; the host part of an origin must be the rp-id itself or a subdomain of it, for example https://chocolate.siven.net:9443.
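The relationship between rp-id and origins is the part of this block that is easiest to get subtly wrong (a stray path, a plain-http origin, or a host that merely ends in the same characters as the rp-id). The following check is an added example, not code from nevisFIDO or the product documentation; it takes the fido2 block as a Python dict (the sample values below are constructed from the documentation's examples rather than read from nevisfido.yml) and reports every origin whose host is not the rp-id or one of its subdomains, comparing on whole DNS labels.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the fido2 block of nevisfido.yml with the
# documentation's example values filled in (a Python dict, not parsed YAML).
SAMPLE_FIDO2 = {
    "enabled": True,
    "rp-name": "Siven Chocolate Factory Inc.",
    "rp-id": "siven.net",
    "origins": ["https://chocolate.siven.net:9443", "https://siven.net"],
    "authorization": {
        "registration": {"type": "sectoken"},
        "authentication": {"type": "none"},
    },
}


def host_within_rp_id(host: str, rp_id: str) -> bool:
    """True if host equals rp_id or is a subdomain of it.

    The comparison is done on whole DNS labels, so 'evilsiven.net' is
    not accepted for an rp-id of 'siven.net'.
    """
    host = host.lower().rstrip(".")
    rp_id = rp_id.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


def check_fido2_block(fido2: dict) -> list[str]:
    """Return a list of problems found in a fido2 configuration block.

    An empty list means every configured origin is scoped to the rp-id
    as the documentation describes and no placeholder is left in place.
    """
    problems: list[str] = []
    rp_id = str(fido2.get("rp-id", ""))
    if not rp_id or rp_id.startswith("<"):
        problems.append("rp-id is missing or still a <placeholder>")
    if not fido2.get("rp-name") or str(fido2["rp-name"]).startswith("<"):
        problems.append("rp-name is missing or still a <placeholder>")

    origins = fido2.get("origins") or []
    if not origins:
        problems.append("origins is empty: the browser's origin will never match")
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme != "https":
            problems.append(f"{origin}: WebAuthn origins must use https")
        if parts.path or parts.query or parts.fragment:
            problems.append(f"{origin}: an origin is scheme://host[:port] only, no path")
        if not parts.hostname:
            problems.append(f"{origin}: no host found")
        elif rp_id and not host_within_rp_id(parts.hostname, rp_id):
            problems.append(f"{origin}: host is neither {rp_id} nor a subdomain of it")
    return problems


if __name__ == "__main__":
    for problem in check_fido2_block(SAMPLE_FIDO2) or ["fido2 block looks consistent"]:
        print(problem)
```

Run it against the values you intend to deploy before starting the instance: an origin that fails the host check here will also fail the origin check the server performs on every registration and authentication response.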
Prepare the credential repository
nevisFIDO credential repository configuration
/var/opt/nevisfido/<instance>/conf/nevisfido.yml
credential-repository:
  type: nevisidm
  rest-url: https://<nevisidm-host>:<nevisidm-port>/nevisidm
  keystore: /var/opt/keybox/default/node_keystore.jks
  keystore-passphrase: password
  keystore-type: jks
  truststore: /var/opt/keybox/default/truststore.jks
  truststore-passphrase: password
  truststore-type: jks
  client-id: 100
  user-attribute: loginId
- Replace nevisidm-host and nevisidm-port according to your environment.
- Note user-attribute: it tells nevisFIDO which identifier attribute of the user the username received by the server refers to, so the FIDO2 Registration Client JavaScript and the FIDO2 Authentication Client JavaScript must send their username property accordingly.
For more detailed configuration, please visit nevisFIDO Configuration.
note
If everything is configured correctly, the nevisFIDO server prints the following line to the log on startup (if UAF is enabled on the same server, it is also listed):
INFO c.n.a.fido.application.Application The following 1 profile is active: "fido2"