5.10.6. U2F Token Config
5.10.6.1. AppId
You need to configure the AppId of the eduMFA server. The AppId is defined in the FIDO specification [1].
The AppId is the URL of your eduMFA server and is used to find or create the right key pair on the U2F device. The AppId must correspond to the URL that is used to call the eduMFA server.
Note
If you register a U2F device with an AppId https://eduMFA.example.com and try to authenticate at e.g. https://10.0.0.1, the U2F authentication will fail.
Note
The AppId must not contain any trailing slashes!
5.10.6.2. Facets
If you specify the AppId as the plain FQDN, you will only be able to authenticate at the eduMFA server itself or at an application in a subdirectory on the eduMFA server. This is fine if you are running a SAML IdP on the same server.
But if you also want to use the U2F token with other applications, you need to specify the AppId like this:
https://eduMFA.example.com/edumfa-url/ttype/u2f
edumfa-url is the path prefix if you are running the eduMFA instance in a subfolder.
/ttype/u2f is the endpoint that returns the trusted facets list. Trusted facets are other hosts in the domain example.com. You need to define a policy that contains the list of these other hosts (u2f_facets).
For more information on AppId and trusted facets see [2].
For further details and information on how to add U2F to your application you can see the code documentation at U2F Token.
5.10.6.3. Workflow
You can use a U2F token on eduMFA and on other hosts in the same domain. To do so, follow these steps:
Configure the AppId to reflect your eduMFA server:
https://edumfa.your-network.com/ttype/u2f
Adding the path /ttype/u2f is crucial; otherwise eduMFA will not return the trusted facets.
Define a policy with the list of trusted facets. (see u2f_facets). Add the FQDNs of the hosts to the policy:
saml.your-network.com otherapp.your-network.com vpn.your-network.com
Note
The eduMFA plugin for simpleSAMLphp supports U2F with eduMFA.
Now register a U2F token on https://edumfa.your-network.com. Due to the trusted facets you will also be able to use this U2F token on the other hosts. Now go to https://saml.your-network.com and you will be able to authenticate with the very same U2F token without any further registration.
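As an added illustration (not eduMFA's own code), the following Python builds the trusted-facets document that an endpoint such as /ttype/u2f serves for the AppId and the u2f_facets host list from the workflow above, and then checks whether a login origin is covered by it. The document shape follows the FIDO AppID and Facet Specification; the host names, the policy string and the helper functions are assumptions constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed example values; substitute your own AppId and policy content.
APP_ID = "https://edumfa.your-network.com/ttype/u2f"
U2F_FACETS_POLICY = "saml.your-network.com otherapp.your-network.com vpn.your-network.com"

FACETS_PATH = "/ttype/u2f"


def validate_app_id(app_id: str) -> str:
    """Check an AppId against the rules stated above (https URL, host present,
    no trailing slash).  Returns the AppId unchanged or raises ValueError."""
    parts = urlsplit(app_id)
    if parts.scheme != "https":
        raise ValueError("AppId must be an https URL")
    if not parts.netloc:
        raise ValueError("AppId must contain a host name")
    if app_id.endswith("/"):
        raise ValueError("AppId must not contain a trailing slash")
    return app_id


def serves_facets(app_id: str) -> bool:
    """True if the AppId points at the trusted facets endpoint (.../ttype/u2f);
    a bare FQDN AppId returns False and will not yield a facets list."""
    return urlsplit(app_id).path.endswith(FACETS_PATH)


def build_trusted_facets(app_id: str, facets_policy: str) -> dict:
    """Build the TrustedFacets document for this AppId.

    The shape ({"trustedFacets": [{"version": ..., "ids": [...]}]}) is the one
    defined by the FIDO AppID and Facet Specification.  The eduMFA host itself
    is always listed; the other origins come from the space-separated policy.
    """
    validate_app_id(app_id)
    host = urlsplit(app_id).netloc
    ids = ["https://" + host]
    for facet_host in facets_policy.split():
        origin = "https://" + facet_host
        if origin not in ids:
            ids.append(origin)
    return {"trustedFacets": [{"version": {"major": 1, "minor": 0}, "ids": ids}]}


def origin_allowed(trusted_facets: dict, origin: str) -> bool:
    """Decide whether a login from `origin` may use a token registered under
    this AppId: only https origins that appear in a facet list are accepted,
    which is why https://10.0.0.1 fails against an FQDN-based AppId."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    normalized = "https://" + parts.netloc
    return any(normalized in facet_list["ids"]
               for facet_list in trusted_facets["trustedFacets"])


if __name__ == "__main__":
    facets = build_trusted_facets(APP_ID, U2F_FACETS_POLICY)
    print(json.dumps(facets, indent=2))
    for origin in ("https://saml.your-network.com", "https://10.0.0.1"):
        verdict = "allowed" if origin_allowed(facets, origin) else "rejected"
        print(origin, "->", verdict)
```

Running the block prints the facets document and shows the SAML host being accepted while the bare IP address is rejected, mirroring the note in the AppId section. The trailing-slash and path checks in validate_app_id and serves_facets are the two configuration mistakes this page calls out.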
Footnotes