I'm sorry if SACL documentation did not make it clear, Struan; we will strive to improve it so others do not have to struggle with it as you did if FIDO security policies do not need such high levels of assurance. On 10/15/24 5:38 PM, Struan Henderson wrote: Yes, thank you for clarifying. I didn't fully appreciate that. We expected to be able to enforce attestation on all Android Devices, but seeing a significant number of devices seemingly unable to provide attestation due to the issue I included...
Struan, If the device does not support AndroidKeystore attestation, the implication is that the device cannot be trusted to the extent SACL enables - the first line in the image of the message says it all. The whole point of using SACL is to leverage hardware-based protection with an attestation from the manufacturer of the device, so the business application can mitigate risks. If your business requirement is OK without any attestation for a registration, why use SACL at all? You could simply use...
Hi Struan, Need to look into this. Will need to figure out if we have those specific devices with those versions of the OS. Give us until next week please. Thanks.
Support for FIDO2 Security Keys
Depends on what kind of code Keycloak supports for the "custom authenticator". If it supports redirects, then what you've described should be possible. Given that SKFS always responds with messages indicating success (or failure), your demo app should be able to tell Keycloak what happened (and provide proof of that with the JWT or SAML token signed by SKFS, if necessary). However, in the long run, my recommendation is to derisk your FIDO deployment environment and consider using the built-in IDP...
This is more than likely Keycloak's policy for its own FIDO2 service implementation. Since the StrongKey FIDO Server (SKFS) requires a web-application (or an IAM system like Keycloak) to call explicit webservices on SKFS, it is highly unlikely that they have implemented something for SKFS. (There is another discussion on this topic at https://github.com/keycloak/keycloak/discussions/23101). You might want to ask the current developers from Keycloak if they know of any implementations that connect...
If you are using strongkey.com FQDNs inside your network, then make sure that all the computers that need to communicate with the hosts that have strongkey.com FQDN have the IP address as well as the FQDN defined in their etc/hosts file. If you do not have that, then they will attempt to reach the internet through DNS to talk to the real strongkey.com hosts (if the FQDN exists).
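The hosts-file pinning described above, as an added example that is not part of this thread: it parses an /etc/hosts-format file for a given FQDN (ignoring comments and matching alias columns) and optionally compares the pinned address with what the system resolver actually returns. The FQDNs are the ones mentioned in the thread; the addresses and the sample file are constructed.

```shell
#!/bin/sh
# Added example: verify that a private FQDN is pinned in an /etc/hosts-style file
# and that the resolver honours the pin instead of falling through to public DNS.

# hosts_lookup FILE FQDN -> prints the address mapped to FQDN (first match); exit 1 if absent.
# Skips comment/blank lines, strips trailing comments, matches hostname and alias columns.
hosts_lookup() {
    awk -v host="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(host)) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_pinned FILE FQDN -> "ok" if the system resolver returns the pinned address,
# "mismatch:<resolved>" if it returns something else (e.g. a public DNS answer),
# "unpinned" if FILE has no entry for FQDN at all.
check_pinned() {
    pinned=$(hosts_lookup "$1" "$2") || { echo "unpinned"; return 1; }
    resolved=$(getent hosts "$2" 2>/dev/null | awk 'NR == 1 { print $1 }')
    if [ "$resolved" = "$pinned" ]; then echo "ok"; return 0; fi
    echo "mismatch:${resolved:-none}"; return 2
}

# Constructed sample hosts file (addresses are placeholders, not real deployment values).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# lab overrides for strongkey.com names - keep in sync on every client host
127.0.0.1       localhost
192.168.10.20   fido2tutorial.strongkey.com fido2tutorial   # demo web app
192.168.10.21   technometrics.ddns.net                     # SKFS
EOF

hosts_lookup "$SAMPLE_HOSTS" fido2tutorial.strongkey.com
hosts_lookup "$SAMPLE_HOSTS" technometrics.ddns.net
```

Run `check_pinned /etc/hosts fido2tutorial.strongkey.com` on each machine that must reach the host; any result other than `ok` means that machine will go to DNS (and potentially to the real strongkey.com) instead.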
Hi, I have deployed the test application on Ubuntu, which has the FQDN "fido2tutorial.strongkey.com", and I have deployed the SKFS on CentOS, which has the FQDN "technometrics.ddns.net", and the RPID is "strongkey.com". I am accessing the website from a different computer which is on the network, and it is a Windows PC. The PEM key I'm using is the one that comes with the prefido test application; I'm pasting the key.pem file below. Paste your CERTIFICATE here, Ashfaqur - not your PRIVATE KEY