(BETA) FIDO2 Configuration in Access (macOS)
This lab is designed to help you understand how to set up and authenticate using FIDO2 (Fast Identity Online). You will discover the requirements and implement the solution in your existing Workspace ONE Access environment.
Part 1: Setup FIDO2
Part 2: Register Authenticator
Part 3: Administer FIDO2 Keys
- Log into your WorkspaceONE Access tenant as the system administrator.
- Navigate to Identity & Access Management > Authentication Methods and click the pencil icon next to FIDO2.
- Click Enable FIDO2 Adapter
- Set the User Verification Preference to required. With this setting the authenticator must verify the user (PIN, Touch ID or Windows Hello) rather than only confirm presence with a touch, and a response that does not carry the user-verified flag is rejected at registration and at sign-in.
- Set the Attestation Conveyance Preference to none. No attestation statement is requested, so Access cannot verify the make or model of the authenticator; choose a stricter value only if you intend to restrict registration to particular authenticator models.
- Click Save at the bottom of the page.
- Navigate to Identity Provider and click Built-in
- Once the Authentication Methods list loads on the Built-in IdP screen, select FIDO2 to enable the authentication method.
- Click Save at the bottom of the screen
- Navigate to Policies then click Edit Default Policy
- Click Configuration and click + ADD POLICY RULE
- Set the Policy to All Device Types
- Change the switch for registering a FIDO2 authenticator to YES
- Set the authentication method to Password (cloud deployment)
- Set the fallback method to Password (Local Directory)
- Move the policy rule you just built from the bottom to the top. Rules are evaluated in order and the first match applies, so this registration rule, which authenticates with a password, must sit above the rule that requires FIDO2; otherwise a user with no registered authenticator can never reach the registration flow.
- Now click ALL RANGES next to Web Browser. This should be the second rule from the top.
- Change the first authentication method to FIDO2
- Click Save at the bottom of the page
- Click NEXT and SAVE
- Close Chrome, re-open it and browse to your Workspace ONE Access URL.
Do NOT do this in the lab environment: the remaining steps require a physical device with a supported authenticator type (see below).
- You should now see Sign in with FIDO2 Authenticator.
- Click Register your FIDO2 Authenticator
- Note the supported authenticator form factors for the various browsers and operating systems. Make sure you are using one of these and not a virtual lab environment.
- Select the euc-livefire.com domain and authenticate using the Mark VMware1! account. Click Sign in
- At this point FIDO2 registration starts and the browser asks you how you want to verify your identity.
- Click This device
- Click Continue on the next prompt
- Then authenticate with your password and Windows Hello or Touch ID
- Give your authenticator method a name and click Save
- Now click Sign in with FIDO2 Authenticator and use the Windows Hello or TouchID to authenticate.
- Select the user associated with that authenticator Mark
- You should be authenticated with the user Mark to Intelligent Hub.
- Close the Chrome and re-open.
- Experience seamless FIDO2 authentication to Intelligent Hub.
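The two adapter settings from Part 1 and the sign-in flow from Part 2 decide what the relying party has to check when the browser hands back a WebAuthn response. The block below is an added example, not code from this lab or from Workspace ONE Access: it parses the authenticator data field of a registration and of an assertion, enforces "user verification required" by testing the UV flag, treats attestation "none" as carrying nothing to verify, and applies the signature-counter check that flags a cloned authenticator. All names are hypothetical, and the sample bytes (including SAMPLE_RP_ID_HASH, which stands in for the SHA-256 of the RP ID) are constructed, not captured from a device.

```javascript
// Added example, not from the lab or from Workspace ONE Access. authData layout (WebAuthn):
//   rpIdHash[32] | flags[1] | signCount[4, big-endian] | attestedCredentialData | extensions
// attestedCredentialData (registration only) = aaguid[16] | credIdLen[2, BE] | credId | COSE key
const FLAG_UP = 0x01; // user present (a touch)
const FLAG_UV = 0x04; // user verified (PIN, Touch ID, Windows Hello)
const FLAG_AT = 0x40; // attested credential data follows
const FLAG_ED = 0x80; // extension data follows

function bytesEqual(a, b) {
  return a.length === b.length && a.every((x, i) => x === b[i]);
}

function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authData shorter than 37 bytes");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  // Separating the COSE key from a trailing extension map needs a CBOR decoder; not done here.
  if (flags & FLAG_ED) throw new Error("extension data not supported by this parser");
  const parsed = {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
    credential: null,
  };
  if (flags & FLAG_AT) {
    if (authData.length < 55) throw new Error("attested credential data truncated");
    const credIdLen = view.getUint16(53, false);
    if (authData.length < 55 + credIdLen) throw new Error("credentialId truncated");
    parsed.credential = {
      aaguid: authData.slice(37, 53), // may be all zeros under attestation "none"
      credentialId: authData.slice(55, 55 + credIdLen),
      publicKeyCose: authData.slice(55 + credIdLen), // CBOR COSE_Key, left undecoded
    };
  }
  return parsed;
}

function commonChecks(p, expectedRpIdHash) {
  const problems = [];
  if (!bytesEqual(p.rpIdHash, expectedRpIdHash)) problems.push("rpIdHash mismatch");
  if (!p.userPresent) problems.push("user presence flag clear");
  if (!p.userVerified) problems.push("user verification required but UV flag clear");
  return problems;
}

// Registration: UV must be set. With attestation "none" there is no statement to verify,
// so nothing about the authenticator model (AAGUID) can be trusted for policy decisions.
function checkRegistration(authData, expectedRpIdHash, attestationFmt) {
  const p = parseAuthData(authData);
  const problems = commonChecks(p, expectedRpIdHash);
  if (!p.credential) problems.push("no attested credential data in registration response");
  if (attestationFmt !== "none") problems.push("attestation statement present; not verified here");
  return { ok: problems.length === 0, problems, credential: p.credential, signCount: p.signCount };
}

// Authentication: UV must be set, and when either side has a non-zero signature counter the
// new value must exceed the stored one (a stalled counter is the cloned-authenticator signal).
function checkAssertion(authData, expectedRpIdHash, storedSignCount) {
  const p = parseAuthData(authData);
  const problems = commonChecks(p, expectedRpIdHash);
  if ((p.signCount !== 0 || storedSignCount !== 0) && p.signCount <= storedSignCount) {
    problems.push("signature counter did not increase (possible cloned authenticator)");
  }
  return { ok: problems.length === 0, problems, newSignCount: p.signCount };
}

// Constructed sample data, not captured from a real device.
const SAMPLE_RP_ID_HASH = new Uint8Array(32).fill(0xab); // stand-in for SHA-256 of the RP ID
const SAMPLE_CRED_ID = new Uint8Array([0x10, 0x20, 0x30, 0x40]);
const SAMPLE_COSE_KEY = new Uint8Array([0xa5, 0x01, 0x02]); // CBOR placeholder, not a real key

function buildAuthData(flags, signCount, credentialId = SAMPLE_CRED_ID, cose = SAMPLE_COSE_KEY) {
  const head = new Uint8Array(37);
  head.set(SAMPLE_RP_ID_HASH, 0);
  head[32] = flags;
  new DataView(head.buffer).setUint32(33, signCount, false);
  if (!(flags & FLAG_AT)) return head;
  const attested = new Uint8Array(18 + credentialId.length + cose.length); // AAGUID left zeroed
  new DataView(attested.buffer).setUint16(16, credentialId.length, false);
  attested.set(credentialId, 18);
  attested.set(cose, 18 + credentialId.length);
  const out = new Uint8Array(head.length + attested.length);
  out.set(head, 0);
  out.set(attested, head.length);
  return out;
}

const registration = checkRegistration(buildAuthData(FLAG_UP | FLAG_UV | FLAG_AT, 0), SAMPLE_RP_ID_HASH, "none");
const touchOnly = checkRegistration(buildAuthData(FLAG_UP | FLAG_AT, 0), SAMPLE_RP_ID_HASH, "none");
const signIn = checkAssertion(buildAuthData(FLAG_UP | FLAG_UV, 7), SAMPLE_RP_ID_HASH, 6);
const replay = checkAssertion(buildAuthData(FLAG_UP | FLAG_UV, 6), SAMPLE_RP_ID_HASH, 6);
console.log(registration.ok, touchOnly.problems, signIn.ok, replay.problems);
```

The touch-only registration is the case the "required" setting exists for: the key was created with presence only, so the server refuses it instead of storing a credential that a stolen device could later use without a PIN or biometric. Platform authenticators such as Touch ID commonly report a counter of zero on every response, which the counter rule deliberately tolerates; the replay case shows the rejection when a counter that did move earlier stops moving.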
The WorkspaceONE Access admin console offers the ability to manage FIDO2 keys within the user attributes.
- Log into the WorkspaceONE Access admin console. This may require you to close the browser and re-open it or use a different browser.
- Once logged in click on Users & Groups
- Select the user you have been testing with (in this case Mark Debio).
- Click Two-Factor Authentication on the user record
- The FIDO2 section of this page lists the security authenticators currently registered for this user.
- Select an authenticator and note the options to delete, rename and block it.
This concludes the lab on configuring FIDO2 authentication on WorkspaceONE Access.
Author: Simeon Frank