Details
- Feature
- Status: Released
- Medium
- Resolution: Fixed
- 2.5.3
- None
Description
Feature
- FIDO authentication is added to the JOC Cockpit Identity Service types. Users can add any number of FIDO-based Identity Services using the FIDO2 and Passkey protocols.
- Support for Roaming Authenticators, for example security keys on USB sticks or smartphones.
- Support for Platform Authenticators, for example offering cloud-based synchronization of credentials.
- The following processes are supported:
  - Registration
    - Creating a private/public key pair in the browser client and adding the user's account name, e-mail address and public key to JOC Cockpit. The information is stored in a table for user registration requests.
    - Verifying the user's e-mail address:
      - The user is sent an e-mail with a link to confirm the e-mail address. The e-mail is sent in HTML format and is generated from HTML templates that are managed with JOC Cockpit.
      - Clicking the confirmation link in the e-mail navigates the user to a JOC Cockpit page that stores this information and confirms to the user that the e-mail address has been verified.
    - The JOC Cockpit GUI displays the information about a confirmed registration request with the notifications flag.
    - For administrative users with permissions to manage JOC Cockpit Identity Services, a sub-view is available that displays pending registration requests, including whether the e-mail address has been confirmed. Administrative users can
      - assign the given account any roles and allow the account to log in,
      - remove any pending registration requests.
  - Authentication
    - A user account that is assigned a role can perform authentication with JOC Cockpit. The JOC Cockpit GUI presents the user's public key and implements FIDO authentication.
    - FIDO Identity Services can act
      - as a single factor,
      - as a second factor in multi-factor authentication (MFA).
    - Any existing JOC Cockpit Identity Service, for example JOC, LDAP etc., can make use of FIDO as a second factor for authentication.
  - Authorization
    - Authorization is performed by JOC Cockpit by assigning roles to the given user account.
  - Registration
    - The following configuration items are managed per FIDO Identity Service:
      - whether the given FIDO Identity Service is used as a single factor, as a second factor or both;
      - which devices are allowed to store the user's private key;
      - e-mail templates for the mails used to confirm a user's e-mail address. Such templates can make use of a number of built-in variables holding the user account's name and e-mail address and the current date and time;
      - the name of the Job Resource that holds the e-mail configuration such as mail host and port.