From b80821b4a9b4d3a7694ac50ece423fced11cb610 Mon Sep 17 00:00:00 2001 From: Joaquim Fellmann <48237552+vanrar68@users.noreply.github.com> Date: Mon, 21 Mar 2022 11:41:37 +0100 Subject: [PATCH] KEYCLOAK-16134 Add webauthn loginless documentation (#1306) Closes #10832 (in codebase) --- .../images/webauthn-loginless-flow.png | Bin 0 -> 25536 bytes .../topics/authentication/webauthn.adoc | 56 +++++++++++++++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 server_admin/images/webauthn-loginless-flow.png 
diff --git a/server_admin/images/webauthn-loginless-flow.png b/server_admin/images/webauthn-loginless-flow.png new file mode 100644 index 0000000000000000000000000000000000000000..85311e5a5665373640954afc2ac3e8d006d5a9e7 GIT binary patch literal 25536
diff --git a/server_admin/topics/authentication/webauthn.adoc b/server_admin/topics/authentication/webauthn.adoc index 6117efb5cc..4b5c8e41fa 100644 --- a/server_admin/topics/authentication/webauthn.adoc +++ b/server_admin/topics/authentication/webauthn.adoc @@ -206,6 +206,7 @@ An administrator typically requires that Security Keys registered by users for t Because of this, {project_name} permits administrators to configure a separate `WebAuthn Passwordless Policy`. There is a required `Webauthn Register Passwordless` action of type and separate authenticator of type `WebAuthn Passwordless Authenticator`. +.Procedure ===== Setup Set up WebAuthn passwordless support as follows: 
@@ -226,6 +227,59 @@ Set up WebAuthn passwordless support as follows: The final configuration of the flow looks similar to this: -image:images/webauthn-passwordless-flow.png[] +.PasswordLess flow +image:images/webauthn-passwordless-flow.png[PasswordLess flow] You can now add *WebAuthn Register Passwordless* as the required action to a user, already known to {project_name}, to test this. During the first authentication, the user must use the password and second-factor WebAuthn credential. The user does not need to provide the password and second-factor WebAuthn credential if they use the WebAuthn Passwordless credential. + +[[_webauthn_loginless]] +==== LoginLess WebAuthn + +{project_name} uses WebAuthn for two-factor authentication, but you can use WebAuthn as the first-factor authentication. In this case, users with `passwordless` WebAuthn credentials can authenticate to {project_name} without submitting a login or a password. {project_name} can use WebAuthn as both the loginless/passwordless and two-factor authentication mechanism in the context of a realm. + +An administrator typically requires that Security Keys registered by users for the WebAuthn loginless authentication meet different requirements. Loginless authentication requires users to authenticate to the security key (for example by using a PIN code or a fingerprint) and that the cryptographic keys associated with the loginless credential are stored physically on the security key. Not all security keys meet that kind of requirements. Check with your security key vendor if your device supports 'user verification' and 'resident key'. See <<_webauthn-supported-keys, Supported Security Keys>>. + +{project_name} permits administrators to configure the `WebAuthn Passwordless Policy` in a way that allows loginless authentication. Note that loginless authentication can only be configured with `WebAuthn Passwordless Policy` and with `WebAuthn Passwordless` credentials. 
WebAuthn loginless authentication and WebAuthn passwordless authentication can be configured on the same realm but will share the same policy `WebAuthn Passwordless Policy`. + +.Procedure +===== Setup + +Set up WebAuthn Loginless support as follows: + +. Register a new required action for WebAuthn passwordless support. Use the steps described in <<_webauthn-register, Enable WebAuthn Authenticator Registration>>. Register the `Webauthn Register Passwordless` action. + +. Configure the `WebAuthn Passwordless Policy`. Perform the configuration in the Admin Console, `Authentication` section, in the tab `WebAuthn Passwordless Policy`. You have to set *User Verification Requirement* to *required* and *Require Resident Key* to *Yes* when you configure the policy for loginless scenario. Note that since there isn't a dedicated Loginless policy it won't be possible to mix authentication scenarios with user verification=no/resident key=no and loginless scenarios (user verification=yes/resident key=yes). Storage capacity is usually very limited on security keys meaning that you won't be able to store many resident keys on your security key. + +. Configure the authentication flow. Create a new authentication flow, add the "WebAuthn Passwordless" execution and set the Requirement setting of the execution to *Required* + +The final configuration of the flow looks similar to this: + +.LoginLess flow +image:images/webauthn-loginless-flow.png[LoginLess flow] + +You can now add the required action `WebAuthn Register Passwordless` to a user, already known to {project_name}, to test this. The user with the required action configured will have to authenticate (with a username/password for example) and will then be prompted to register a security key to be used for loginless authentication. 
+ +===== Vendor specific remarks + +====== Compatibility check list + +Loginless authentication with {project_name} requires the security key to meet the following features + +** FIDO2 compliance: not to be confused with FIDO/U2F +** User verification: the ability for the security key to authenticate the user (prevents someone finding your security key to be able to authenticate loginless and passwordless) +** Resident key: the ability for the security key to store the login and the cryptographic keys associated with the client application + +====== Windows Hello + +To use Windows Hello based credentials to authenticate against {project_name}, configure the *Signature Algorithms* setting of the `WebAuthn Passwordless Policy` to include the *RS256* value. Note that some browsers don't allow access to platform security key (like Windows Hello) inside private windows. + +[[_webauthn-supported-keys]] +====== Supported security keys + +The following security keys have been successfuly tested for loginless authentication with {project_name}: + +* Windows Hello (Windows 10 21H1/21H2) +* Yubico Yubikey 5 NFC +* Feitian ePass FIDO-NFC + +
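Review bot: in the first webauthn.adoc hunk (@@ -206,6 +206,7 @@), the added `.Procedure` title sits directly above the `===== Setup` heading, so the thing it would caption is a section title rather than the numbered steps. Consider moving it to just above the first step, after "Set up WebAuthn passwordless support as follows:", so the title attaches to the list it describes. The same placement is repeated before `===== Setup` in the LoginLess section of the next hunk.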
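Review bot: in the second webauthn.adoc hunk (@@ -226,6 +227,59 @@), step 2 of the LoginLess setup buries the main operational constraint in running text: loginless and passwordless share `WebAuthn Passwordless Policy`, so setting *User Verification Requirement* to *required* and *Require Resident Key* to *Yes* also applies to the passwordless scenario on that realm. Suggest pulling the "it won't be possible to mix authentication scenarios" sentence out into a NOTE admonition and naming the actual setting values there instead of "user verification=no/resident key=no". Smaller points in the same hunk: "successfuly" should be "successfully"; the required action is spelled both `Webauthn Register Passwordless` and `WebAuthn Register Passwordless`; step 3 ends without a period; "requires the security key to meet the following features" needs a colon before the list; the compatibility list uses `**` markers with no parent `*` level while the supported-keys list uses `*`; and the "LoginLess" / "Loginless" / "loginless" casing should be unified.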