book: explain how to use fido-mds-tool (#3231)

explain how to use fido-mds-tool to configure Webauthn attestation
This commit is contained in:
Be 2024-12-19 21:18:52 -06:00 committed by GitHub
parent 2174b9b251
commit c6432cad83
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -31,6 +31,8 @@ weakest to strongest:
- `passkey` - `passkey`
- `attested_passkey` - `attested_passkey`
`attested_passkey` requires [configuring an allowlist of trusted authenticators](#setting-webauthn-attestation-ca-lists).
### Password Minimum Length ### Password Minimum Length
The minimum length for passwords (if they are allowed). The minimum length for passwords (if they are allowed).
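Review bot: the added sentence tells the reader that `attested_passkey` requires an allowlist but not what happens when a group's policy is raised to that level before the list from the linked section exists; one clause on the user-visible effect (whether new authenticator enrolment is refused, or whether existing registrations stop satisfying the policy, whichever is the case) would save a round trip to the Setting Webauthn Attestation CA Lists section. The anchor `#setting-webauthn-attestation-ca-lists` is consistent with the heading touched later in this change.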
@ -45,7 +47,7 @@ read/write session.
The list of certificate authorities and device aaguids that must be used by members of this policy. The list of certificate authorities and device aaguids that must be used by members of this policy.
This allows limiting devices to specific models. This allows limiting devices to specific models.
To generate this list you should use `fido-mds-tool`. To generate this list you should [use `fido-mds-tool`](#setting-webauthn-attestation-ca-lists).
## Policy Resolution ## Policy Resolution
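Review bot: style point on the unchanged context line at the top of this hunk: `device aaguids` reads better as `device AAGUIDs` (Authenticator Attestation GUID is an acronym), and since this hunk is already rewording the paragraph it is a cheap fix to fold in. The new link to `#setting-webauthn-attestation-ca-lists` matches the one added in the previous hunk.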
@ -149,15 +151,42 @@ kanidm group account-policy privilege-expiry my_admin_group 86400 # NB: will be
### Setting Webauthn Attestation CA Lists ### Setting Webauthn Attestation CA Lists
The list should be generated with `fido-mds-tool`. This will emit JSON that can be directly used To verify Webauthn authenticators with attestation, Kanidm needs an allowlist of
with Kanidm. authenticators to trust. Generate this list with the `fido-mds-tool` from
the [webauthn-rs project](https://github.com/kanidm/webauthn-rs). If you have a
Rust toolchain installed, it can built and installed from source with
```bash ```bash
kanidm group account-policy webauthn-attestation-ca-list <group name> <attestation ca list json> cargo install fido-mds-tool
kanidm group account-policy webauthn-attestation-ca-list idm_all_persons '{"cas":{"D6E4b4Drh .... }'
``` ```
> NOTE: `fido-mds-tool` is available in the `kanidm:tools` container. Alternatively, `fido-mds-tool` is available in the
[tools container](../installing_client_tools.md#tools-container).
First, fetch the MDS data provided by the FIDO Alliance:
```bash
fido-mds-tool fetch
```
Then, query the MDS data to generate your allowlist of authenticators.
For example, to trust all authenticators made by Yubico, run
```bash
fido-mds-tool query --output-cert-roots "desc cnt yubikey" > trusted-authenticators
```
For details of how to query the MDS data, run
```bash
fido-mds-tool query --help
```
Once you have generated the authenticator allowlist, use it to configure Kanidm's
account policy for a group. For example, to set the allowlist for all persons, run
```bash
kanidm group account-policy webauthn-attestation-ca-list idm_all_persons trusted-authenticators
```
## Global Settings ## Global Settings
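Review bot: the closing example `kanidm group account-policy webauthn-attestation-ca-list idm_all_persons trusted-authenticators` passes a file name, while the removed example passed the JSON document inline (`... idm_all_persons '{"cas":{"D6E4b4Drh .... }'`) and the removed synopsis line `<group name> <attestation ca list json>` also describes the argument as JSON; confirm the CLI reads a path here, and if it still expects the JSON string, change the example to `... idm_all_persons "$(cat trusted-authenticators)"` or keep the removed synopsis line so the argument shape stays documented. Two smaller points in the new prose: `it can built and installed from source` should read `it can be built and installed from source`, and the removed sentence `This will emit JSON that can be directly used with Kanidm` is worth keeping next to the `--output-cert-roots` command (naming the output `trusted-authenticators.json` would make the same point), since the new text no longer says what format the tool produces.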