This module implements a simpleSAMLphp authproc that can be used to enforce second factor authentication using Webauthn compatible security devices.
Thanks to David Earl for his excelent headstart on PHP based Webauthn implementation!
This module uses a php-sqlite3 database to store user/key combinations.
composer require mrvanes/simplesamlphp-module-authwebauthn:dev-master
The authproc can be configured as registration or validation proc. Enable the proc on any authsource. E.g. one for registration purposes and one for validation purposes:
'sp-register' => [
'saml:SP',
'entityID' => null,
'idp' => 'idp-register',
'discoURL' => null,
'authproc' => [
// Add Webauthn second factor registration
100 => ['class' => 'authwebauthn:WebAuthn',
'id' => 'uid',
'database' => '/var/tmp/keys.sq3',
'purpose' => 'register'
],
],
],
'sp-login' => [
'saml:SP',
'entityID' => null,
'idp' => 'idp-login',
'discoURL' => null,
'authproc' => [
// Add Webauthn second factor validation
100 => ['class' => 'authwebauthn:WebAuthn',
'id' => 'uid',
'database' => '/var/tmp/keys.sq3',
'purpose' => 'validate'
],
],
],
Or on hosted IdP using fallback scenario (register if unable to validate, i.e. Trust On First Use)
$metadata['__DYNAMIC:1__'] = [
'host' => '__DEFAULT__',
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
'auth' => 'example-userpass',
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => [
// Add Webauthn second factor validation
100 => ['class' => 'authwebauthn:WebAuthn',
'id' => 'uid',
'database' => '/var/tmp/keys.sq3',
'purpose' => 'fallback'
],
],
],
];