RapidIdentity Administrators' and Users' Guide

FIDO Configuration

Note

FIDO U2F has been deprecated in Google Chrome as of February 2022. It has been replaced by WebAuthn.

FIDO U2F devices can function across multiple domains, which enables a FIDO U2F device to work in use cases in which RapidIdentity Federation and Portal are not on the same server.

[Screenshot: FIDO_Configuration_via_Auth.jpg]

The FIDO App ID Host is the fully qualified domain name (FQDN) of RapidIdentity Federation. For use cases in which RapidIdentity Federation and Portal are enabled on the same server, the FQDN is that of RapidIdentity. Use cases in which RapidIdentity Federation and Portal are enabled on different servers require the FIDO App ID Host to be the Federation server (e.g., auth.organization.com). Once the FQDN is entered, the FIDO App ID is displayed automatically.

Note

The https:// prefix is added to anything entered in FIDO App ID Host for the FIDO App ID field. Do not type https:// in the FIDO App ID Host field, as it may affect functionality.

IP addresses will not work in this field; it must be populated with an FQDN.

[Screenshot: FIDO_App_ID_Host_Example.jpg]

The FIDO App ID Port is the optional Federation port (e.g., 8443). This can be left blank if no special port is needed to access the appliance.

FIDO Facets are the FQDNs on which FIDO U2F devices are permitted. Use cases in which Federation and Portal are not on the same server require each FQDN to be entered as a Facet; otherwise, only one Facet is required.

Note

This field follows the same rules as FIDO App ID Host, in that it must be a fully qualified domain name without https:// and not an IP address.

Facet Example

In this example, authentication is managed by the server at auth.example.com, but FIDO is being managed on a server at portal.example.com. Adding the server managing FIDO as a facet allows that server to communicate with the FIDO device.

Note

App IDs and Facets must have a public suffix in order to function correctly.

For example, domain.com, domain.org, and domain.net have acceptable suffixes, while domain.local, domain.test, and domain.beta will not perform as expected.

[Screenshot: FIDO_Facet_Example.jpg]

Note

This is only required if multiple servers are being used.
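The App ID Host, Port and Facet rules above (bare FQDN, no https://, no IP address, public suffix) can be checked before saving the configuration. The following is an added example, not RapidIdentity code; the suffix set is a constructed approximation of the page's examples, and the TrustedFacets JSON layout is the FIDO U2F AppID and Facet specification's format (whether RapidIdentity publishes it in that form is an assumption).

```python
import ipaddress
import json
from typing import List, Optional

# Constructed approximation: the page names .local, .test and .beta as suffixes
# that will not work. A production check would consult the Public Suffix List.
NON_PUBLIC_SUFFIXES = {"local", "test", "beta"}

def entry_problem(value: str) -> Optional[str]:
    """Return why a FIDO App ID Host / Facet entry breaks the rules, or None if OK."""
    v = value.strip()
    if v.lower().startswith(("http://", "https://")):
        return "do not type the scheme; https:// is prepended automatically"
    try:
        ipaddress.ip_address(v.strip("[]"))
    except ValueError:
        pass  # not an IP literal, so continue with the FQDN checks
    else:
        return "IP addresses are not accepted; use an FQDN"
    if ":" in v or "/" in v:
        return "enter the bare FQDN; the port has its own field"
    labels = v.lower().split(".")
    if len(labels) < 2 or not all(labels):
        return "not a fully qualified domain name"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return f"'.{labels[-1]}' is not a public suffix"
    return None

def build_app_id(host: str, port: Optional[int] = None) -> str:
    """Derive the FIDO App ID the UI displays: https:// + host, plus :port if set."""
    problem = entry_problem(host)
    if problem:
        raise ValueError(f"FIDO App ID Host {host!r}: {problem}")
    app_id = f"https://{host.strip().lower()}"
    return app_id if port is None else f"{app_id}:{port}"

def trusted_facets_document(facets: List[str]) -> dict:
    """Build a U2F TrustedFacets list from the configured Facets (duplicates dropped)."""
    ids: List[str] = []
    for facet in facets:
        problem = entry_problem(facet)
        if problem:
            raise ValueError(f"FIDO Facet {facet!r}: {problem}")
        origin = f"https://{facet.strip().lower()}"
        if origin not in ids:
            ids.append(origin)
    return {"trustedFacets": [{"version": {"major": 1, "minor": 0}, "ids": ids}]}

if __name__ == "__main__":
    # Constructed split deployment from the Facet Example: Federation on auth.example.com,
    # FIDO handled on portal.example.com, so both FQDNs are entered as Facets.
    print("App ID:", build_app_id("auth.example.com", 8443))
    print(json.dumps(trusted_facets_document(["auth.example.com", "portal.example.com"]), indent=2))
```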