FIDO2 Card Configuration

Card Reader Support

The Elatec smartcard reader is supported. This reader must contain Chip Card Interface Device (CCID) firmware. This reader can communicate with FIDO2 security keys and FIDO2 smart cards.

Requirements

  • Only Microsoft Entra ID is tested and supported.
  • Users must register the FIDO2 hardware security token in their profile before they can use it with SLNX.
  • A corresponding Open ID Connect profile must be correctly configured as the authentication profile in SLNX. Refer to Open ID Connect Authentication.

Proximity Cards

  • Mifare Classic 1K and 4K are supported. Users are identified by the standard card UID.

  • Other proximity cards are not supported.

Configuration in SLNX Admin Tool

1. Add the Card Reader to the Authentication Profile

  1. Click [Configuration] → [Streamline NX Embedded Settings] → [Embedded Authentication].

  2. Add or edit the profile that will be used to authenticate with FIDO2 at the embedded devices.
  3. Set the [Card Reader] field to [Smartcard Reader].
  4. Click [Card Reader Settings] and set only the [Log level]. Set this level to ERROR unless otherwise necessary. No other settings are required. Click [OK] to close the screen.
  5. Complete other settings in the Authentication and Accounting tab as needed. Refer to Configure the Embedded Authentication Properties for additional information.
  6. [Save] the settings.

2. Advanced System Settings in SLNX

To complete this task, you must log in to SLNX with the customer engineer role. Only this role can view the Advanced System Settings Editor in the Streamline NX Admin Tool.

  1. In the Advanced System Settings Editor tab, click [View] and choose [Delegation Server] settings.

  2. Click the Filter icon, and type "FIDO2" to search for any existing related keys before you proceed to add keys.

  3. Click [Add] and then click [Save] after defining the first GC key listed in the table below.

    Only the first key 'ds.auth.fido2.enable' is required. For all other properties the specified default will be applied even if the property is not set in the Advanced System Settings Editor. Add the GC keys to the editor only if you want to modify the default values listed below.

  4. GC keys (GC Key; Description; Possible values):

    ds.auth.fido2.enable
      Description:
      • Set this key to true to enable FIDO2 authentication.
      • The default value is false.
      Possible values: true, false

    ds.auth.fido2.cm.timeout
      Description:
      • Sets the length of time to wait for the Card Manager to respond.
      • The default value is 10 seconds.
      Possible values: 1-60 seconds

    ds.auth.fido2.loginHint.use
      Description:
      • If set to true, allows the UPN/email of the login user to be used as the login hint. The UPN/email is retrieved from the credentials available on the FIDO2 security key.
      • The default value is true.
      Possible values: true, false

    ds.auth.fido2.relyingParty.defaultId
      Description:
      • Defines the default ID of the relying party that should be used.
      • The default value is login.microsoft.com
      Possible values: text value

    ds.auth.fido2.log.level
      Description:
      • Sets the log level for the FIDO2 platform:
        • INFO: logs messages with level INFO and above.
        • TRACE: logs all messages, including DEBUG and VERBOSE.
      • The default log level is INFO.
      Possible values: text value

    ds.auth.fido2.credentials.domainFiltering
      Description:
      • Defines optional domain filtering for the UPN/email of the login user.
      • Set this key when there are multiple credentials on the FIDO2 security key for the same relying party.
      • If this key is not specified, credentials will not be filtered.
      • Enter each value separated by a comma. For example 'domain 1, domain 2, ...'
      Possible values: text

    ds.auth.fido2.webView.userAgent
      Description:
      • Defines the User Agent used in the Web View when the user interacts with the relying party application.
        The configured User Agent can affect compatibility with the relying party's login application, which may require a specific environment. The default value emulates a client running on a Windows environment so that the login application from Windows works correctly.
      • The default value is: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
      Possible values: text

    ds.auth.fido2.jwks.connectionTimeout
      Description:
      • Defines the HTTP connection timeout for communication with the JSON Web Key Set endpoint during OIDC token validation.
      • 0 indicates no timeout.
      • The default value is 3000 milliseconds.
      Possible values: number

    ds.auth.fido2.jwks.readTimeout
      Description:
      • Defines the HTTP read timeout for communication with the JSON Web Key Set endpoint during OIDC token validation.
      • 0 indicates no timeout.
      • The default value is 3000 milliseconds.
      Possible values: number

    ds.auth.fido2.jwks.sizeLimit
      Description:
      • Defines the size limit for communication with the JSON Web Key Set endpoint during OIDC token validation.
      • The default value is 51200 bytes.
      Possible values: number
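The following is an added example, not Streamline NX code, that models how the GC keys above resolve to effective values (documented defaults applied for unset keys, documented ranges enforced) and how the credential domain filter and login-hint settings decide which UPN is offered as the login hint. The credential list and the handling of an ambiguous match (no hint sent) are assumptions.

```python
# Added example (not Streamline NX code): models how the ds.auth.fido2.*
# GC keys resolve to effective values and how the documented domain filter
# picks the login hint. Credential list and behaviour on ambiguity are assumptions.
DEFAULTS = {
    "ds.auth.fido2.enable": "false",
    "ds.auth.fido2.cm.timeout": "10",                 # seconds, 1-60
    "ds.auth.fido2.loginHint.use": "true",
    "ds.auth.fido2.relyingParty.defaultId": "login.microsoft.com",
    "ds.auth.fido2.log.level": "INFO",
    "ds.auth.fido2.credentials.domainFiltering": "",  # empty: no filtering
    "ds.auth.fido2.jwks.connectionTimeout": "3000",   # ms, 0 = no timeout
    "ds.auth.fido2.jwks.readTimeout": "3000",         # ms, 0 = no timeout
    "ds.auth.fido2.jwks.sizeLimit": "51200",          # bytes
}
BOOL_KEYS = ("ds.auth.fido2.enable", "ds.auth.fido2.loginHint.use")


def resolve(configured):
    """Overlay keys set in the editor on the documented defaults and reject
    values outside the documented ranges (raises ValueError)."""
    eff = {**DEFAULTS, **{k: v.strip() for k, v in configured.items()}}
    for key in BOOL_KEYS:
        if eff[key].lower() not in ("true", "false"):
            raise ValueError(f"{key} must be true or false")
    if not 1 <= int(eff["ds.auth.fido2.cm.timeout"]) <= 60:
        raise ValueError("ds.auth.fido2.cm.timeout must be 1-60 seconds")
    if eff["ds.auth.fido2.log.level"] not in ("INFO", "TRACE"):
        raise ValueError("ds.auth.fido2.log.level must be INFO or TRACE")
    for key in ("ds.auth.fido2.jwks.connectionTimeout",
                "ds.auth.fido2.jwks.readTimeout", "ds.auth.fido2.jwks.sizeLimit"):
        if int(eff[key]) < 0:
            raise ValueError(f"{key} must be a non-negative number")
    return eff


def select_login_hint(eff, credentials, rp_id=None):
    """credentials: constructed list of (relying_party_id, upn) pairs as read
    from the security key. Returns the UPN to send as login hint, or None.
    Assumption: if the filter still leaves several UPNs, no hint is sent."""
    if eff["ds.auth.fido2.enable"].lower() != "true":
        raise RuntimeError("FIDO2 authentication is disabled")
    if eff["ds.auth.fido2.loginHint.use"].lower() != "true":
        return None
    rp = rp_id or eff["ds.auth.fido2.relyingParty.defaultId"]
    upns = [upn for cred_rp, upn in credentials if cred_rp == rp]
    domains = [d.strip().lower() for d in
               eff["ds.auth.fido2.credentials.domainFiltering"].split(",") if d.strip()]
    if domains:  # key not set -> credentials are not filtered
        upns = [u for u in upns if u.rsplit("@", 1)[-1].lower() in domains]
    return upns[0] if len(upns) == 1 else None
```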

3. Distribute the SLNX FIDO2 package

  1. Create an Embedded Settings profile that includes the Embedded Authentication profile created in step 1 above. Refer to Manage the SLNX Embedded Settings for specific instructions.

  2. Create an embedded applications template and add the embedded package "SLNX_Embedded_FIDO_x.xxx.x.x" and the Embedded Settings profile to the template. You can find the package in the Embedded Applications subfolder within the SLNX installer.

  3. Add this template to a task that removes existing embedded applications from target devices and then installs the new embedded applications from this package. Reboot the device a second time so that the Embedded Authentication enables PCSC.