Class WebAuthnMultifactorAuthenticationCoreProperties
java.lang.Object
org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationCoreProperties
- All Implemented Interfaces:
Serializable
@RequiresModule(name="cas-server-support-webauthn")
public class WebAuthnMultifactorAuthenticationCoreProperties
extends Object
implements Serializable
- Since:
- 6.4.0
Constructor Summary
- WebAuthnMultifactorAuthenticationCoreProperties()
Method Summary
Modifier and Type | Method | Description
String | getAllowedOrigins() | The allowed origins that returned authenticator responses will be compared against.
String | getApplicationId() | The extension input to set for the appid extension when initiating authentication operations.
String | getAttestationConveyancePreference() | Accepted values are: DIRECT, INDIRECT, NONE.
String | getDisplayNameAttribute() | Name of the principal attribute that indicates the principal's display name, primarily used for device registration.
long | getExpireDevices() | Expire and forget device registration records after this period.
TimeUnit | getExpireDevicesTimeUnit() | Device registration record expiration time unit.
String | getRelyingPartyId() | The id that will be set as the rp parameter when initiating registration operations, and which id hash will be compared against.
String | getRelyingPartyName() | The human-palatable name of the Relying Party.
WebAuthnMultifactorAttestationTrustSourceProperties | getTrustSource() | Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service.
boolean | isAllowPrimaryAuthentication() | Configure the authentication flow to allow WebAuthn to be used as the first primary factor for authentication.
boolean | isAllowUntrustedAttestation() | If false, the finish registration op will only allow registrations where the attestation signature can be linked to a trusted attestation root.
boolean | isEnabled() | Whether WebAuthn functionality should be activated and enabled.
boolean | isMultipleDeviceRegistrationEnabled() | When enabled, allows the user/system to accept multiple accounts and device registrations per user, allowing one to switch between or register new devices/accounts automatically.
boolean | isTrustedDeviceEnabled() | Indicates whether this provider should support trusted devices.
boolean | isValidateSignatureCounter() | If true, the finish assertion op will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.
WebAuthnMultifactorAuthenticationCoreProperties | setAllowedOrigins(String allowedOrigins) | The allowed origins that returned authenticator responses will be compared against.
WebAuthnMultifactorAuthenticationCoreProperties | setAllowPrimaryAuthentication(boolean allowPrimaryAuthentication) | Configure the authentication flow to allow WebAuthn to be used as the first primary factor for authentication.
WebAuthnMultifactorAuthenticationCoreProperties | setAllowUntrustedAttestation(boolean allowUntrustedAttestation) | If false, the finish registration op will only allow registrations where the attestation signature can be linked to a trusted attestation root.
WebAuthnMultifactorAuthenticationCoreProperties | setApplicationId(String applicationId) | The extension input to set for the appid extension when initiating authentication operations.
WebAuthnMultifactorAuthenticationCoreProperties | setAttestationConveyancePreference(String attestationConveyancePreference) | Accepted values are: DIRECT, INDIRECT, NONE.
WebAuthnMultifactorAuthenticationCoreProperties | setDisplayNameAttribute(String displayNameAttribute) | Name of the principal attribute that indicates the principal's display name, primarily used for device registration.
WebAuthnMultifactorAuthenticationCoreProperties | setEnabled(boolean enabled) | Whether WebAuthn functionality should be activated and enabled.
WebAuthnMultifactorAuthenticationCoreProperties | setExpireDevices(long expireDevices) | Expire and forget device registration records after this period.
WebAuthnMultifactorAuthenticationCoreProperties | setExpireDevicesTimeUnit(TimeUnit expireDevicesTimeUnit) | Device registration record expiration time unit.
WebAuthnMultifactorAuthenticationCoreProperties | setMultipleDeviceRegistrationEnabled(boolean multipleDeviceRegistrationEnabled) | When enabled, allows the user/system to accept multiple accounts and device registrations per user, allowing one to switch between or register new devices/accounts automatically.
WebAuthnMultifactorAuthenticationCoreProperties | setRelyingPartyId(String relyingPartyId) | The id that will be set as the rp parameter when initiating registration operations, and which id hash will be compared against.
WebAuthnMultifactorAuthenticationCoreProperties | setRelyingPartyName(String relyingPartyName) | The human-palatable name of the Relying Party.
WebAuthnMultifactorAuthenticationCoreProperties | setTrustedDeviceEnabled(boolean trustedDeviceEnabled) | Indicates whether this provider should support trusted devices.
WebAuthnMultifactorAuthenticationCoreProperties | setTrustSource(WebAuthnMultifactorAttestationTrustSourceProperties trustSource) | Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service.
WebAuthnMultifactorAuthenticationCoreProperties | setValidateSignatureCounter(boolean validateSignatureCounter) | If true, the finish assertion op will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.
-
Constructor Details
-
WebAuthnMultifactorAuthenticationCoreProperties
public WebAuthnMultifactorAuthenticationCoreProperties()
-
-
Method Details
-
getDisplayNameAttribute
public String getDisplayNameAttribute()
Name of the principal attribute that indicates the principal's display name, primarily used for device registration.
-
isTrustedDeviceEnabled
public boolean isTrustedDeviceEnabled()
Indicates whether this provider should support trusted devices.
-
getTrustSource
public WebAuthnMultifactorAttestationTrustSourceProperties getTrustSource()
Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service.
-
getApplicationId
public String getApplicationId()
The extension input to set for the appid extension when initiating authentication operations. If this member is set, starting an assertion op will automatically set the appid extension input, and the finish assertion op will adjust its verification logic to also accept this AppID as an alternative to the RP ID. By default, this is not set.
-
getRelyingPartyName
public String getRelyingPartyName()
The human-palatable name of the Relying Party.
-
getRelyingPartyId
public String getRelyingPartyId()
The id that will be set as the rp parameter when initiating registration operations, and which id hash will be compared against. This is a required parameter. A successful registration or authentication operation requires the rp id hash to exactly equal the SHA-256 hash of this id member. Alternatively, it may instead equal the SHA-256 hash of the application id if the latter is present.
-
isEnabled
public boolean isEnabled()
Whether WebAuthn functionality should be activated and enabled.
-
getExpireDevices
public long getExpireDevices()
Expire and forget device registration records after this period.
-
getExpireDevicesTimeUnit
public TimeUnit getExpireDevicesTimeUnit()
Device registration record expiration time unit.
-
getAllowedOrigins
public String getAllowedOrigins()
The allowed origins that returned authenticator responses will be compared against. The default is set to the server name. A successful registration or authentication operation requires the origin to exactly equal one of these values.
-
isAllowUntrustedAttestation
public boolean isAllowUntrustedAttestation()
If false, the finish registration op will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes self attestation and none attestation. Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to true.
-
isValidateSignatureCounter
public boolean isValidateSignatureCounter()
If true, the finish assertion op will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.
-
getAttestationConveyancePreference
public String getAttestationConveyancePreference()
Accepted values are: DIRECT, INDIRECT, NONE. The argument for the attestation parameter in registration operations. Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.
-
isAllowPrimaryAuthentication
public boolean isAllowPrimaryAuthentication()
Configure the authentication flow to allow WebAuthn to be used as the first primary factor for authentication. Registered accounts with a valid WebAuthn registration record can choose to log in using their device as the first step.
-
isMultipleDeviceRegistrationEnabled
public boolean isMultipleDeviceRegistrationEnabled()
When enabled, allows the user/system to accept multiple accounts and device registrations per user, allowing one to switch between or register new devices/accounts automatically.
setDisplayNameAttribute
public WebAuthnMultifactorAuthenticationCoreProperties setDisplayNameAttribute(String displayNameAttribute) Name of the principal attribute that indicates the principal's display name, primarily used for device registration.- Returns:
this
.
-
setTrustedDeviceEnabled
public WebAuthnMultifactorAuthenticationCoreProperties setTrustedDeviceEnabled(boolean trustedDeviceEnabled) Indicates whether this provider should support trusted devices.- Returns:
this
.
-
setTrustSource
public WebAuthnMultifactorAuthenticationCoreProperties setTrustSource(WebAuthnMultifactorAttestationTrustSourceProperties trustSource) Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service.- Returns:
this
.
-
setApplicationId
public WebAuthnMultifactorAuthenticationCoreProperties setApplicationId(String applicationId) The extension input to set for the appid extension when initiating authentication operations. If this member is set, starting an assertion op will automatically set the appid extension input, and the finish assertion op will adjust its verification logic to also accept this AppID as an alternative to the RP ID. By default, this is not set.- Returns:
this
.
-
setRelyingPartyName
public WebAuthnMultifactorAuthenticationCoreProperties setRelyingPartyName(String relyingPartyName) The human-palatable name of the Relying Party.- Returns:
this
.
-
setRelyingPartyId
public WebAuthnMultifactorAuthenticationCoreProperties setRelyingPartyId(String relyingPartyId) The id that will be set as the rp parameter when initiating registration operations, and which id hash will be compared against. This is a required parameter. A successful registration or authentication operation requires the rp id hash to exactly equal the SHA-256 hash of this id member. Alternatively, it may instead equal the SHA-256 hash of the application id if the latter is present.- Returns:
this
.
-
setEnabled
public WebAuthnMultifactorAuthenticationCoreProperties setEnabled(boolean enabled) Whether WebAuthn functionality should be activated and enabled.- Returns:
this
.
-
setExpireDevices
public WebAuthnMultifactorAuthenticationCoreProperties setExpireDevices(long expireDevices) Expire and forget device registration records after this period.- Returns:
this
.
-
setExpireDevicesTimeUnit
public WebAuthnMultifactorAuthenticationCoreProperties setExpireDevicesTimeUnit(TimeUnit expireDevicesTimeUnit) Device registration record expiration time unit.- Returns:
this
.
-
setAllowedOrigins
public WebAuthnMultifactorAuthenticationCoreProperties setAllowedOrigins(String allowedOrigins) The allowed origins that returned authenticator responses will be compared against. The default is set to the server name. A successful registration or authentication operation requires the origin to exactly equal one of these values.- Returns:
this
.
-
setAllowUntrustedAttestation
public WebAuthnMultifactorAuthenticationCoreProperties setAllowUntrustedAttestation(boolean allowUntrustedAttestation) If false, the finish registration op will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes self attestation and none attestation. Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to true.- Returns:
this
.
-
setValidateSignatureCounter
public WebAuthnMultifactorAuthenticationCoreProperties setValidateSignatureCounter(boolean validateSignatureCounter) If true, the finish assertion op will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.- Returns:
this
.
-
setAttestationConveyancePreference
public WebAuthnMultifactorAuthenticationCoreProperties setAttestationConveyancePreference(String attestationConveyancePreference) Accepted values are: DIRECT, INDIRECT, NONE. The argument for the attestation parameter in registration operations. Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.- Returns:
this
.
-
setAllowPrimaryAuthentication
public WebAuthnMultifactorAuthenticationCoreProperties setAllowPrimaryAuthentication(boolean allowPrimaryAuthentication) Configure the authentication flow to allow WebAuthn to be used as the first primary factor for authentication. Registered accounts with a valid WebAuthn registration record can choose to log in using their device as the first step.- Returns:
this
.
-
setMultipleDeviceRegistrationEnabled
public WebAuthnMultifactorAuthenticationCoreProperties setMultipleDeviceRegistrationEnabled(boolean multipleDeviceRegistrationEnabled) When enabled, allows the user/system to accept multiple accounts and device registrations per user, allowing one to switch between or register new devices/accounts automatically.- Returns:
this
.
-