Class WebAuthnMultifactorAuthenticationCoreProperties

java.lang.Object
org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationCoreProperties
All Implemented Interfaces:
Serializable

@RequiresModule(name="cas-server-support-webauthn") public class WebAuthnMultifactorAuthenticationCoreProperties extends Object implements Serializable
Since:
6.4.0
  • Constructor Details

    • WebAuthnMultifactorAuthenticationCoreProperties

      public WebAuthnMultifactorAuthenticationCoreProperties()
  • Method Details

    • getDisplayNameAttribute

      public String getDisplayNameAttribute()
      Name of the principal attribute that indicates the principal's display name, primarily used for device registration.
    • isTrustedDeviceEnabled

      public boolean isTrustedDeviceEnabled()
      Indicates whether this provider should support trusted devices.
    • getTrustSource

      Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service.
    • getApplicationId

      public String getApplicationId()
      The extension input to set for the appid extension when initiating authentication operations. If this member is set, starting an assertion operation will automatically set the appid extension input, and the finish-assertion operation will adjust its verification logic to also accept this AppID as an alternative to the RP ID. By default, this is not set.
    • getRelyingPartyName

      public String getRelyingPartyName()
      The human-palatable name of the Relying Party.
    • getRelyingPartyId

      public String getRelyingPartyId()
      The id that will be set as the rp parameter when initiating registration operations, and against which the rp id hash in authenticator responses will be compared. This is a required parameter. A successful registration or authentication operation requires the rp id hash to exactly equal the SHA-256 hash of this id member. Alternatively, it may instead equal the SHA-256 hash of the application id if the latter is present.
    • isEnabled

      public boolean isEnabled()
      Whether WebAuthn functionality should be activated and enabled.
    • getExpireDevices

      public long getExpireDevices()
      Expire and forget device registration records after this period.
    • getExpireDevicesTimeUnit

      public TimeUnit getExpireDevicesTimeUnit()
      Device registration record expiration time unit.
    • getAllowedOrigins

      public String getAllowedOrigins()
      The allowed origins that returned authenticator responses will be compared against. The default is set to the server name. A successful registration or authentication operation requires the origin of the response to exactly equal one of these values.
    • isAllowUntrustedAttestation

      public boolean isAllowUntrustedAttestation()
      If false, the finish-registration operation will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes self attestation and none attestation. Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to true.
    • isValidateSignatureCounter

      public boolean isValidateSignatureCounter()
      If true, the finish-assertion operation will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.
    • getAttestationConveyancePreference

      public String getAttestationConveyancePreference()
      Accepted values are: DIRECT, INDIRECT, NONE. The argument for the attestation parameter in registration operations. Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.
    • isAllowPrimaryAuthentication

      public boolean isAllowPrimaryAuthentication()
      Configure the authentication flow to allow WebAuthn to be used as the first, primary factor for authentication. Registered accounts with a valid WebAuthn registration record can choose to log in using their device as the first step.
    • isMultipleDeviceRegistrationEnabled

      public boolean isMultipleDeviceRegistrationEnabled()
      When enabled, allows multiple accounts and device registrations per user, so that a user can switch between registered devices/accounts or register new ones.
    • setDisplayNameAttribute

      public WebAuthnMultifactorAuthenticationCoreProperties setDisplayNameAttribute(String displayNameAttribute)
      Name of the principal attribute that indicates the principal's display name, primarily used for device registration.
      Returns:
      this.
    • setTrustedDeviceEnabled

      public WebAuthnMultifactorAuthenticationCoreProperties setTrustedDeviceEnabled(boolean trustedDeviceEnabled)
      Indicates whether this provider should support trusted devices.
      Returns:
      this.
    • setTrustSource

      Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service.
      Returns:
      this.
    • setApplicationId

      public WebAuthnMultifactorAuthenticationCoreProperties setApplicationId(String applicationId)
      The extension input to set for the appid extension when initiating authentication operations. If this member is set, starting an assertion operation will automatically set the appid extension input, and the finish-assertion operation will adjust its verification logic to also accept this AppID as an alternative to the RP ID. By default, this is not set.
      Returns:
      this.
    • setRelyingPartyName

      public WebAuthnMultifactorAuthenticationCoreProperties setRelyingPartyName(String relyingPartyName)
      The human-palatable name of the Relying Party.
      Returns:
      this.
    • setRelyingPartyId

      public WebAuthnMultifactorAuthenticationCoreProperties setRelyingPartyId(String relyingPartyId)
      The id that will be set as the rp parameter when initiating registration operations, and against which the rp id hash in authenticator responses will be compared. This is a required parameter. A successful registration or authentication operation requires the rp id hash to exactly equal the SHA-256 hash of this id member. Alternatively, it may instead equal the SHA-256 hash of the application id if the latter is present.
      Returns:
      this.
    • setEnabled

      public WebAuthnMultifactorAuthenticationCoreProperties setEnabled(boolean enabled)
      Whether WebAuthn functionality should be activated and enabled.
      Returns:
      this.
    • setExpireDevices

      public WebAuthnMultifactorAuthenticationCoreProperties setExpireDevices(long expireDevices)
      Expire and forget device registration records after this period.
      Returns:
      this.
    • setExpireDevicesTimeUnit

      public WebAuthnMultifactorAuthenticationCoreProperties setExpireDevicesTimeUnit(TimeUnit expireDevicesTimeUnit)
      Device registration record expiration time unit.
      Returns:
      this.
    • setAllowedOrigins

      public WebAuthnMultifactorAuthenticationCoreProperties setAllowedOrigins(String allowedOrigins)
      The allowed origins that returned authenticator responses will be compared against. The default is set to the server name. A successful registration or authentication operation requires the origin of the response to exactly equal one of these values.
      Returns:
      this.
    • setAllowUntrustedAttestation

      public WebAuthnMultifactorAuthenticationCoreProperties setAllowUntrustedAttestation(boolean allowUntrustedAttestation)
      If false, the finish-registration operation will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes self attestation and none attestation. Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to true.
      Returns:
      this.
    • setValidateSignatureCounter

      public WebAuthnMultifactorAuthenticationCoreProperties setValidateSignatureCounter(boolean validateSignatureCounter)
      If true, the finish-assertion operation will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.
      Returns:
      this.
    • setAttestationConveyancePreference

      public WebAuthnMultifactorAuthenticationCoreProperties setAttestationConveyancePreference(String attestationConveyancePreference)
      Accepted values are: DIRECT, INDIRECT, NONE. The argument for the attestation parameter in registration operations. Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.
      Returns:
      this.
    • setAllowPrimaryAuthentication

      public WebAuthnMultifactorAuthenticationCoreProperties setAllowPrimaryAuthentication(boolean allowPrimaryAuthentication)
      Configure the authentication flow to allow WebAuthn to be used as the first, primary factor for authentication. Registered accounts with a valid WebAuthn registration record can choose to log in using their device as the first step.
      Returns:
      this.
    • setMultipleDeviceRegistrationEnabled

      public WebAuthnMultifactorAuthenticationCoreProperties setMultipleDeviceRegistrationEnabled(boolean multipleDeviceRegistrationEnabled)
      When enabled, allows multiple accounts and device registrations per user, so that a user can switch between registered devices/accounts or register new ones.
      Returns:
      this.
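
The three verification rules described for getRelyingPartyId/getApplicationId, getAllowedOrigins and isValidateSignatureCounter (rp id hash must equal SHA-256 of the RP ID or, if configured, of the AppID; the response origin must exactly match an allowed origin; the signature counter must be strictly greater than the stored value when validation is on) are shown below in a self-contained Java example added here. It is not code from CAS or from this class: the `RpSettings` record is a constructed stand-in for the subset of properties the checks need, and the sample hash, origin and counter values in `main` are constructed to exercise the accept and reject paths.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Optional;
import java.util.Set;

/** Illustrative relying-party checks for WebAuthn responses (added example, not CAS code). */
public final class WebAuthnResponseChecks {

    /** Hypothetical holder for the subset of core properties used here; mirrors the getters above. */
    record RpSettings(String relyingPartyId,
                      Optional<String> applicationId,
                      Set<String> allowedOrigins,
                      boolean validateSignatureCounter) {}

    static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * rpIdHash from authenticatorData must equal SHA-256(relyingPartyId); if an AppID is
     * configured, SHA-256(applicationId) is accepted as the alternative the docs describe.
     * MessageDigest.isEqual is constant-time, so the comparison leaks no timing information.
     */
    static boolean rpIdHashAccepted(RpSettings s, byte[] rpIdHash) {
        if (MessageDigest.isEqual(rpIdHash, sha256(s.relyingPartyId()))) {
            return true;
        }
        return s.applicationId()
                .map(appId -> MessageDigest.isEqual(rpIdHash, sha256(appId)))
                .orElse(false);
    }

    /** The origin parsed from clientDataJSON must exactly equal one of the allowed origins. */
    static boolean originAccepted(RpSettings s, String origin) {
        return origin != null && s.allowedOrigins().contains(origin);
    }

    /**
     * When counter validation is enabled, the counter in the response must be strictly greater
     * than the stored counter; a repeated or lower value suggests a cloned authenticator.
     */
    static boolean signatureCounterAccepted(RpSettings s, long storedCounter, long receivedCounter) {
        return !s.validateSignatureCounter() || receivedCounter > storedCounter;
    }

    public static void main(String[] args) {
        // Constructed settings: RP ID with a legacy AppID, two allowed origins, counter validation on.
        RpSettings settings = new RpSettings(
                "sso.example.org",
                Optional.of("https://legacy.example.org"),
                Set.of("https://sso.example.org", "https://sso.example.org:8443"),
                true);

        // Constructed sample values standing in for fields of a real authenticator response.
        byte[] hashOfRpId = sha256("sso.example.org");
        byte[] hashOfAppId = sha256("https://legacy.example.org");
        byte[] hashOfOtherRp = sha256("attacker.example.net");

        System.out.println("rpIdHash == SHA-256(rpId):   " + rpIdHashAccepted(settings, hashOfRpId));    // true
        System.out.println("rpIdHash == SHA-256(appId):  " + rpIdHashAccepted(settings, hashOfAppId));   // true
        System.out.println("rpIdHash of another RP:      " + rpIdHashAccepted(settings, hashOfOtherRp)); // false

        System.out.println("origin exact match:          " + originAccepted(settings, "https://sso.example.org"));       // true
        System.out.println("origin with trailing slash:  " + originAccepted(settings, "https://sso.example.org/"));      // false
        System.out.println("origin on a subdomain:       " + originAccepted(settings, "https://evil.sso.example.org"));  // false

        System.out.println("counter 41 -> 42:            " + signatureCounterAccepted(settings, 41, 42)); // true
        System.out.println("counter 42 -> 42 (replay?):  " + signatureCounterAccepted(settings, 42, 42)); // false
        System.out.println("counter 42 -> 7 (clone?):    " + signatureCounterAccepted(settings, 42, 7));  // false
    }
}
```

Note that the origin comparison is an exact string match, as the property documentation states: `https://sso.example.org/` and `https://sso.example.org:8443` are different origins, so each form a browser may send has to be listed explicitly in allowedOrigins.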