
Configuration

Configuration Parameters of Janssen's FIDO2 server:

| Field name | Example | Description |
|---|---|---|
| issuer | https://my-jans-server.jans.io | URL using the https scheme with no query or fragment component. The OP asserts this as its Issuer Identifier. |
| baseEndpoint | https://my-jans-server/jans-fido2/restv1 | Base URL of the FIDO2 server endpoints. |
| webAuthnEndpoint | https://FQDN/jans-fido2/restv1/webauthn/configuration | Base URL of the FIDO2 WebAuthn server endpoint, which returns the RP origins. |
| cleanServiceInterval | 60 | Time interval for the clean service, in seconds. |
| cleanServiceBatchChunkSize | 10000 | Each clean-up iteration fetches a chunk of expired data of this size per base DN and removes it from storage. |
| useLocalCache | true | Boolean value specifying whether to enable the local in-memory cache for attributes, scopes, clients and organization configuration. |
| disableJdkLogger | true | Boolean value specifying whether the JDK loggers are disabled. |
| loggingLevel | "INFO", "TRACE" or "DEBUG" | Logging level of the FIDO2 server. |
| loggingLayout | "text" or "json" | Whether log entries are written as plain text or as JSON. |
| externalLoggerConfiguration | | Path to an external log4j2 logging configuration. |
| metricReporterInterval | 300 | Interval of the metric reporter, in seconds. |
| metricReporterKeepDataDays | 15 | Number of days that reported metric data is retained in the system. |
| metricReporterEnabled | true | Boolean value specifying whether to enable the metric reporter. |
| fido2Configuration | See the JSON contents in the example below | FIDO2 configuration (see the Fido2Configuration structure table). |

Fido2Configuration structure

| Field name | Example | Description |
|---|---|---|
| authenticatorCertsFolder | /etc/jans/conf/fido2/authenticator_cert | Folder holding the authenticator certificates. |
| mdsCertsFolder | /etc/jans/conf/fido2/mds/cert | Folder holding the MDS TOC root certificates. |
| mdsTocsFolder | /etc/jans/conf/fido2/mds/toc | Folder holding the MDS TOC files. |
| serverMetadataFolder | /etc/jans/conf/fido2/server_metadata | Authenticator metadata in JSON format, for example for virtual devices. |
| metadataUrlsProvider | https://mds3.fido.tools | String value giving the source of URLs for external metadata. |
| enabledFidoAlgorithms | ["RS256","ES256"] | |
| rp | [{"id":"https://my-jans-server.jans.io","origins":["my-jans-server.jans.io"]}] | Relying party id. |
| debugUserAutoEnrollment | false | Allows users to be enrolled on enrollment/authentication requests (useful while running tests). |
| unfinishedRequestExpiration | 180 | Expiration time in seconds for pending enrollment/authentication requests. |
| authenticationHistoryExpiration | 1296000 | Expiration time in seconds for approved authentication requests. |
| disableMetadataService | false | Boolean value indicating whether the MDS download should be omitted. |
| attestationMode | "monitor" | Enum value indicating whether MDS validation should be omitted during attestation. |
| assertionOptionsGenerateEndpointEnabled | false | Boolean value indicating whether the custom assertion endpoint (used especially for passkeys) is enabled. |

Configuring the FIDO2 server:

1. Read configuration parameters:

Use the following command to obtain configuration parameters:

jans cli --operation-id get-properties-fido2

Response:

{
  "issuer": "https://my.jans.server",
  "baseEndpoint": "https://my.jans.server/jans-fido2/restv1",
  "cleanServiceInterval": 60,
  "cleanServiceBatchChunkSize": 10000,
  "useLocalCache": true,
  "disableJdkLogger": true,
  "loggingLevel": "DEBUG",
  "loggingLayout": "text",
  "metricReporterInterval": 300,
  "metricReporterKeepDataDays": 15,
  "metricReporterEnabled": true,
  "personCustomObjectClassList": [
    "jansCustomPerson",
    "jansPerson"
  ],
  "sessionIdPersistInCache": false,
  "fido2Configuration": {
    "authenticatorCertsFolder": "/etc/jans/conf/fido2/authenticator_cert",
    "mdsCertsFolder": "/etc/jans/conf/fido2/mds/cert",
    "mdsTocsFolder": "/etc/jans/conf/fido2/mds/toc",
    "checkU2fAttestations": false,
    "debugUserAutoEnrollment": false,
    "unfinishedRequestExpiration": 180,
    "authenticationHistoryExpiration": 1296000,
    "serverMetadataFolder": "/etc/jans/conf/fido2/server_metadata",
    "metadataUrlsProvider": "",
    "disableMetadataService": false,
    "attestationMode": "monitor",
    "assertionOptionsGenerateEndpointEnabled": true,
    "enabledFidoAlgorithms": [
      "RS256",
      "ES256"
    ],
    "rp": [
      {
        "id": "https://my.jans.server",
        "origins": [
          "my.jans.server"
        ]
      }
    ]
  }
}

2. Update configuration parameters:

Steps:
A. Create a JSON file, say /tmp/config_values.json, by editing the JSON from point 1.
B. Use the following command:

jans cli --operation-id post-config-scripts --data /tmp/config_values.json

3. Change the log level of the FIDO2 server

Steps:
A. Create a JSON file, say /tmp/config_values.json, by editing the JSON from point 1. Set loggingLevel to TRACE, DEBUG or INFO.
B. Use the following command:

jans cli --operation-id put-properties-fido --data /tmp/config_values.json
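As an added example covering steps 1 to 3 (not code from the Janssen project): a small Python script that changes loggingLevel in a copy of the exported JSON and reviews a few of the settings from the tables above before the file is sent back with the put command. The sample configuration is a constructed, trimmed copy of the response shown in step 1; the subdomain rule applied to origins is the WebAuthn RP ID rule and is an assumption about how Janssen uses rp.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the JSON that
# "jans cli --operation-id get-properties-fido2" returns on this page.
SAMPLE_CONFIG = json.loads("""
{
  "loggingLevel": "DEBUG",
  "fido2Configuration": {
    "debugUserAutoEnrollment": false,
    "disableMetadataService": false,
    "rp": [{"id": "https://my.jans.server", "origins": ["my.jans.server"]}]
  }
}
""")

ALLOWED_LEVELS = {"TRACE", "DEBUG", "INFO"}  # the values step 3 lists


def set_logging_level(cfg, level):
    """Step 3: return a copy of cfg with loggingLevel changed; unknown levels are rejected."""
    level = level.upper()
    if level not in ALLOWED_LEVELS:
        raise ValueError(f"unsupported loggingLevel {level!r}")
    out = json.loads(json.dumps(cfg))  # deep copy, so the exported JSON is left untouched
    out["loggingLevel"] = level
    return out


def review_fido2_settings(cfg):
    """Return findings worth fixing before the file is sent back with put-properties-fido."""
    findings = []
    f2 = cfg["fido2Configuration"]
    if f2.get("debugUserAutoEnrollment"):
        findings.append("debugUserAutoEnrollment is true: the table marks it as a test-only setting")
    if f2.get("disableMetadataService"):
        findings.append("disableMetadataService is true: MDS downloads are skipped")
    for rp in f2.get("rp", []):
        rp_host = urlparse(rp["id"]).hostname
        for origin in rp.get("origins", []):
            # Assumed WebAuthn rule: the RP ID host must equal the origin host or be a parent domain of it
            if rp_host is None or not (origin == rp_host or origin.endswith("." + rp_host)):
                findings.append(f"origin {origin!r} is not covered by rp id {rp['id']!r}")
    return findings
```

Write `json.dumps(set_logging_level(cfg, "INFO"), indent=2)` to /tmp/config_values.json once `review_fido2_settings` returns an empty list.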

4. Locating the FIDO2 configuration in the persistence layer

While it is not recommended that an administrator directly edits a configuration at the persistence layer, it may be useful information for a developer.

5. WebAuthn Endpoint

A. The WebAuthn endpoints retrieve the list of RP (Relying Party) origins configured for FIDO2 authentication.
B. Endpoints: https://FQDN/restv1/webauthn/configuration and https://FQDN/.well-known/webauthn

MySQL
erDiagram
    jansAppConf {
        string doc_id PK ""
        string ou  "jans-fido2"
        string jansConfDyn "json configuration for the app"
    }

Last update: 2024-12-13
Created: 2022-07-07