
Configuration

Configuration parameters of Janssen's FIDO2 server

| Field | Example | Description |
|---|---|---|
| issuer | https://my-jans-server.jans.io | URL using the https scheme with no query or fragment component. The OP asserts this as its Issuer Identifier. |
| baseEndpoint | https://my-jans-server/jans-fido2/restv1 | Base URL of the FIDO2 server endpoints. |
| webAuthnEndpoint | https://FQDN/jans-fido2/restv1/webauthn/configuration | URL of the WebAuthn configuration endpoint, which returns the configured RP origins. |
| cleanServiceInterval | 60 | Interval in seconds between runs of the clean service. |
| cleanServiceBatchChunkSize | 10000 | Number of expired entries each clean-up iteration fetches per base DN and removes from storage. |
| useLocalCache | true | Whether to enable the local in-memory cache for attributes, scopes, clients and organization configuration. |
| disableJdkLogger | true | Whether to disable the JDK logger. |
| loggingLevel | "INFO", "DEBUG" or "TRACE" | Logging level of the FIDO2 server. |
| loggingLayout | "text" or "json" | Whether log entries are written as plain text or as JSON. |
| externalLoggerConfiguration | | Path to an external log4j2 logging configuration. |
| metricReporterInterval | 300 | Interval in seconds at which the metric reporter runs. |
| metricReporterKeepDataDays | 15 | Number of days for which reported metric data is retained. |
| metricReporterEnabled | true | Whether to enable the metric reporter. |
| fido2Configuration | See the JSON in the example below | FIDO2-specific configuration; its structure is described in the next table. |

Fido2Configuration structure

| Field | Type | Description | Default value / example |
|---|---|---|---|
| authenticatorCertsFolder | String | Folder where authenticator certificates are stored. | "%(fido2ConfigFolder)s/authenticator_cert" |
| mdsCertsFolder | String | Folder where MDS TOC root certificates are stored. | "%(fido2ConfigFolder)s/mds/cert" |
| mdsTocsFolder | String | Folder where MDS TOC files are stored. | "%(fido2ConfigFolder)s/mds/toc" |
| userAutoEnrollment | Boolean | Whether users are enrolled automatically on enrollment/authentication requests. | false |
| unfinishedRequestExpiration | Integer | Expiration time in seconds for pending enrollment/authentication requests. | 120 (120 seconds) |
| metadataRefreshInterval | Integer | Interval in seconds between refreshes of the MDS metadata. | 1296000 (15 days) |
| serverMetadataFolder | String | Folder where authenticator metadata in JSON format is stored. | "%(fido2ConfigFolder)s/server_metadata" |
| enabledFidoAlgorithms | Array of Strings | Credential algorithms the server requests for FIDO authentication. | ["RS256", "ES256"] |
| requestedParties | Array of Objects | Relying party (RP) configuration: each entry has an id and the origins allowed for that RP. | [ { "id": "https://%(hostname)s", "origins": ["%(hostname)s"] } ] |
| metadataServers | Array of Objects | Metadata servers providing external metadata URLs for FIDO authentication. | [ { "url": "https://mds.fidoalliance.org/" } ] |
| disableMetadataService | Boolean | Whether downloading MDS metadata is skipped. When true, attestation statements cannot be checked against MDS metadata. | false |
| hints | Array of Strings | WebAuthn hints the RP sends to the client about the preferred kind of authenticator (security-key, client-device, hybrid). | ["security-key", "client-device", "hybrid"] |
| enterpriseAttestation | Boolean | Whether enterprise attestation is enabled, for authenticators deployed in a specific protected environment. | false |
| attestationMode | String | Mode of MDS validation during attestation (whether it is omitted or applied); the default is "monitor". | "monitor" |

The placeholder %(fido2ConfigFolder)s resolves to the server's FIDO2 configuration folder (/etc/jans/conf/fido2 in the example response below). Note that the property names in the CLI response differ from this table in places: the response uses rp, metadataUrlsProvider and debugUserAutoEnrollment where this table lists requestedParties, metadataServers and userAutoEnrollment, and it also carries authenticationHistoryExpiration and checkU2fAttestations. When editing, use the names your server actually returns.

Configuring the FIDO2 server

1. Read configuration parameters

Use the following command to obtain the current configuration parameters:

jans cli --operation-id get-properties-fido2

Response:

{
  "issuer": "https://my.jans.server",
  "baseEndpoint": "https://my.jans.server/jans-fido2/restv1",
  "cleanServiceInterval": 60,
  "cleanServiceBatchChunkSize": 10000,
  "useLocalCache": true,
  "disableJdkLogger": true,
  "loggingLevel": "DEBUG",
  "loggingLayout": "text",
  "metricReporterInterval": 300,
  "metricReporterKeepDataDays": 15,
  "metricReporterEnabled": true,
  "personCustomObjectClassList": [
    "jansCustomPerson",
    "jansPerson"
  ],
  "sessionIdPersistInCache": false,
  "fido2Configuration": {
    "authenticatorCertsFolder": "/etc/jans/conf/fido2/authenticator_cert",
    "mdsCertsFolder": "/etc/jans/conf/fido2/mds/cert",
    "mdsTocsFolder": "/etc/jans/conf/fido2/mds/toc",
    "checkU2fAttestations": false,
    "debugUserAutoEnrollment": false,
    "unfinishedRequestExpiration": 180,
    "authenticationHistoryExpiration": 1296000,
    "serverMetadataFolder": "/etc/jans/conf/fido2/server_metadata",
    "metadataUrlsProvider": "",
    "disableMetadataService": false,
    "attestationMode": "monitor",
    "assertionOptionsGenerateEndpointEnabled": true,
    "enabledFidoAlgorithms": [
      "RS256",
      "ES256"
    ],
    "rp": [
      {
        "id": "https://my.jans.server",
        "origins": [
          "my.jans.server"
        ]
      }
    ]
  }
}

2. Update configuration parameters

Steps:
A. Create a JSON file, say /tmp/config_values.json, by editing the JSON obtained in step 1. Start from the complete document rather than a fragment, so that fields you did not mean to change are sent back with their current values.
B. Send it back with the following command: jans cli --operation-id put-properties-fido2 --data /tmp/config_values.json

3. Change the log level of the FIDO2 server

Steps:
A. Create a JSON file, say /tmp/config_values.json, by editing the JSON obtained in step 1, and set loggingLevel to TRACE, DEBUG or INFO.
B. Send it back with the following command: jans cli --operation-id put-properties-fido2 --data /tmp/config_values.json
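The read, edit and write-back cycle of steps 1 to 3, with the constraints from the two tables above checked before anything is sent to the server, as an added Python example (not Janssen project code). It validates a configuration of the shape get-properties-fido2 returns: issuer and baseEndpoint must be https URLs with no query or fragment, loggingLevel must be one of the documented levels, enabledFidoAlgorithms must be non-empty and drawn from the documented set, every origin must be covered by its RP id (the WebAuthn RP ID rule, so a foreign origin cannot use the credentials), and disableMetadataService=true is flagged because it switches MDS checks off. The sample configuration is constructed from the step-1 response on this page; the extra login.<host> origin and the /tmp/config_values.json output path are assumptions for the demonstration.

```python
"""Validate and edit the FIDO2 configuration returned by
`jans cli --operation-id get-properties-fido2` before sending it back with
`jans cli --operation-id put-properties-fido2 --data FILE`.
Added example for this page, not Janssen project code."""
import copy
import json
from urllib.parse import urlsplit

# Constructed from the step-1 response on this page; nothing is fetched from a server.
SAMPLE_CONFIG = {
    "issuer": "https://my.jans.server",
    "baseEndpoint": "https://my.jans.server/jans-fido2/restv1",
    "loggingLevel": "DEBUG",
    "fido2Configuration": {
        "unfinishedRequestExpiration": 180,
        "disableMetadataService": False,
        "attestationMode": "monitor",
        "enabledFidoAlgorithms": ["RS256", "ES256"],
        "rp": [{"id": "https://my.jans.server", "origins": ["my.jans.server"]}],
    },
}
LOG_LEVELS = {"INFO", "DEBUG", "TRACE"}
DOCUMENTED_ALGORITHMS = {"RS256", "ES256"}  # the defaults the page lists


def host_of(value):
    """Host part of an RP id or origin, given either as a bare hostname or as a URL."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/", 1)[0].split(":", 1)[0].lower()


def origin_allowed_by_rp_id(rp_id, origin):
    """WebAuthn RP ID rule: the RP ID must equal the origin's host or be a
    registrable-domain suffix of it (login.example.com is covered by example.com,
    example.com.evil.test is not)."""
    rp_host, origin_host = host_of(rp_id), host_of(origin)
    return bool(rp_host) and (origin_host == rp_host or origin_host.endswith("." + rp_host))


def find_problems(config):
    """Findings as strings; an empty list means the config passes every check."""
    problems = []
    for key in ("issuer", "baseEndpoint"):
        url = urlsplit(str(config.get(key, "")))
        if url.scheme != "https" or url.query or url.fragment:
            problems.append(f"{key} must be an https URL with no query or fragment")
    if config.get("loggingLevel") not in LOG_LEVELS:
        problems.append("loggingLevel must be INFO, DEBUG or TRACE")
    f2 = config.get("fido2Configuration") or {}
    expiry = f2.get("unfinishedRequestExpiration")
    if not isinstance(expiry, int) or expiry <= 0:
        problems.append("unfinishedRequestExpiration must be a positive number of seconds")
    algs = f2.get("enabledFidoAlgorithms") or []
    unknown = sorted(set(algs) - DOCUMENTED_ALGORITHMS)
    if not algs or unknown:
        problems.append(f"enabledFidoAlgorithms must be non-empty and documented; unknown: {unknown}")
    if f2.get("disableMetadataService"):
        problems.append("disableMetadataService is true: attestations cannot be checked against MDS metadata")
    rps = f2.get("rp") or []
    if not rps:
        problems.append("at least one relying party (rp) entry is required")
    for rp in rps:
        rp_id, origins = rp.get("id", ""), rp.get("origins") or []
        if not host_of(rp_id):
            problems.append(f"rp id {rp_id!r} has no host")
        if not origins:
            problems.append(f"rp {rp_id!r} lists no origins")
        for origin in origins:
            if not origin_allowed_by_rp_id(rp_id, origin):
                problems.append(f"origin {origin!r} is not covered by rp id {rp_id!r}")
    return problems


def apply_updates(config, top_level=None, fido2=None):
    """Deep-copy the config and overwrite the given top-level and fido2Configuration
    keys, leaving the original response untouched."""
    updated = copy.deepcopy(config)
    updated.update(top_level or {})
    updated.setdefault("fido2Configuration", {}).update(fido2 or {})
    return updated


def write_for_put(config, path):
    """Write the file for `put-properties-fido2 --data PATH`; refuses an invalid config."""
    problems = find_problems(config)
    if problems:
        raise ValueError("refusing to write invalid config: " + "; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    return path


if __name__ == "__main__":
    # Step-3 style edit (INFO instead of DEBUG) plus an assumed extra origin on the same RP;
    # /tmp/config_values.json is the path the page uses for --data.
    edited = apply_updates(SAMPLE_CONFIG, top_level={"loggingLevel": "INFO"})
    edited["fido2Configuration"]["rp"][0]["origins"].append("login." + host_of(SAMPLE_CONFIG["issuer"]))
    for finding in find_problems(edited):
        print("FINDING:", finding)
    print("wrote", write_for_put(edited, "/tmp/config_values.json"))
```

Run it against the real response by loading the JSON from step 1 into apply_updates instead of SAMPLE_CONFIG; write_for_put refuses to emit a file that fails any check, so a typo in an origin or an http issuer is caught before put-properties-fido2 replaces the live configuration.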

4. Locating the FIDO2 configuration in the persistence layer

Editing the configuration directly at the persistence layer is not recommended for administrators, but knowing where it lives is useful to developers. In MySQL it is held in the jansAppConf table, in the row whose ou is jans-fido2; the jansConfDyn column holds the JSON configuration shown in step 1 (see the diagram at the end of this page).

5. WebAuthn endpoint

A. The WebAuthn endpoints return the list of RP (Relying Party) origins configured for FIDO2 authentication.
B. Endpoints: https://FQDN/jans-fido2/restv1/webauthn/configuration and https://FQDN/.well-known/webauthn

MySQL
erDiagram
    jansAppConf {
        string doc_id PK ""
        string ou  "jans-fido2"
        string jansConfDyn "json configuration for the app"
    }

Last update: 2025-02-27
Created: 2022-07-07