Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Add support for EntraID FIDO2/WebAuthn authentication #1254

Open dpreetam opened 7 months ago

dpreetam commented 7 months ago

EntraID supports device-bound passkeys which are FIDO2 compliant and use the WebAuthn protocol for end-user authentication. With the move towards phishing-resistant authentication methods, the lack of support for passkeys in saml2aws makes it a weak link where administrators have to exempt it from FIDO2 requirements.

Users should be able to authenticate to the EntraID SSO-enabled AWS admin interface using the WebAuthn protocol. Users should be able to sign in with a YubiKey/security key with PIN or Windows Hello for Business.

seppestas commented 6 months ago

I already did this for Okta in https://github.com/Versent/saml2aws/pull/1221. This works by using the Windows Hello platform WebAuthn API.

I'm not sure "Windows Hello" and "Windows Hello for Business" are the same here though. Looks like "Windows Hello for Business" is Windows Hello + extra features like passwordless options. I think/hope the WebAuthn 2FA API is the same.

@dpreetam what are you looking for: "Windows Hello" as a 2nd factor through WebAuthn, or "Windows Hello for Business" passwordless authentication?

I think it should be fairly straightforward to support other SAML providers like AAD / EntraID. Is there some test EntraID environment I could use / set up to register and authenticate a Windows Hello WebAuthn factor? If so, I would be willing to look into this.

@missingcharacter is there any documentation on the AAD / EntraID API? Specifically, what the mfaReq should look like for a WebAuthn / FIDO2 response.