Webauthn token not required after ADFS successful login

[shellandco]

Hello,

I'm currently testing PrivacyIdea and I want to validate the usage of webauthn token with our ADFS. First of all, I have configured the policies on PrivacyIdea to be able to enroll webauthn token. I have then successfully enroll a webauthn token for a specific user. On the adfs side, I have installed the latest package available here and I have configured the registry as shown below :

• debug_log 1
• disable_ssl 1
• realm > my realm name in PI
• url > https://[my PI IP address]

I have tested successfully a ADFS login + TOTP code

To be able to use webauthn token, I have tried :

• disable the TOTP token for the user
• delete the TOTP token for the user but no prompt to activate/insert webauthn token

Could you please help me on this issue ? Thank you in advance for your help

Regards

[nilsbehlen]

Hi, WebAuthn token are challenge-response type token, which means you have to trigger the challenge before you can be prompted for your token. Triggering can be done by sending an empty password with the username to privacyIDEA before the page loads. For this to have effect, the WebAuthn token must have a PIN which is also an empty string. Alternatively, you can use a service ("admin") account of privacyIDEA to trigger all challenges for a user, regardless of any token PINs. https://github.com/privacyidea/adfs-provider#configuration

[shellandco]

Hello,

That was the point I did not understand. It works fine following your advice. Many thanks for your quick answer !

PS : I have added the registry setting send_empty_pass > 1

Have a nice day