Nok Nok Labs Fido Auth Tree Nodes

The Nok Nok S3 Authentication Suite enables FIDO certified multi-factor authentication (FIDO UAF, FIDO U2F, WebAuthn, and FIDO2) for mobile and web applications. Rather than the unpleasant experience of entering usernames and passwords, users can enjoy using the latest biometric authentication technology that already exists on their devices.

Project Readme

Nok Nok FIDO Auth Node


This authentication node allows you to easily integrate FIDO into your ForgeRock Access Manager implementation.

About Nok Nok Labs

Nok Nok is the trusted leader in next-generation consumer authentication providing passwordless solutions to the world’s largest organizations. Delivering the most innovative authentication solutions in the market today, Nok Nok empowers global organizations to improve the user experience to access digital services, while meeting the most advanced privacy and regulatory requirements. The Nok Nok™ S3 Authentication Suite integrates into existing security environments to deliver a cost-effective, future-proof and standards-based authentication solution. As a founder of the FIDO Alliance and inventor of FIDO specifications, Nok Nok is the expert in deploying standards-based authentication. For more information, visit www.noknok.com.

Installation

The following are the installation steps:

1. Copy the provided nnl-auth-nodes.jar file and the external dependencies listed under External Dependencies (excluding gwtutorial.war) into the following directory of the AM deployment:

../$CATALINA_HOME/webapps/openam/WEB-INF/lib

2. Copy the provided jwt_config.json file (the JSON Web Key Set used for token validation) to the following directory:

../$CATALINA_HOME/webapps/openam/WEB-INF/classes/configurations/default/token

3. Extract gwtutorial.war into the following directory:

../$CATALINA_HOME/webapps/gwtutorial/

4. Copy the provided jwt_config.json file (the JSON Web Key Set used for token validation) to the following directory:

../$CATALINA_HOME/webapps/gwtutorial/WEB-INF/classes/configurations/default/SessionPlugin

5. Update the API endpoints for the login page by navigating to the following URI:

http://{{am-server-domain-and-port}}/gwtutorial/configure

Replace {{tenant}} with the supplied tenant name. Replace {{am-server-domain-and-port}} with the domain and port where you installed the Tutorial WebApp. Then paste the following text into the configuration box and click on "save".

{
    "version": "1.2",
    "nnlappsdk_url": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway-6.0.2",
    "reg_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/nnl/reg",
    "auth_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/nnl/auth",
    "login_url": "https://{{am-server-domain-and-port}}/gwtutorial/login",
    "fed_login_url": null,
    "fed_logout_url": null,
    "recovery_setup_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/recovery/setup",
    "recovery_verify_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/recovery/verify",
    "netverify_endpoint": "https://{{am-server-domain-and-port}}/gwtutorial/nvinit",
    "federation_enabled": false,
    "sso_enabled": true
}

Note that the configuration is saved in the local browser. If you use a different browser, you will need to save the same configuration there.

6. Restart the web container to pick up the new node. The custom node then appears in the authentication trees menu.
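A small check for step 5, added here as an example and not part of the Nok Nok or ForgeRock deliverables: it renders the configuration template above with the two placeholders filled in, then verifies that the result parses as JSON (a trailing comma after the last key is the usual mistake), that no `{{...}}` placeholder survived, that the required endpoint keys are present, and that every endpoint is served over https. The tenant name, the AM host and port, and the set of required keys are assumptions made for the example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed copy of the configuration template from installation step 5.
# The placeholder names are the page's; the values substituted below are assumed.
TEMPLATE = """{
    "version": "1.2",
    "nnlappsdk_url": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway-6.0.2",
    "reg_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/nnl/reg",
    "auth_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/nnl/auth",
    "login_url": "https://{{am-server-domain-and-port}}/gwtutorial/login",
    "fed_login_url": null,
    "fed_logout_url": null,
    "recovery_setup_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/recovery/setup",
    "recovery_verify_endpoint": "https://cloud.noknok.com/{{tenant}}/webapps/nnlgateway/recovery/verify",
    "netverify_endpoint": "https://{{am-server-domain-and-port}}/gwtutorial/nvinit",
    "federation_enabled": false,
    "sso_enabled": true
}"""

PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_-]+)\}\}")

# Assumed minimum set of keys the login page needs to reach the gateway and AM.
REQUIRED_KEYS = ("nnlappsdk_url", "reg_endpoint", "auth_endpoint", "login_url")


def render_config(template, values):
    """Substitute every {{name}} placeholder; fail loudly on a name with no value."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value supplied for placeholder {{%s}}" % name)
        return values[name]
    return PLACEHOLDER.sub(substitute, template)


def check_config(text):
    """Return a list of problems found in a rendered configuration (empty when clean)."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        # A trailing comma after the last key is the usual cause here.
        return ["not valid JSON: %s" % err]
    leftover = sorted(set(PLACEHOLDER.findall(text)))
    if leftover:
        problems.append("unreplaced placeholders: %s" % ", ".join(leftover))
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            problems.append("missing or empty required key: %s" % key)
    for key, value in cfg.items():
        if not (key.endswith("_url") or key.endswith("_endpoint")) or value is None:
            continue  # null is allowed, e.g. fed_login_url while federation is disabled
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append("%s is not served over https: %s" % (key, value))
        if not parsed.netloc:
            problems.append("%s has no host: %s" % (key, value))
    return problems


if __name__ == "__main__":
    rendered = render_config(TEMPLATE, {"tenant": "example-tenant",
                                        "am-server-domain-and-port": "am.example.test:8443"})
    print(check_config(rendered) or "configuration OK")
```

Because the configuration is stored per browser, running the check on the exact text you paste is the cheapest way to avoid a silently broken login page on the second browser.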

External Dependencies

| Distribution Package | Description |
| --- | --- |
| log4j-slf4j-impl-2.12.0.jar | The Apache Log4j SLF4J API binding to Log4j 2 Core |
| log4j-jcl-2.12.0.jar | The Apache Log4j Commons Logging Adapter |
| log4j-core-2.12.0.jar, log4j-api-2.12.0.jar | The Apache Log4j Implementation |
| log4j-1.2-api-2.12.0.jar | The Apache Log4j dependency for the 1.x Compatibility API |
| nnlgateway.jar | Session Manager library that manages JWT Token Configurations and performs JWT Token validation |
| gwtutorial.war | Tutorial WebApp client for the Login Page supporting FIDO Authentication |

Configuration

To enable sign-in using the NNL authentication node:

  • From the Authentication → Trees menu, create a new authentication tree, e.g., NNLFIDOAuthTree.

  • The following is an example of an authentication tree using the NNL Validator Node. You can add your own nodes, or the standard username/password authentication nodes provided by the AM server, for password-based authentication.

  • Save the tree after adding all the required nodes.

  • Update Authentication → Settings so that the NNLFIDOAuthTree tree is the default for the authentication flow.

NNL Token Validator Node

Once you install the jar file, the NNL Token Validator Node is available in the tree designer palette:

The NNL Token Validator Node is a tree node that serves two purposes.

  • It acts as a redirection node to the Nok Nok Authentication client hosted with AM server. This NNL client enables FIDO certified multi-factor authentication (FIDO UAF, FIDO U2F, WebAuthn, and FIDO2) for web applications.
  • It validates the JWT Token received from the Nok Nok Authentication Server after successful user authentication using FIDO and generates user session information.

These are the Node Configuration Properties:

  • Authorization Cookie Name: name of the authentication cookie that carries the JWT received from the NNL Auth Server.
  • AM Endpoint: URI to the AM endpoint of the hosted AM server.
  • Login Page Endpoint: URI to the tutorial webapp login page hosted on the server.

Update the hostname in the node settings to match your installation.
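To make the second purpose of the node concrete, here is an added example (not the Nok Nok node's code, whose internals are not shown on this page) of what validating a JWT taken from the configured authorization cookie against a JSON Web Key Set involves: reading the cookie by name, refusing any algorithm other than the one the key set dictates (so an `alg: none` token is rejected before any signature work), matching the key by `kid`, verifying the signature with a constant-time comparison, and checking issuer, audience and expiry. The key set layout, the use of a symmetric HS256 key (so the example runs on the Python standard library alone), the cookie name `nnl_auth`, and the issuer and audience strings are all assumptions made for the example; the real jwt_config.json format is not documented here.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key set in JWKS shape (assumption: the real jwt_config.json layout
# is not shown on the page). A symmetric "oct" key keeps the example dependency-free.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "oct", "alg": "HS256", "kid": "nnl-demo-key",
         "k": b64url_encode(b"constructed-demo-secret-do-not-reuse")}
    ]
}


def get_cookie(cookie_header, name):
    """Pull one cookie value out of a raw Cookie request header (None if absent)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def validate_jwt(token, jwks, issuer, audience, now=None):
    """Verify signature and claims; return the payload or raise ValueError."""
    now = time.time() if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = segments
    header = json.loads(b64url_decode(header_b64))
    # The key set, not the token header, decides the algorithm: anything other
    # than the expected HS256 (including "none") is rejected before any crypto.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise ValueError("no usable key for kid %r" % header.get("kid"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("unexpected audience")
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def validate_from_cookie(cookie_header, cookie_name, jwks, issuer, audience, now=None):
    """Locate the cookie named in the node settings, then validate the JWT it carries."""
    token = get_cookie(cookie_header, cookie_name)
    if token is None:
        raise ValueError("cookie %r not present" % cookie_name)
    return validate_jwt(token, jwks, issuer, audience, now)


def mint_token(payload, jwks, kid):
    """Produce a signed sample token (only so the example has input to check)."""
    key = next(k for k in jwks["keys"] if k["kid"] == kid)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = "%s.%s" % (b64url_encode(json.dumps(header).encode()),
                               b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(b64url_decode(key["k"]), signing_input.encode("ascii"), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, b64url_encode(sig))


if __name__ == "__main__":
    sample = mint_token({"sub": "demo", "iss": "nnl-auth-server", "aud": "openam",
                         "exp": 2000000000}, SAMPLE_JWKS, "nnl-demo-key")
    # Constructed Cookie header; "nnl_auth" stands in for the configured cookie name.
    print(validate_from_cookie("JSESSIONID=abc123; nnl_auth=" + sample, "nnl_auth",
                               SAMPLE_JWKS, "nnl-auth-server", "openam", now=1700000000))
```

The order of the checks is the point: the algorithm and key lookup come from the operator-controlled key set, the signature is verified before the payload is even parsed, and only then are the claims trusted to build session information.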

Registration Flow

Before being able to use FIDO, you need to register a credential. Navigate to http://{{am-server-domain-and-port}}/gwtutorial in a WebAuthn capable browser.

1. Log in using any chosen user, e.g., "demo", and the hardcoded password "noknok".

2. Click on Setup. This will trigger a WebAuthn registration.

3. You will see the new registration listed.

4. Now click the top left menu and then pick logout.

Authentication Flow

You will need a service provider that has been configured to work with your Access Manager server.

1. Navigate to your service provider, which should redirect to your Access Manager if you are not signed in already.

2. The NNL Token Validator Node redirects to the NNL Authentication Client's Sign-In page hosted on your Access Manager server.

3. The user can sign in using FIDO2.

4. After successful authentication, the user is redirected to the consent page on the AM server.

5. Once the user consents, the browser is redirected to the client application with the session information needed to access protected resources.

Support

For more information on this node or to request a demonstration, please contact: Frank Gasparovic - frank.gasparovic@forgerock.com or info@noknok.com

Project Information
Partner
6.5.2
2020-02-03
openam, authentication, authTreeNode
Frank.Gasparovic