Learn how FIDO standards compliment federation protocols. These guidelines detail how to integrate the two in order to add support for FIDO-based multi-factor authentication and replace or supplement traditional authentication methods in federation environments.

1. All Rights Reserved | FIDO Alliance | Copyright 20181
INTEGRATING
FIDO AUTHENTICATION
& FEDERATION PROTOCOLS
BEST PRACTICES FOR
ENTERPRISE DEPLOYMENT

2. AGENDA
• Does FIDO complement Federation?
• What are the benefits in pairing FIDO and Federation?
• How to integrate FIDO with modern Federation protocols?
All Rights Reserved | FIDO Alliance | Copyright 20182

3. What is FIDO?
Physical-to-digital identity
User Management
AUTHENTICATION
Federation
Single
Sign-On
Passwords SimpleStrong
FIDO Authentication
FIDO is an authentication protocol
FIDO is not a federation protocol
FIDO is not an authorization protocol
FIDO is not an identity standard
All Rights Reserved | FIDO Alliance | Copyright 20183

4. How does FIDO Work?
RP Application
FIDO Client
USER’S DEVICE
RP Server
FIDO Server
RELYING PARTY
Generic View
Authenticator
Architecture
All Rights Reserved | FIDO Alliance | Copyright 20184

5. How does FIDO Work?
RP Application
FIDO Client
USER’S DEVICE
RP Server
FIDO Server
RELYING PARTYGeneric View
Authenticator
Registration
Private attestation key
Private
authentication
key
Public
Authentication
key
All Rights Reserved | FIDO Alliance | Copyright 20185

6. How does FIDO Work?
RP Application
FIDO Client
USER’S DEVICE
RP Server
FIDO Server
RELYING PARTYGeneric View
Authenticator
(Signed) Response
Challenge
Require user gesture
before private key
can be used
Authentication
Private attestation key
Private
authentication
key
Public
Authentication
key
All Rights Reserved | FIDO Alliance | Copyright 20186

7. FIDO and User Identity
AuthenticatorUser verification FIDO Authentication
Same Authenticator
as registered before?
Same User as enrolled
before?
Identity proofing and binding done
outside FIDO
…
No user attributes
in FIDO server
No user attributes in
the Authenticator
All Rights Reserved | FIDO Alliance | Copyright 20187

8. RP 1
Authenticator
One Authenticator, Many Applications
Origin 1 Origin 2 Origin 1
Unique authn keys per RP
Isolation of authentication transactions
Account 2Account 1 Account 3 Account m
RP 2 RP n
………
Non-linkability
All Rights Reserved | FIDO Alliance | Copyright 20188

9. FIDO Benefits to the User
Reduce the burden of
remembering multiple passwords
Use a simple gesture for
authentication
Use one authenticator with
multiple applications
Biometric data is local
No secrets on the server
No linkability between RPs
All Rights Reserved | FIDO Alliance | Copyright 20189
Reduce the burden of using a
variety of two-factor
authentication form factors
Preserve user privacy

10. What Problems Does Federation Solve?
Without Federation,
Users have to:
Remember multiple passwords
Sign-in multiple times a day
Administrators have to manage:
Authentication policies,
Group permissions and
User accounts
Across multiple domains
Reduced productivity
Increased number help desk calls
Increased administration overhead
Increased security risks
All Rights Reserved | FIDO Alliance | Copyright 201810

11. How Federation Solves These Problems
All Rights Reserved | FIDO Alliance | Copyright 201811
RP
User
User
Authentication
Authenticated
Session
Identity Information
Three-Party Trust Relationship
IdPRP
RP
RP
Authentication
Statement
Identity
Source

12. Federation Benefits to End Users
RP
User
AuthenticationSession
Identity Information
Three-Party Trust Relationship
Users remember one password,
sign in once and access multiple
applications
IdPRP
RP
RP
All Rights Reserved | FIDO Alliance | Copyright 201812

13. Federation Benefits to Relying Parties
IdPRP
User
AuthenticationSession
Identity Information
Three-Party Trust Relationship
IdP
IdP
RPs move user identity to trusted
third-party authentication
authorities
All Rights Reserved | FIDO Alliance | Copyright 201813

14. Federation Benefits to Identity Providers
IdPRP
User
AuthenticationSingle-Sign On
Identity Information
Three-Party Trust Relationship
RP
RP
IdPs link user identity to multiple RPs
- Reduce security risk and administration overhead
- Enforce strong authentication and enable SSO
- Protect user identity attributes
All Rights Reserved | FIDO Alliance | Copyright 201814

15. The Downside of Federation
Users hate to use complex passwords for primary
authentication
Organizations have major concerns about password security
Stronger and more convenient authentication methods
are needed
All Rights Reserved | FIDO Alliance | Copyright 201815

16. FIDO is the Solution
All Rights Reserved | FIDO Alliance | Copyright 201816

17. How FIDO Deployment Complements
Federation
RP
Authentication
(FIDO-based)
Session
Identity Information
Redirect
IdP
FIDO Server
RP
RP
IdP Server
Browser w/
FIDO Client
Authenticator
All Rights Reserved | FIDO Alliance | Copyright 201817
• Lower cost of ownership
• Lower security risks
• Lower help desk calls
• Increased productivityOne authenticator, one
credential for multiple RPs
No changes to RP
applications

18. User Environment
Relying Party
(Application or Service Provider)
Identity Provider
(e.g SAML IDP, OpenID Provider)
FIDO Server
User Agent
FIDO
Authenticator
FIDO
Client
1 Initial Sign-in or Step-up access
3. FIDO challenge/response
Federation Protocol
Federated Authentication Flow with FIDO
3. FIDO challenge/response
2. Authentication Request
4. Authentication Response indicating FIDO
All Rights Reserved | FIDO Alliance | Copyright 201818

19. How to Apply FIDO-based Authentication
Preconfigured IdP Authentication Policy
• Global or per-RP policy set in the IdP
Just-in-Time RP Authentication Policy
• Specified by RP in the authentication request using authn context class reference
• AuthnContextClassRef parameter in SAML
• Acr_values request parameter in OIDC
• IdP returns information indicating that FIDO-based auth was used
• Using AuthnContextClassRef in SAML
• Using acr and amr claims In ID Token in OIDC
All Rights Reserved | FIDO Alliance | Copyright 201819

20. Use AuthnContextClassRef in SAML for JIT
enforcement
Sa m ple SA ML Reques t
Sa m ple SA ML Res po ns e
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
…
<samlp:RequestedAuthnContext Comparison="exact">
...
<saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:MediumAssurance</saml:AuthnContextClassRef>
…
</samlp:RequestedAuthnContext>
…
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ….
<saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" …..
….
<saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:FIDO</saml:AuthnContextClassRef>
……
</saml:AuthnStatement>
…
</samlp:Response>
All Rights Reserved | FIDO Alliance | Copyright 201820

21. Use acr_values in OIDC for JIT
enforcement
Sample OIDC Request /Response
EndpointURI: https://tenant.server.example.com/oidc/auth
Http Parameters: {
response_type: id_token,
client_id: rp_client,
response_mode: query,
redirect_uri: https://rp.example.com/oidc-rp/,
scope: openid,
……
acr_values: phr phrh mfa
RedirectURI: https://rp.example.com/oidc-rp/
Http Parameters: {
…….
'id_token' content:
{
"auth_time":1490898779,
"exp":1490899139,
"sub":"someone@example.com",
…….
"iss":" https://tenant.server.example.com/oidc-fe",
"iat":1490898779,
"acr":“phrh",
"amr":[“hwk"]
}
}
ACR policy identifiers that can be satisfied by FIDO Authenticators are defined OpenID Connect (EAP) ACR Values specification
All Rights Reserved | FIDO Alliance | Copyright 201821

22. Other
Deployment
Options
IdP
Primary Authentication
using non-FIDO method
Session
Identity Information
Secondary/Step-up
Authentication Using FIDO
RP
FIDO Server
RP Server
Browser w/
FIDO Client
Authenticator
All Rights Reserved | FIDO Alliance | Copyright 201822

23. Other
Deployment
Options
Primary
Authentication
using 1st key
Session
Identity Information
Proof of Possession of
2nd key
IdP
FIDO Server
IdP Server
RP
FIDO Server
RP Server
Based on NIST 800-63-3 requirements for FAL3,
this deployment model can qualify for FAL 3
(provided that other conditions are met)
Browser w/
FIDO Client
Authenticator
All Rights Reserved | FIDO Alliance | Copyright 201823

24. Benefits of FIDO & Federation Integration
Users continue to enjoy the benefits of Federated SSO,
while FIDO provides a more convenient, more secure and
privacy preserving method of authentication
Organizations offer a streamlined authentication method
without putting user identity attributes at risk
All Rights Reserved | FIDO Alliance | Copyright 201824

25. While using Federation Authentication, add FIDO support
today and get its benefits
- 200+ Certified FIDO authenticators
- 85+ FIDO certified server implementations
- Some are deployed as part of a Federated authentication solution
For more details on FIDO and Federation integration, read
FIDO Alliance Enterprise Adoption Best Practices white
paper
All Rights Reserved | FIDO Alliance | Copyright 201825