FIDO — How to configure and use

FIDO support and usage

Pointsharp currently supports FIDO for web resources published in the Gateway Server, and also in the MFA Adapter for ADFS.

It can be used with external security keys from Feitian, Titan and Yubikey, as well as with on-device authenticators such as Windows Hello.

Configuration in Pointsharp ID — token setup

  1. Start the PSID Admin GUI.

  2. Go to the tab Tokens.

  3. Click FIDO.

[Screenshot: Admin GUI, Tokens tab, FIDO]

Change the Relying Party Name and Relying Party ID to fit your company names. Note that the Relying Party ID must match the domain under which users reach the Gateway and the User Portal, since the registered FIDO credentials are bound to it.

See Tokens for a complete description on how to configure the FIDO settings.
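As an added check, not part of the Pointsharp documentation: the Relying Party ID is a WebAuthn RP ID, so it must equal the host name users browse to, or be a registrable-domain suffix of it, for every site that will prompt for FIDO (Gateway listeners such as OWA, the User Portal, ADFS). The script below validates a candidate RP ID against a list of such origins; the host names are constructed examples, and the "at least two labels" rule is a stand-in for a full Public Suffix List lookup.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def effective_domain(origin: str) -> str:
    """Return the lower-cased host of an https origin such as https://owa.example.com:443."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        # WebAuthn only runs in a secure context, so anything else is a misconfiguration.
        raise ValueError(f"origin must be https with a host name: {origin!r}")
    return parts.hostname.lower().rstrip(".")


def rp_id_valid_for(rp_id: str, origin: str) -> bool:
    """WebAuthn rule: the RP ID must equal the origin's effective domain or be a
    registrable-domain suffix of it. Simplification (assumption): a suffix with at
    least two labels is accepted instead of consulting the Public Suffix List, so a
    bare TLD such as "com" is rejected."""
    rp = rp_id.lower().rstrip(".")
    host = effective_domain(origin)
    if rp == host:
        return True
    return host.endswith("." + rp) and rp.count(".") >= 1


def check_relying_party(rp_id: str, origins: list[str]) -> list[str]:
    """Return the origins that the configured RP ID does not cover (empty means OK)."""
    return [o for o in origins if not rp_id_valid_for(rp_id, o)]


if __name__ == "__main__":
    # Constructed example: one RP ID covering the OWA listener and the User Portal.
    sites = ["https://owa.example.com", "https://portal.example.com"]
    print("uncovered:", check_relying_party("example.com", sites))      # uncovered: []
    print("uncovered:", check_relying_party("psid.example.com", sites)) # both sites listed
```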

Configuration in Pointsharp ID — authentication method

[Screenshot: Authentication tab, FIDO]

  1. Start the PSID Admin GUI.

  2. Go to the tab Authentication.

  3. Click Add and choose FIDO as the Authentication method.

  4. The value Name is a friendly name; it is the name that will later be shown in the Access Gateway.

  5. IP Address only needs to be entered if the Pointsharp ID Server should bind to a specific network interface and its IP address. Otherwise leave the default.

  6. Port number does not need to be edited.

  7. Choose an authentication method, or None if passwordless authentication is to be used.

  8. Click OK when done, then go to the tab General and restart the service.

Registering tokens — IIS manager and application settings

FIDO tokens are registered in the User Portal, so the first step is to enable the FIDO token option there.

There are two options:

  • hardware tokens, and

  • on-device authenticators.

Do as follows:

  1. Start the IIS Manager on the Pointsharp ID Server.

  2. Expand the sites and click User Portal.

  3. Open the Application Settings for the User Portal site.

    [Screenshot: User Portal, Application Settings]

  4. Locate the value SECURITY_TOKEN_SELECTABLE_TYPES and double-click to edit.

    [Screenshot: User Portal, SECURITY_TOKEN_SELECTABLE_TYPES]

  5. Two values can be entered: FidoTpmToken enables on-device authenticators such as Windows Hello, and FidoToken enables external security keys. Add one or both exactly as shown in the screenshot above. The values are case-sensitive.

  6. The User Portal configuration is now done, and FIDO should appear as an option in the User Portal when adding new tokens.

    [Screenshot: User Portal, FIDO token option]

Adding FIDO authentication in Access Gateway Server

The next step is to add the FIDO authentication method as an option. This is done on the Access Gateway. In this example we have added FIDO to our OWA. If you are setting up a new Listener, for example OWA, the FIDO option will be presented in the Wizard.

This guide shows how to change the authentication method for OWA, or add FIDO as an additional option on an already existing OWA Listener.

  1. Open up the OWA Listener and the /owa/ rule.

    [Screenshot: OWA Listener, /owa/ rule]

  2. Right-click the modForms module and choose Go to module.

    [Screenshot: modForms module]

  3. In the modForms module under Authentication Methods, click Add and add the newly created FIDO authentication method.

  4. Click Save and then Publish to complete the Gateway configuration.

MFA Adapter

When FIDO is used in combination with the MFA Adapter, simply add the new FIDO Authentication Method created in the PSID Admin GUI to the MFA Adapter configuration file as a regular authentication method.

Please see Secure ADFS Access for details.