
Add support for EntraID FIDO2/WebAuthn authentication #1254

Open
dpreetam opened this issue Apr 23, 2024 · 1 comment

Comments

@dpreetam

EntraID supports device-bound passkeys, which are FIDO2 compliant and use the WebAuthn protocol for end-user authentication. With the move towards phishing-resistant authentication methods, the lack of support for passkeys in saml2aws makes it a weak link, where administrators have to exempt it from FIDO2 requirements.

Users should be able to authenticate to the EntraID SSO-enabled AWS admin interface using the WebAuthn protocol. Users should be able to sign in with a YubiKey/security key with PIN or with Windows Hello for Business.
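To make concrete what "phishing resistant" means in the request above, here is an added, self-contained Go example of the relying-party side of a WebAuthn assertion check. It is not saml2aws code and says nothing about the EntraID-specific request format (which the thread below notes is undocumented); the RP ID, origin, challenge and the simulated authenticator are all constructed for the example. It shows why a credential exercised on a lookalike origin is rejected even though the same private key signed it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData the browser produces and the authenticator signs over.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a reduced WebAuthn assertion response (constructed for this example).
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte
}

// makeAuthData builds authenticatorData: SHA-256(rpId) || flags || 4-byte signature counter.
func makeAuthData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := append([]byte{}, h[:]...)
	buf = append(buf, 0x01) // UP flag: user present
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	return append(buf, ctr...)
}

// signedMessage is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// signAssertion plays the authenticator plus browser: the browser fills in the origin it is
// actually running on, which the authenticator then signs over.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (*Assertion, error) {
	cd, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	if err != nil {
		return nil, err
	}
	authData := makeAuthData(rpID, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion plays the relying party: bind the assertion to the expected origin,
// RP ID and challenge before trusting the signature.
func verifyAssertion(pub *ecdsa.PublicKey, a *Assertion, rpID, expectedOrigin string, challenge []byte) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q does not match expected %q", cd.Origin, expectedOrigin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// Demo returns nil for the genuine origin and an error for a lookalike origin.
func Demo() (legit error, phished error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	const rpID = "login.example.com"           // constructed RP ID
	const origin = "https://login.example.com" // constructed expected origin
	good, _ := signAssertion(priv, rpID, origin, challenge)
	legit = verifyAssertion(&priv.PublicKey, good, rpID, origin, challenge)
	// Same key, same challenge, but the browser recorded a lookalike origin: rejected.
	bad, _ := signAssertion(priv, rpID, "https://login-example.com", challenge)
	phished = verifyAssertion(&priv.PublicKey, bad, rpID, origin, challenge)
	return legit, phished
}

func main() {
	legit, phished := Demo()
	fmt.Println("genuine origin:", legit)
	fmt.Println("lookalike origin:", phished)
}
```

In a real browser the lookalike page could not even request an assertion for that RP ID, since the browser enforces that the RP ID is a registrable suffix of the origin; the relying-party origin and rpIdHash checks shown here are the server-side half of the same binding, and are what a client such as saml2aws relies on the identity provider to enforce.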

@seppestas

I already did this for Okta in #1221. This works by using the Windows Hello platform WebAuthn API.

I'm not sure "Windows Hello" and "Windows Hello for Business" are the same here, though. It looks like "Windows Hello for Business" is Windows Hello plus extra features like passwordless options. I think/hope the WebAuthn 2FA API is the same.

@dpreetam what are you looking for: "Windows Hello" as a 2nd factor through WebAuthn, or "Windows Hello for Business" passwordless authentication?

I think it should be fairly straightforward to support other SAML providers like AAD / EntraID. Is there some test EntraID environment I could use / set up to register and authenticate a Windows Hello WebAuthn factor? If so, I would be willing to look into this.

@missingcharacter is there any documentation on the AAD / EntraID API? Specifically, what the mfaReq should look like for a WebAuthn / FIDO2 response.
