<?php
require_once('vendor/autoload.php');
// simplesamlphp/simplesamlphp-module-webauthn — example configuration snippets: an authproc filter entry (WebAuthn as a second factor) and an authsource entry (Passwordless).
100 => [
/* Authproc filter entry: runs the WebAuthn (FIDO2) second-factor step once the
 * first-factor authsource has completed. The numeric key is the filter's
 * position in the authproc chain; presumably it has to come after whatever
 * filter supplies the "attrib_toggle" attribute used below — confirm this
 * against the rest of your authproc configuration.
 */
'class' => 'webauthn:WebAuthn',
/* Should FIDO2 be required for all users by default? If not, only users that
 * have been white-listed in the module's database (or flagged through
 * "attrib_toggle", see below) are challenged; every other user simply passes
 * through the filter WITHOUT being subjected to 2FA.
 *
 * Security note: false is a fail-open, opt-in model — an account that never
 * registers an authenticator stays protected by its first factor only. Prefer
 * true where the IdP must guarantee a second factor for every account.
 *
 * Defaults to false ("disabled by default").
 */
'default_enable' => false,
/* The following options are only consulted when default_enable is false.
 * The per-user toggle that turns 2FA on can come either from the module's
 * internal database or from the presence/absence of a user attribute
 * retrieved during first-factor authentication.
 */
/*
 * Whether the module's database decides if the second factor is triggered.
 * true  -> database lookup (the "attrib_toggle"/"force" options are not used);
 * false -> the "attrib_toggle" attribute decides, modulated by "force".
 * Default value is true.
 */
'use_database' => true,
/* Only used when "use_database" is false.
 * force = true  -> WebAuthn is triggered only if the user's "attrib_toggle"
 *                  attribute is non-empty.
 * force = false -> a non-empty "attrib_toggle" attribute flips the value of
 *                  "default_enable" for this user instead.
 * Default value is true.
 *
 * NOTE(review): in this mode the MFA decision is taken from an attribute
 * asserted by the first-factor source; if end users can edit that attribute
 * themselves (e.g. via a self-service directory), they can switch off their
 * own second factor — verify who is able to write it.
 */
'force' => true,
/* Name of the user attribute (as delivered by the first-factor authsource)
 * whose presence determines whether WebAuthn is triggered.
 * Default value is 'toggle'.
 */
'attrib_toggle' => 'toggle',
/**
 * The module can assert to the SP that MFA was performed by setting an
 * appropriate <AuthnContextClassRef> in the response. The contexts defined
 * in the original SAML 2.0 spec are of little use for FIDO2.
 *
 * The FIDO Alliance defines its own identifier to indicate that a FIDO key
 * was used, and it is the default if this option is unset. Note that its
 * semantics do NOT imply that any authentication besides the FIDO key
 * (i.e. your first-factor authsource) took place, so you may want to set
 * the more accurate REFEDS MFA identifier below instead.
 *
 * Only assert 'https://refeds.org/profile/mfa' if the deployment actually
 * meets that profile's requirements: SPs may grant elevated access based on
 * this value, so over-claiming it is a security issue, not a cosmetic one.
 *
 * Defaults to 'urn:rsa:names:tc:SAML:2.0:ac:classes:FIDO' if not set.
 *
 * If you authenticate towards Microsoft 365 SPs, which may trigger their
 * own variant of 2FA, you can tell them to skip it by
 * - setting the SP tenant parameter "supportsMFA" to "true", and
 * - returning the AuthnContextClassRef
 *   "http://schemas.microsoft.com/claims/multipleauthn"
 */
// 'authncontextclassref' => 'https://refeds.org/profile/mfa',
],
'name-your-source' => [
/* Authsource entry (presumably for authsources.php): FIDO2 passwordless
 * login, i.e. the WebAuthn credential itself is the authentication step
 * rather than a second factor placed behind another authsource. The first
 * array element names the module class; the key is the name under which the
 * authsource is referenced elsewhere in the configuration.
 */
'webauthn:Passwordless',
/*
 * Defaults to 'urn:rsa:names:tc:SAML:2.0:ac:classes:FIDO' if not set.
 *
 * NOTE(review): before asserting the REFEDS MFA context from a passwordless
 * source, confirm that the way authenticators are accepted here (e.g. whether
 * user verification is required) satisfies the REFEDS MFA profile; the FIDO
 * default makes no claim beyond "a FIDO key was used".
 *
 * If you authenticate towards Microsoft 365 SPs, which may trigger their
 * own variant of 2FA, you can tell them to skip it by
 * - setting the SP tenant parameter "supportsMFA" to "true", and
 * - returning the AuthnContextClassRef
 *   "http://schemas.microsoft.com/claims/multipleauthn"
 */
// 'authncontextclassref' => 'https://refeds.org/profile/mfa',
],