This repo is home to the Gluu Agama-securitykey project. Use this project to authenticate using security devices (Yubico Key, Windows Hello, Touch ID on Mac, etc.).
The project can be deployed to any IAM server that runs an implementation of the Agama Framework like Janssen Server and Gluu Flex.
Different IAM servers may provide different methods and user interfaces from where an Agama project can be deployed on that server. The steps below show how the Agama-securitykey project can be deployed on the Janssen Server. Deployment of an Agama project involves three steps.
- Downloading the
.gamapackage from project repository - Adding the
.gamapackage to the IAM server - Configure the project
Running instances of Jans Auth Server, Jans Fido2', and Jans Casa`
- Download
latest agama-securitykey-custom.jar
from Releases
2.'scp
the jar file to/opt/jans/jetty/jans-auth/custom/libs/` on Auth Server. - On Auth Server, edit
/opt/jans/jetty/jans-auth/webapps/jans-auth.xmland add the jar file to the<set name="extractClasspath">...</Set>element. For example:
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Set name="contextPath">/jans-auth</Set>
<Set name="war">
<Property name="jetty.webapps" default="." />/jans-auth.war
</Set>
<Set name="extractWAR">true</Set>
<Set name="extraClasspath">
...
/opt/jans/jetty/jans-auth/custom/libs/agama-securitykey-custom.jar,
...
</Set>
</Configure>
- Restart Auth Server to load the new jar:
systemctl restart jans-auth
Tip
Skip this step if you use the Janssen Server TUI tool to
configure this project. The TUI tool enables the download and adding of this
project directly from the tool, as part of the community projects listing.
The project is bundled as
.gama package.
Visit the Assets section of the
Releases to download
the .gama package.
The Janssen Server provides multiple ways an Agama project can be deployed and configured. Either use the command-line tool, REST API, or a TUI (text-based UI). Refer to Agama project configuration page in the Janssen Server documentation for more details.
The Agama project accepts configuration parameters in the JSON format. Every Agama project comes with a basic sample configuration file for reference.
Below is a typical configuration of the agama-securitykey project. As shown, it contains configuration parameters for the flows contained in it:
Sample JSON
{
"org.gluu.agama.securitykey.fidoAuthn": {},
"org.gluu.agama.securitykey.main": {}
}
Use any relying party implementation (like jans-tarp) to send an authentication request that triggers the flow.
From the incoming authentication request, the Janssen Server reads the ACR
parameter value to identify which authentication method should be used.
To invoke the org.gluu.agama.securitykey.main flow contained in the Agama-securitykey project,
specify the ACR value as agama_<qualified-name-of-the-top-level-flow>,
i.e agama_org.gluu.agama.securitykey.main.
Fork this repo to start customizing the Agama-securitykey project. It is possible to customize the user interface provided by the flow to suit your organisation's branding guidelines. Or customize the overall flow behavior. Follow the best practices and steps listed here to achieve these customizations in the best possible way. This project can be reused in other Agama projects to create more complex authentication journeys. To reuse trigger the org.gluu.agama.securitykey.main flow from other Agama projects.
To make it easier to visualise and customize the Agama Project, use Agama Lab.
| Qualified Name | Description |
|---|---|
org.gluu.agama.securitykey.main |
When the main flow of this project is launched, the user's browser is redirected to a view where they must first enter their username, then validate one of the security keys that they have. configured for their user (Yubico Key, Windows Hello, Touch ID on Mac, etc.). Finally, the user's browser is redirected to the registered URI. |
Note: You must have registered security devices for your user; to register, you must use Jans Casa.
Check out this video to see the agama-securitykey authentication flow in action. Also check the Agama Project Of The Week video series for a quick demo on this flow.
Note: While the video shows how the flow works overall, it may be dated. Do check the Test The Flow section to understand the current method of passing the ACR parameter when invoking the flow.
