End-to-End Flow
The following section describes the complete process of authentication using FIDO2.
Admin Flow
Token Management
Navigate to the Assignment tab and select the desired user to view their enrolled FIDO token. The tenant can manage the FIDO token using two available actions: View and Delete.
Monitor Authentication Activity
For FIDO authentication, all authentication logs are stored and displayed under the Snapshot tab in the SAS Admin Console.
- Log in as an operator and select the appropriate tenant to view user authentication logs.
- Navigate to the Snapshot tab, where authentication logs for FIDO, like those for other token types, are visible, as illustrated below for the user demouser.
Troubleshooting
- For correct authentication activity logs on the SAS console, SafeNet Access Exchange (SAE) and FIDO Server must be deployed on servers in the same time zone.
- If you are installing SafeNet Access Exchange for the first time, use the compose.yml file and update the IP address in the FIDO2_API_URL environment variable for SAE. If you are using an existing SafeNet Access Exchange deployment, add FIDO2_API_URL to its environment variables:
  FIDO2_API_URL=http://<<IP-Address>>:8080/fido2
- If you encounter any issues related to FIDO enrollment, ensure that all the required prerequisites are complete as outlined in the documentation. Additionally, verify that SafeNet Access Exchange, FIDO server, and SAS PCE are up and running with correct configurations.
- Since multiple FIDO token support is not available, users may experience issues if they use an incorrect FIDO token or PIN during authentication. In such cases, ensure that the correct FIDO token and PIN are used to log in.
- For existing SafeNet Access Exchange users utilizing existing realms, the FIDO Authentication Form must be manually added to their authentication flow.
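The FIDO2_API_URL and time zone items above can be checked before SAE is started. The script below is an added example, not vendor code. It assumes the URL must have exactly the form shown above (http, port 8080, path /fido2), that the host is an IPv4 address or hostname, that the compose service is named sae (a hypothetical name), and that matching `date +%z` output from both hosts is an acceptable stand-in for "same time zone".

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight checks for the FIDO2_API_URL setting.

# Print the FIDO2_API_URL value found in a compose.yml or env file. Accepts
# "FIDO2_API_URL=v", "- FIDO2_API_URL=v" and "FIDO2_API_URL: v"; skips comments.
extract_fido2_api_url() {
    sed -n 's/^[[:space:]-]*FIDO2_API_URL[[:space:]]*[=:][[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//; s/^["'\'']//; s/["'\'']$//' | head -n 1
}

# Return 0 if the value has the documented form http://<host>:8080/fido2;
# otherwise print the reason and return 1.
check_fido2_api_url() {
    url=$1
    case $url in
        '')          echo "FIDO2_API_URL is not set"; return 1 ;;
        *'<'*|*'>'*) echo "placeholder <<IP-Address>> was not replaced"; return 1 ;;
    esac
    case $url in
        http://*:8080/fido2) ;;
        *) echo "expected http://<host>:8080/fido2, got: $url"; return 1 ;;
    esac
    host=${url#http://}
    host=${host%:8080/fido2}
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host part: $host"; return 1 ;;
    esac
    return 0
}

# Compare the `date +%z` output collected on the SAE host and the FIDO Server
# host (assumption: equal UTC offsets stand in for "same time zone").
same_utc_offset() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Constructed sample: a compose.yml fragment with the placeholder left in.
# The service name "sae" is hypothetical.
sample=$(mktemp)
printf '%s\n' 'services:' '  sae:' '    environment:' \
    '      - FIDO2_API_URL=http://<<IP-Address>>:8080/fido2' > "$sample"
check_fido2_api_url "$(extract_fido2_api_url "$sample")" ||
    echo "fix compose.yml before starting SAE"
same_utc_offset "+0530" "+0000" ||
    echo "SAE and FIDO Server report different UTC offsets"
rm -f "$sample"
```

On real hosts, pass the actual compose.yml path to extract_fido2_api_url and feed same_utc_offset the `date +%z` output collected on each server.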