2.3 Setting up the FIDO metadata

To allow MyID to carry out attestation checks on FIDO authenticators during registration, it requires access to the FIDO Alliance Metadata Service metadata. You can obtain FIDO metadata online (this is the default) or from a local file system repository.

Access to online metadata is controlled from the configuration file for the MyID authentication web service (web.oauth2) using the OnlineMetadata Fido setting:

Copy 
"Fido": {
"Config": {
// If OnlineMetadata is true FIDO metatdata will be downloaded from https://mds.fidoalliance.org/
"OnlineMetadata": true,
// Optionally provide a FIDO metadata Blob root certificate in base64 format
"MetadataBlobRootCert": "",
// Control whether the certificates in the chain of trust for the FIDO metadata service BLOB is CRL checked.
"DisableCrlCheck": false,
}
}

The installer sets OnlineMetadata to true by default in the appsettings.json file, meaning that FIDO metadata is obtained from the online source. If you need to change any settings, you can edit the appsettings.Production.json file to override the settings in the appsettings.json file.

The MyID FIDO implementation uses an built-in FIDO Alliance ROOT certificate which is part of the certificate chain of trust for the signed metadata blob.jwt (see section 2.3.1, Setting up a local metadata repository). This certificate has an expiry date of 2029. If this certificate expires, or the FIDO Alliance certificate chain changes, you can provide an external root certificate as a base64 string through the MetadataBlobRootCert setting above. The root certificate is then used to verify cryptographically any blob.jwt obtained online or used by the local metadata repositories.

For online metadata during FIDO registration, you can disable CRL checking of the metadata chain of trust certificates by setting DisableCrlCheck to true. The default value is false which means that CRL checking is enabled by default. The DisableCrlCheck setting applies only to online metadata; no CRL checking is done on a local metadata repository.

Previous versions of FIDO on MyID used the FIDO Alliance MDS2 metadata service, which required an access token to be able to download the metadata. With the newer MDS3 FIDO Alliance metadata service, this is no longer the case, with metadata now freely available as a direct download from:

mds.fidoalliance.org

The MyID web server must be able to access the above FIDO Alliance URL to download the metadata. If your server cannot access this URL, or if you are experiencing performance issues when verifying metadata, you can create a local repository; see section 2.3.1, Setting up a local metadata repository.

Note: If you are using the standalone authentication service (web.oauth2.ext) in conjunction with the AD FS Adapter OAuth to allow for FIDO authentication to your AD FS, the web.oauth2.ext service configuration for OnlineMetadata is ignored, because attestation checks are relevant only for registration, and the standalone authentication service provides only authentication and not registration for FIDO authenticators.

2.3.1 Setting up a local metadata repository

You can create a local metadata repository, which you can then configure the authentication service to use instead of the live metadata from the FIDO Alliance website.

To create a local repository:

  1. Download the MDS3 FIDO Alliance metadata.

    In your browser, navigate to:

    mds.fidoalliance.org

    This downloads a single blob.jwt file that contains, amongst other things, the FIDO Alliance metadata statements for all registered FIDO authenticators.

  2. Open the appsettings.Production.json file for the authentication service in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json

  3. Edit the file to include the following settings:

    Copy 
    "Fido": {
    "Config": {
    // If OnlineMetadata is true FIDO metatdata will be downloaded from https://mds.fidoalliance.org/
    "OnlineMetadata": false,
    // If a filesystem FIDO metadata repository is provided by the customer its path should be entered here.
    "MDSCacheDirPath": "<path of cache folder",
    // If a filesystem FIDO metadata repository is provided by the customer and the customer wishes to override
    // the nextUpdate time in the metadata BLOB file then this can be done by setting the cache time in days from
    // the time now.  A default value of 2 days ensures that during fido registration the file is read only once
    // from the file system with all subsequent times read from memory cache until the system is restarted.
    "CacheTimeDays": <validity period>
    }
    }

    where:

    • <path of cache folder> is the path of the folder where the blob.jwt is located. Use forward slashes or double backslashes in the path. A non-empty value here enables the local file system metadata repository.

    • <validity period> is the number of days from the current time after which the cache will no longer be valid, and the authentication service will revert to re-reading the metadata from the file system rather than its own in-memory cache.

    The installer sets a default value of 2 days for CacheTimeDays in the appsettings.json file. This means, after reading the file system metadata into memory cache, it will keep using the memory cache for two days (or until the server app pool is recycled) then re-read the file system metadata into memory cache and then use memory cache for another 2 days and so on. If you set the CacheTimeDays value to 0 it will be ignored and the nextUpdate time specified in the blob.jwt file will apply; when that expires it will keep reading from the file system.

    Important: Merge these settings into your existing Fido:Config section. Do not delete any existing settings.

    If you want to use the local repository in preference to the live data, you can set the OnlineMetadata option to false as shown above.

    If you leave the OnlineMetadata set to true in the configuration file, MyID uses both live metadata and metadata from the local repository. You can use either or both options.

  4. Save the appsettings.Production.json file.

  5. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.

    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.

Note: Earlier versions of FIDO on MyID used a MyID.FIDO.Metadata.App to obtain a local metadata repository from the MDS2 server. With MDS3 no such app is required as the metadata is all in a single blob.jwt file that is freely available from the FIDO Alliance MDS3 server.

Existing MDS2 metadata JSON files are not compatible with the MDS3 metadata specification. This means customers who already have MDS2 metadata JSON files in their local repository must replace them with a single MDS3 compatible blob.jwt metadata file.

You can place individual MDS3-compliant JSON metadata statement files alongside the blob.jwt in the file system repository folder and they are read in and appended to the metadata extracted from the blob.jwt file. This is useful if you want to use metadata for authenticators that have not been registered with the FIDO Alliance.

JWT metadata files are cryptographically verified as originating from the FIDO Alliance before being accepted as a source of metadata.

Only one JWT file is supported in the local repository path. If more than one file is present, only the first found alphabetically will be used.