2.3 Setting up the FIDO metadata
To allow MyID to carry out attestation checks on passkeys during registration, it requires access to the FIDO Alliance Metadata Service metadata. You can obtain FIDO metadata online (this is the default) or from a local file system repository.
Access to online metadata is controlled from the configuration file for the MyID authentication web service (web.oauth2) using the OnlineMetadata Fido setting:
"Fido": {
"Config": {
// If OnlineMetadata is true FIDO metatdata will be downloaded from https://mds.fidoalliance.org/
"OnlineMetadata": true,
// Optionally provide a FIDO metadata Blob root certificate in base64 format
"MetadataBlobRootCert": "",
// Control whether the certificates in the chain of trust for the FIDO metadata service BLOB is CRL checked.
"DisableCrlCheck": false,
}
}The installer sets OnlineMetadata to true by default in the appsettings.json file, meaning that FIDO metadata is obtained from the online source. If you need to change any settings, you can edit the appsettings.Production.json file to override the settings in the appsettings.json file.
The MyID FIDO implementation uses an built-in FIDO Alliance ROOT certificate which is part of the certificate chain of trust for the signed metadata blob.jwt (see section 2.3.1, Setting up a local metadata repository). This certificate has an expiry date of 2029. If this certificate expires, or the FIDO Alliance certificate chain changes, you can provide an external root certificate as a base64 string through the MetadataBlobRootCert setting above. The root certificate is then used to verify cryptographically any blob.jwt obtained online or used by the local metadata repositories.
For online metadata during FIDO registration, you can disable CRL checking of the metadata chain of trust certificates by setting DisableCrlCheck to true. The default value is false which means that CRL checking is enabled by default. The DisableCrlCheck setting applies only to online metadata; no CRL checking is done on a local metadata repository.
Previous versions of FIDO on MyID used the FIDO Alliance MDS2 metadata service, which required an access token to be able to download the metadata. With the newer MDS3 FIDO Alliance metadata service, this is no longer the case, with metadata now freely available as a direct download from:
The MyID web server must be able to access the above FIDO Alliance URL to download the metadata. If your server cannot access this URL, if you are experiencing performance issues when verifying metadata, or if you want to use metadata for authenticators not included in the public repository, you can create a local repository; see section 2.3.1, Setting up a local metadata repository. You can also create a local repository to provide a restricted list of devices that can pass the attestation check.
Note: If you are using the standalone authentication service (web.oauth2.ext) in conjunction with the AD FS Adapter OAuth to allow for FIDO authentication to your AD FS, the web.oauth2.ext service configuration for OnlineMetadata is ignored, because attestation checks are relevant only for registration, and the standalone authentication service provides only authentication and not registration for passkeys.
2.3.1 Setting up a local metadata repository
You can create a local metadata repository, which you can then configure the authentication service to use in addition to or instead of the live metadata from the FIDO Alliance website.
You can set up a local repository for basic attestation or for enterprise attestation:
- 
                        For basic attestation, you can either use the MDS3 FIDO Alliance metadata or set up a custom repository that contains only those specific devices you want to issue. 
- 
                        For enterprise attestation, you can set up a custom repository containing metadata for your enterprise attestation certificates. 
When issuing passkeys, the attestation check used is determined by the Require Attestation option in the credential profile. See section 5.1, Setting up a passkey credential profile for the MyID Operator Client or section 5.2, Setting up a passkey credential profile for the Self-Service Request Portal for details.
To create a local repository:
- 
                        Obtain your metadata repository. For example, you can download the MDS3 FIDO Alliance metadata; in your browser, navigate to: This downloads a single blob.jwt file that contains, amongst other things, the FIDO Alliance metadata statements for all registered passkeys. 
- 
                        Open the appsettings.Production.json file for the authentication service in a text editor. By default, this is: C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json 
- 
                        Edit the file to include the following settings: Copy"Fido": {
 "Config": {
 // If OnlineMetadata is true FIDO metatdata will be downloaded from https://mds.fidoalliance.org/
 "OnlineMetadata": false,
 // If a filesystem FIDO metadata repository is provided by the customer its path should be entered here.
 "MDSCacheDirPath": "<path of basic metadata folder>",
 // If a filesystem FIDO metadata repository is provided by the customer and the customer wishes to override
 // the nextUpdate time in the metadata BLOB file then this can be done by setting the cache time in days from
 // the time now. A default value of 2 days ensures that during fido registration the file is read only once
 // from the file system with all subsequent times read from memory cache until the system is restarted.
 "MDSCacheDirPathEnterprise": "<path of enterprise attestation metadata folder>",
 "CacheTimeDays": <validity period>
 }
 }where: - 
                                <path of basic metatdata folder> is the path of the folder where the blob.jwt is located. Use forward slashes or double backslashes in the path. A non-empty value here enables the local file system metadata repository. This folder must only ever contain metadata with root certificates that validate direct attestation certificates for a given AAGUID. 
- 
                                <path of enterprise attestation metatdata folder> is the path of the folder where the .jwt or JSON files containing the enterprise attestation metadata is stored. Use forward slashes or double backslashes in the path. A non-empty value here enables the local file system enterprise attestation metadata repository. This folder must only ever contain metadata with root certificates that validate enterprise attestation certificates for a given AAGUID. See section 4, Enterprise attestation for details of enterprise attestation checks. 
- 
                                <validity period> is the number of days from the current time after which the cache will no longer be valid, and the authentication service will revert to re-reading the metadata from the file system rather than its own in-memory cache. 
 The installer sets a default value of 2 days for CacheTimeDays in the appsettings.json file. This means, after reading the file system metadata into memory cache, it will keep using the memory cache for two days (or until the server app pool is recycled) then re-read the file system metadata into memory cache and then use memory cache for another 2 days and so on. If you set the CacheTimeDays value to 0 it will be ignored and the nextUpdate time specified in the blob.jwt file will apply; when that expires it will keep reading from the file system. Important: Merge these settings into your existing Fido:Config section. Do not delete any existing settings. If you want to use the local repository in preference to the live data, you can set the OnlineMetadata option to false as shown above. If you leave the OnlineMetadata set to true in the configuration file, MyID uses both live metadata and metadata from the local repository. You can use either or both options. 
- 
                                
- 
                        Save the appsettings.Production.json file. 
- 
                        Recycle the web service app pool: - 
                                On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools. 
- 
                                Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle. 
 This ensures that the web service has picked up the changes to the configuration file. 
- 
                                
Note: Earlier versions of FIDO on MyID used a MyID.FIDO.Metadata.App to obtain a local metadata repository from the MDS2 server. With MDS3 no such app is required as the metadata is all in a single blob.jwt file that is freely available from the FIDO Alliance MDS3 server.
Existing MDS2 metadata JSON files are not compatible with the MDS3 metadata specification. This means customers who already have MDS2 metadata JSON files in their local repository must replace them with a single MDS3 compatible blob.jwt metadata file.
If you place individual MDS3-compliant JSON metadata statement files alongside the blob.jwt in the file system repository folder and they are read in and appended to the metadata extracted from the blob.jwt file. This is useful if you want to use metadata for authenticators that have not been registered with the FIDO Alliance.
Alternatively, you can populate your metadata folder with individual MDS3-compliant JSON metadata statement files instead of the blob.jwt, in which case the data in these files is used instead of the general metadata repository; this allows you to support specific tokens.
JWT metadata files are cryptographically verified as originating from the FIDO Alliance before being accepted as a source of metadata.
Only one JWT file is supported in the local repository path. If more than one file is present, only the first found alphabetically will be used. However, you can include many individual JSON metadata files in the local repository path.
2.3.1.1 Metadata repository priority
When MyID CMS reads the AAGUID (a 128-bit identifier of the type of the authenticator) from the authenticator device, it tries to match the identifier against the metadata repositories in the following priority order:
- 
                        The local enterprise attestation repository, as configured using the MDSCacheDirPathEnterprise option. 
- 
                        The local basic attestation repository, as configured using the MDSCacheDirPath option. 
- 
                        The online MDS3 FIDO Alliance metadata, as configured using the OnlineMetadata option. 
As soon as MyID CMS finds a match for the AAGUID, it does not proceed to look any further; this means that you cannot have multiple sets of metadata for a single AAGUID, as MyID CMS always uses the first match.