Passkeys (FIDO2) Policy for Relying Parties

This tutorial describes the options available for configuring a registration and authentication policy for FIDO2 passkeys for relying parties (RPs) such as Entra ID and Okta.

Prerequisites

Configure Policy for Entra ID

Navigate to Configuration > Passkey (FIDO2) Policy. Select Add Policy and follow the steps below:

  1. Registration Policy: Enter the following information for registration of a passkey (FIDO2):
    1. Relying Party Application: Select the Entra ID relying party application for which you need to configure the passkeys policy. You can create a policy only once per application. This list of relying party applications is populated based on the applications that have been integrated using the Passkeys (FIDO2) Provisioning feature on the Unifyia platform.
    2. Relying Party Name: Provide a unique name to identify the Entra ID configuration.
    3. Relying Party ID: Enter the relying party's effective domain, or a registrable suffix of it, for example, login.microsoftonline.com. This is a bare host name, not a URL: no scheme, port or path. WebAuthn scopes every credential to this value, and a browser refuses any registration or authentication ceremony whose RP ID is neither the origin's domain nor a registrable suffix of it, so a wrong value here produces credentials the relying party can never use. This field is shown only during first-time configuration and is not visible in edit mode, so choose it carefully.
    4. Signature Algorithms: Select the signature algorithms permitted for the public key credential. You may select one or more of the available algorithms: ES256, ES384, ES512, RS256, RS384, RS1, RS512, EdDSA. Include ES256, which CTAP2 requires every FIDO2 authenticator to support. RS1 is RSASSA-PKCS1-v1_5 with SHA-1; enable it only when a legacy authenticator requires it.
    5. Authenticator Attachment: Authenticator attachment describes how an authenticator (for example, a security key or a built-in biometric sensor) connects to the device used for authentication (for example, a computer or smartphone). Select Cross-Platform. The platform supports only external security keys that connect to the host device over USB (for example, a YubiKey), NFC, or Bluetooth (for example, a smartphone) for relying parties. With this setting, authenticators built into the device (platform authenticators) are not offered during registration.
  2. Authentication Policy: Leave the default values for the authentication policy.
  3. Select Save to complete the addition of a passkeys policy for Entra ID users.

Configure Policy for Okta

Navigate to Configuration > Passkey (FIDO2) Policy. Select Add Policy and follow the steps below:

  1. Registration Policy: Enter the following information for registration of a passkey (FIDO2):
    1. Relying Party Application: Select the Okta relying party application for which you need to configure the passkeys policy. You can create a policy only once per application. This list of relying party applications is populated based on the applications that have been integrated using the Passkeys (FIDO2) Provisioning feature on the Unifyia platform.
    2. Relying Party Name: Provide a unique name to identify the Okta configuration.
    3. Relying Party ID: Enter the relying party's effective domain, or a registrable suffix of it, for example, example.okta.com. This is a bare host name, not a URL: no scheme, port or path. WebAuthn scopes every credential to this value, and a browser refuses any registration or authentication ceremony whose RP ID is neither the origin's domain nor a registrable suffix of it, so a wrong value here produces credentials the relying party can never use. This field is shown only during first-time configuration and is not visible in edit mode, so choose it carefully.
    4. Signature Algorithms: Select the signature algorithms permitted for the public key credential. You may select one or more of the available algorithms: ES256, ES384, ES512, RS256, RS384, RS1, RS512, EdDSA. Include ES256, which CTAP2 requires every FIDO2 authenticator to support. RS1 is RSASSA-PKCS1-v1_5 with SHA-1; enable it only when a legacy authenticator requires it.
    5. Authenticator Attachment: Authenticator attachment describes how an authenticator (for example, a security key or a built-in biometric sensor) connects to the device used for authentication (for example, a computer or smartphone). Select Cross-Platform. The platform supports only external security keys that connect to the host device over USB (for example, a YubiKey), NFC, or Bluetooth (for example, a smartphone) for relying parties. With this setting, authenticators built into the device (platform authenticators) are not offered during registration.
  2. Authentication Policy: Leave the default values for the authentication policy.
  3. Select Save to complete the addition of a passkeys policy for Okta users.
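The three registration fields in the Entra ID and Okta procedures above map directly onto the WebAuthn PublicKeyCredentialCreationOptions a browser receives: Relying Party ID becomes rp.id, the selected signature algorithms become pubKeyCredParams expressed as COSE algorithm identifiers, and Cross-Platform becomes authenticatorSelection.authenticatorAttachment. The following JavaScript is an added example, not Unifyia, Entra ID or Okta code, that performs that mapping and applies the RP ID check a browser performs before it will run a ceremony. The policy object shape, the sample policy and user, the fixed challenge, and the abbreviated public-suffix list are assumptions made for this example.

```javascript
// Added example (not Unifyia product code): build WebAuthn creation options
// from a passkey registration policy and validate the RP ID first.

// IANA COSE algorithm identifiers for the algorithms the policy can select.
const COSE_ALG = {
  ES256: -7, ES384: -35, ES512: -36,
  EdDSA: -8,
  RS256: -257, RS384: -258, RS512: -259,
  RS1: -65535, // RSASSA-PKCS1-v1_5 with SHA-1: legacy authenticators only
};

// Constructed stand-in for the Public Suffix List. A production check must
// consult the full list; these entries only illustrate the rule.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// WebAuthn scopes a credential to rp.id and the browser rejects the ceremony
// unless rp.id equals the origin's effective domain or is a registrable
// suffix of it. Returns a reason string, or null when the RP ID is usable.
function checkRpId(rpId, origin) {
  let url;
  try { url = new URL(origin); } catch { return 'origin is not a URL'; }
  if (url.protocol !== 'https:' && url.hostname !== 'localhost') {
    return 'WebAuthn requires a secure context';
  }
  if (/[\/:]/.test(rpId)) return 'RP ID must be a bare host name, not a URL';
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (PUBLIC_SUFFIXES.has(id)) return 'RP ID must not be a public suffix';
  if (host !== id && !host.endsWith('.' + id)) {
    return `RP ID "${rpId}" is not a suffix of origin host "${host}"`;
  }
  return null;
}

// Translate the policy (assumed shape) into PublicKeyCredentialCreationOptions.
function buildCreationOptions(policy, user, origin, challenge) {
  const problem = checkRpId(policy.rpId, origin);
  if (problem) throw new Error(problem);
  if (policy.signatureAlgorithms.length === 0) {
    throw new Error('no signature algorithms selected');
  }
  // Order expresses preference; list ES256 first in the policy.
  const pubKeyCredParams = policy.signatureAlgorithms.map((name) => {
    if (!(name in COSE_ALG)) throw new Error(`unknown algorithm ${name}`);
    return { type: 'public-key', alg: COSE_ALG[name] };
  });
  return {
    rp: { id: policy.rpId, name: policy.rpName },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams,
    authenticatorSelection: {
      authenticatorAttachment: policy.authenticatorAttachment, // 'cross-platform'
      userVerification: 'preferred',
    },
    timeout: 60000,
  };
}

// Constructed sample policy mirroring the Entra ID steps above.
const ENTRA_POLICY = {
  rpName: 'Entra ID',
  rpId: 'login.microsoftonline.com',
  signatureAlgorithms: ['ES256', 'RS256'],
  authenticatorAttachment: 'cross-platform',
};
// Constructed sample user; user.id must be an opaque byte array.
const SAMPLE_USER = {
  id: new Uint8Array([0x01, 0x02, 0x03, 0x04]),
  name: 'alice@example.com',
  displayName: 'Alice',
};

function exampleOptions() {
  // Fixed challenge for the example only; real code uses crypto.getRandomValues.
  const challenge = new Uint8Array(32);
  return buildCreationOptions(
    ENTRA_POLICY, SAMPLE_USER, 'https://login.microsoftonline.com', challenge);
}

console.log(JSON.stringify(exampleOptions(), null, 2));
```

The RP ID check is the part that matters operationally: a policy whose RP ID does not match the relying party's origin will save without complaint on the platform side, but every browser will refuse the resulting ceremony, so validate the value against the RP's actual login origin before saving.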

You have successfully configured the passkeys (FIDO2) policies for Entra ID and Okta. To verify the configuration, navigate to Configuration > Workflows > Create Workflow. If an external credential management system is integrated, you are prompted to confirm whether you wish to create a workflow for it; select No to proceed. Under the General section, select the identity type that has FIDO2. Scroll down to the FIDO2 Registration section and check the option Enable FIDO2 Passkeys provisioning for relying parties. The Relying Parties dropdown lists the configured passkeys (FIDO2) policies of the relying parties.