Configuring Delinea Secret Server for FIDO2 authentication with FX series
  • 13 Mar 2025


Article summary

The following instructions will guide you through the basics of editing an existing authentication profile, allowing a user to register a FIDO2 token, and ensuring that the identity policy has the appropriate authentication profiles assigned.

Configuring Delinea Secret Server for authenticating with FIDO2 passkeys involves the following steps:

  • Creating authentication profiles. Authentication profiles define which available authentication challenge mechanisms are permitted for authentication, such as passwords, OTP, FIDO2, etc.

  • Creating identity policies and assigning the identity policies to user groups. Identity policies define a number of properties and conditions that pertain to an identity. These options include which types of authentication options can be registered or which actions can be performed by users based on their group membership (for example, changing passwords, OTP, FIDO2, etc.), as well as the conditions under which a given authentication profile is enforced, for example, signing in from a new/unknown device, identity cookie not present, etc.

Before you begin

  • Ensure that you have an FX series FIDO2 device, e.g. FX7 or FX1 Bio.

  • Ensure that you have a Secret Server Vault license or greater.

  • Ensure that you have Administer Users or User Owner permissions in Secret Server.

  • Ensure that you use a Firefox or Chromium browser, for example, Google Chrome or Microsoft Edge.

Setting up FIDO2 authentication for Delinea Secret Server

  1. Sign in to the Delinea Secret Server Admin Portal.

  2. Create or edit an authentication profile:

    1. Navigate to Settings > MFA and Security > Authentication Profiles.

    2. Select an existing policy or add a new one that you will use in your identity policy.

    3. Click Edit.

    4. Enable FIDO2 authenticators in one or both of the available challenge options.

      You can choose a single challenge or two challenges in the profile. To allow users to authenticate with FIDO2 authenticators as a challenge option, select FIDO2 authenticator in one or both challenges and click Save.

    5. Repeat this process for each profile you’ll use in your identity policy.

  3. Create or edit an identity policy:

    1. Navigate to Access > Identity Policies.

    2. Select an existing policy or create a new one.

    3. Switch to the User Security > Authenticator settings tab.

    4. Click Edit.

    5. Set Enable users to enroll FIDO2 authenticators to Enabled. Type a name in the FIDO2 security key display name box, for example, FX7 Token. This is the name that end users will see when they register a FIDO2 token.

  4. Assign the authentication profiles to the identity policy:

    1. Navigate to Access > Identity policies.

    2. Select the policy to which you want to assign an authentication profile.

    3. Switch to the Authentication tab.

    4. Confirm or assign the desired authentication profiles that contain your FIDO2 challenge settings to the various services and/or authentication rules, as appropriate for your business requirements.

    5. Save any changes you’ve made.
