# FIDO U2F to FIDO2 migration

Administrators offering U2F security keys as an authentication method are strongly encouraged to migrate to FIDO2. This newer protocol provides an extended set of functionality that covers more use cases than U2F. Additionally, FIDO2 is better supported in web browsers than FIDO U2F.
If you are already offering U2F and FIDO2 separately in Casa, migrating will allow you to consolidate security key usage into a single authentication method (credential type).
Migration consists of the following steps:
- Conversion of existing U2F entries into FIDO2: This is an automatic process that will allow using already enrolled U2F security keys in the context of FIDO2 authentication.
- Enabling the FIDO2 custom script and disabling the U2F custom script
## Conversion of existing entries

This process consists of creating entries under every user's `fido2_register` branch corresponding to already existing entries found under `fido` branches. See Storage of User Credentials. Only active entries that do not correspond to Super Gluu enrollments are converted. Every successfully migrated U2F entry acquires the state `migrated` and thus cannot be used for U2F authentication anymore.
To perform the conversion follow these steps:

- Download or clone the Casa repository, e.g.
- Extract the file contents and transfer the folder `casa/extras/fido2-migration` to the server where Casa is running, in a temporary location.
- Change to the `fido2-migration` folder in the temporary location
- Run `jar -xf /opt/gluu/jetty/casa/webapps/casa.war WEB-INF/lib`
- Run `wget -P WEB-INF/lib https://ox.gluu.org/maven/org/gluu/oxcore-script/4.2.0.Final/oxcore-script-4.2.0.Final.jar`
- Run `java -cp .:WEB-INF/lib/* bsh.Interpreter script.bsh`

The script will output some feedback in the console. You can `tail` the file `log.txt` to see more details of the processing. Identifiers of failed entries (if any) are dumped to a file.
Regardless of whether the steps above are executed, by default Gluu Server will attempt to migrate U2F entries when users attempt to log in using the FIDO2 acr. For example, if a user has already enrolled a key using the FIDO2 authentication mechanism and logs in to Casa using that method, all their existing U2F enrollments (if any) will be migrated; this way all security keys will be listed under one single widget in the user's dashboard.
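The conversion rule from the section above, together with the login-time migration just described, modelled in Python as an added illustration (this is not the project's `script.bsh`; entry fields, the `super_gluu` flag and the `convert` hook are assumptions of the model): eligible `fido` entries are copied into the user's `fido2_register` set and marked `migrated`, a repeated run creates no duplicates, and a failed conversion leaves the key usable for U2F.

```python
from dataclasses import dataclass

@dataclass
class U2fEntry:
    """Entry under a user's `fido` branch (field names are assumptions of this model)."""
    id: str
    key_handle: str
    public_key: str
    state: str = "active"        # "active" or "migrated"
    super_gluu: bool = False     # assumption: marks a Super Gluu enrollment

@dataclass
class Fido2Entry:
    """Entry under a user's `fido2_register` branch (assumed shape)."""
    id: str
    credential_id: str
    public_key: str

def migrate_user(u2f_entries, fido2_entries, convert=None):
    """Convert eligible U2F entries into FIDO2 entries and mark them `migrated`.

    Returns (new_fido2_entries, failed_ids). Eligible means state "active" and
    not a Super Gluu enrollment. An entry whose key handle is already present
    under fido2_register (e.g. migrated earlier at login time) is only marked
    migrated, so a second run never creates duplicates. A failed conversion
    leaves the entry "active", so that key keeps working for U2F.
    """
    def default_convert(e):
        return Fido2Entry(f"fido2-{e.id}", e.key_handle, e.public_key)
    convert = convert or default_convert
    known = {f.credential_id for f in fido2_entries}
    new, failed = [], []
    for e in u2f_entries:
        if e.state != "active" or e.super_gluu:
            continue
        if e.key_handle not in known:
            try:
                f = convert(e)
            except Exception:
                failed.append(e.id)      # the real script dumps these ids to a file
                continue
            new.append(f)
            known.add(f.credential_id)
        e.state = "migrated"             # no longer accepted by the U2F flow
    return new, failed

def u2f_login_allowed(entry):
    """The U2F authentication flow must reject migrated entries."""
    return entry.state == "active"
```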
Something went wrong? Please open a support ticket.
Once entries have been successfully migrated, in oxTrust visit Person authentication scripts. Ensure to enable `fido2` and disable `u2f`, then click Update at the bottom of the page.

Wait for 1 minute, then log into the Casa admin console. In Enabled authentication methods check `fido2` and save changes. From now on, users can enroll security keys and also use their already enrolled keys seamlessly.