Policies

Password policy

Within the Password Policy section, various policies for password setup can be defined.

For example, requirements such as at least one uppercase letter or one numeric character, minimum or maximum password length, and many others can all be configured from this tab.

You can incorporate the desired settings by selecting the appropriate option from the dropdown menu according to your needs.

The selection that you made from the dropdown menu is automatically listed under Policy Type.

You can set the threshold value for the Policy Type that you selected.

For example, if Uppercase Characters was chosen from the dropdown, it appears under the Policy Type section.

The threshold value can then be configured accordingly.

In this example, a value of 1 indicates that a password must contain at least 1 uppercase character to be considered valid.
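The following is an added example, not code from ZTrust or from this page, of what a policy table like the one described above means when a new password is checked against it: each Policy Type row becomes a rule, and each rule reports the threshold it expected and what it found, so a user is told exactly which requirement failed. The policy rows, thresholds and function names are this example's own.

```python
import string

# Constructed policy: each key mirrors a "Policy Type" row on the Password
# Policy tab and its value is the threshold set for it. The row names are
# this example's labels, not identifiers taken from the product.
CONSTRUCTED_POLICY = {
    "Minimum Length": 12,
    "Maximum Length": 64,
    "Uppercase Characters": 1,
    "Lowercase Characters": 1,
    "Digits": 1,
    "Special Characters": 1,
    "Not Username": True,
}

# Character classes behind the count-based policy types.
CHARACTER_CLASSES = {
    "Uppercase Characters": str.isupper,
    "Lowercase Characters": str.islower,
    "Digits": str.isdigit,
    "Special Characters": set(string.punctuation).__contains__,
}


def evaluate_password(password, username="", policy=CONSTRUCTED_POLICY):
    """Return the list of violated policy rows; an empty list means the password is accepted."""
    violations = []
    for policy_type, threshold in policy.items():
        if policy_type == "Minimum Length" and len(password) < threshold:
            violations.append(f"{policy_type}: need at least {threshold}, got {len(password)}")
        elif policy_type == "Maximum Length" and len(password) > threshold:
            violations.append(f"{policy_type}: need at most {threshold}, got {len(password)}")
        elif policy_type == "Not Username" and threshold and username and password.lower() == username.lower():
            violations.append(f"{policy_type}: password must not equal the username")
        elif policy_type in CHARACTER_CLASSES:
            # Count characters of the class and compare with the threshold, as a value of 1
            # for Uppercase Characters means "at least one uppercase character".
            found = sum(1 for ch in password if CHARACTER_CLASSES[policy_type](ch))
            if found < threshold:
                violations.append(f"{policy_type}: need at least {threshold}, found {found}")
    return violations


if __name__ == "__main__":
    for candidate in ("Correct-Horse-9x", "password"):
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

Reporting every violated row at once, rather than stopping at the first, is what lets the login page show the user the complete list of unmet requirements.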

Save

After making the necessary adjustments, click Save to apply the changes.

Reload

If you wish to discard the changes made, click on Reload to revert to the previous settings.

OTP Policy

In the OTP Policy section, you can configure various settings related to OTP (One-Time Password).

OTP Type

In this setting, you can choose the OTP Type, either Time Based OTP or Counter Based OTP, by selecting your preferred option.

OTP Hash Algorithm

This is the hash algorithm used when generating the OTP.

You can select your preferred option from the dropdown menu.

Number of Digits

You can choose between 6 or 8 digits for the OTP length by selecting a different option.

Look Around Window

This setting is the number of intervals on either side of the current one that the server also tries when matching the submitted code. It's a feature in ZTrust that addresses situations where the clock of the OTP generator and the clock of the authenticator server have drifted out of sync.

It has a default value of 1 and can be modified as required.

OTP Token Period

This represents the duration (in seconds) for which an OTP remains valid.

The default value is 30 seconds, but it can be adjusted as required.

Supported Applications

It lists the applications that have been verified to be compatible with the current OTP policy.

Reusable token

This toggle button can be turned ON or OFF according to your needs.

When enabled, the same OTP code can be reused after successful authentication.

If disabled, the user cannot log in again using the same OTP code after successful authentication.
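As an added example (not ZTrust code, and not code from this page), the verifier below shows how the OTP Policy settings described above combine on the server side: the hash algorithm and number of digits select the HOTP/TOTP code, the OTP Token Period and Look Around Window decide which counters are tried, and the Reusable token toggle decides whether a code that already logged the user in may be accepted again. Class and parameter names are this example's own; the Counter Based OTP branch treats the window as a look-ahead over the next counters, which is an assumption about how a counter-based window is applied.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP, with the hash algorithm parameterised as RFC 6238 allows."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpPolicyVerifier:
    """Server-side verification that follows the OTP Policy settings (names are this example's own)."""

    def __init__(self, otp_type="Time Based OTP", algorithm="SHA1", digits=6,
                 look_around_window=1, period=30, reusable_token=False):
        self.time_based = otp_type == "Time Based OTP"
        self.algorithm, self.digits = algorithm, digits
        self.window, self.period = look_around_window, period
        self.reusable_token = reusable_token
        self._used = {}          # user -> counters that already produced a successful login
        self._next_counter = {}  # user -> next expected counter (Counter Based OTP only)

    def candidates(self, user, now):
        """Counters the server tries: the current interval plus `window` on each side (time based),
        or the expected counter plus `window` look-ahead (counter based, an assumption)."""
        if self.time_based:
            centre = int(now // self.period)
            return range(centre - self.window, centre + self.window + 1)
        expected = self._next_counter.get(user, 0)
        return range(expected, expected + self.window + 1)

    def verify(self, user, secret, code, now=None):
        now = time.time() if now is None else now
        if not (isinstance(code, str) and code.isascii()):
            return False
        for counter in self.candidates(user, now):
            if not hmac.compare_digest(hotp(secret, counter, self.digits, self.algorithm), code):
                continue
            used = self._used.setdefault(user, set())
            if counter in used and not self.reusable_token:
                return False  # Reusable token is OFF: the same code cannot log in twice
            used.add(counter)  # a real server would prune entries older than the window
            if not self.time_based:
                self._next_counter[user] = counter + 1
            return True
        return False
```

With a period of 30 and a window of 1, a login attempted at second 59 accepts the code for interval 1 and also the codes for intervals 0 and 2, so a generator whose clock is up to 30 seconds off still works, while the code for interval 3 is rejected.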

Webauthn Policy

In the WebAuthn Policy section, you can configure the policies for WebAuthn authentication.

These settings are used by the WebAuthn Register required action and by the WebAuthn Authenticator execution in authentication flows.

This setup is commonly employed for implementing WebAuthn in two-factor authentication scenarios.

Relying Party Entity Name

It refers to the human-readable server name for a WebAuthn Relying Party.

This is a mandatory field and required for registering the WebAuthn authenticator.

The default setting is Keycloak.

Signature Algorithms

This setting tells the WebAuthn authenticator which signature algorithms may be used for the Public Key Credential.

ZTrust relies on Public Key Credentials for signing and verifying Authentication Assertions.

You can choose the desired option from the dropdown menu.

If no specific algorithms are specified, the default ES256 algorithm is used.

This is an optional setting that is applied during the registration of WebAuthn authenticators.

Relying Party ID

It refers to the ID of a WebAuthn Relying Party, which defines the scope of Public Key Credentials.

It should correspond to the effective domain of the origin.

This is an optional configuration that is applied during the registration of WebAuthn Authenticators.

Attestation Conveyance Preference

This setting specifies the attestation conveyance preference, which tells the authenticator how its attestation statement should be conveyed to ZTrust.

You can choose the desired option from the dropdown menu.

This is an optional setting that is applied during the registration of the WebAuthn authenticator.

Authenticator Attachment

This tells the authenticator which attachment pattern is acceptable.

You can select your preference between platform or cross-platform patterns from the dropdown menu.

This is an optional setting that is applied during the registration of the WebAuthn authenticator.

Require discoverable credential

It instructs the authenticator whether or not to create the public key credential as a resident (discoverable) key.

This is an optional setting that is applied during the registration of the WebAuthn authenticator.

User Verification Requirement

This setting tells the authenticator whether it must verify the user before completing the operation.

It's an optional configuration applied during the registration and authentication processes of a WebAuthn authenticator.

You can select your preferred option from the available choices in the dropdown menu.

If left unselected, it behaves the same as if the preferred option had been chosen.

Timeout

This value determines the timeout duration for registering a WebAuthn authenticator and authenticating the user with it.

If set to 0, no timeout is applied, and the behavior depends on the implementation of the WebAuthn authenticator.

Avoid Same Authenticator Registration

This is a toggle button. When activated (toggled ON), ZTrust prevents the re-registration of an already registered WebAuthn authenticator.

If deactivated (toggled OFF), an already registered WebAuthn authenticator can be registered again.

Acceptable AAGUIDs

This is the allowlist of AAGUIDs (Authenticator Attestation Globally Unique Identifiers) of the authenticators that may be registered.

A WebAuthn authenticator must present one of these AAGUIDs to be registered.

You can include any AAGUID by selecting the '+ Add AAGUID' option. To remove any existing AAGUID, simply click on the '-' symbol.

Extra Origins

This specifies the list of extra origins for non-web applications.

You can add a new origin by entering the necessary details and clicking on + Add Origin.

To remove an existing origin, click on the '-' symbol.

Save

After making the necessary adjustments, click Save to apply the changes.

Reload

If you wish to discard the changes made, click on Reload to revert to the previous settings.

Webauthn Passwordless Policy

Under the WebAuthn Passwordless Policy, you can establish guidelines for Passwordless WebAuthn Authentication.

These policies are applied to both the WebAuthn Register Passwordless required action and the WebAuthn Passwordless Authenticator.

This setup is commonly utilized when WebAuthn serves as the initial authentication factor. If both the WebAuthn Policy and WebAuthn Passwordless Policy are configured within the same realm, it enables the use of WebAuthn for both first-factor and second-factor authentication within that realm.

Relying Party Entity Name

It refers to the human-readable server name for a WebAuthn Relying Party.

This is a mandatory field and required for registering the WebAuthn authenticator.

The default setting is Keycloak.

Signature Algorithms

This setting tells the WebAuthn authenticator which signature algorithms may be used for the Public Key Credential.

ZTrust relies on Public Key Credentials for signing and verifying Authentication Assertions.

You can choose the desired option from the dropdown menu.

If no specific algorithms are specified, the default ES256 algorithm is used.

This is an optional setting that is applied during the registration of WebAuthn authenticators.

Relying Party ID

It refers to the ID of a WebAuthn Relying Party, which defines the scope of Public Key Credentials.

It should correspond to the effective domain of the origin.

This is an optional configuration that is applied during the registration of WebAuthn Authenticators.

Attestation Conveyance Preference

This setting specifies the attestation conveyance preference, which tells the authenticator how its attestation statement should be conveyed to ZTrust.

You can choose the desired option from the dropdown menu.

This is an optional setting that is applied during the registration of the WebAuthn authenticator.

Authenticator Attachment

This tells the authenticator which attachment pattern is acceptable.

You can select your preference between platform or cross-platform patterns from the dropdown menu.

This is an optional setting that is applied during the registration of the WebAuthn authenticator.

Require discoverable credential

It instructs the authenticator whether or not to create the public key credential as a resident (discoverable) key.

This is an optional setting that is applied during the registration of the WebAuthn authenticator.

User Verification Requirement

This setting tells the authenticator whether it must verify the user before completing the operation.

It's an optional configuration applied during the registration and authentication processes of a WebAuthn authenticator.

You can select your preferred option from the available choices in the dropdown menu.

If left unselected, it behaves the same as if the preferred option had been chosen.

Timeout

This value determines the timeout duration for registering a WebAuthn authenticator and authenticating the user with it.

If set to 0, no timeout is applied, and the behavior depends on the implementation of the WebAuthn authenticator.

Avoid Same Authenticator Registration

This is a toggle button. When activated (toggled ON), ZTrust prevents the re-registration of an already registered WebAuthn authenticator.

If deactivated (toggled OFF), an already registered WebAuthn authenticator can be registered again.

Acceptable AAGUIDs

This is the allowlist of AAGUIDs (Authenticator Attestation Globally Unique Identifiers) of the authenticators that may be registered.

A WebAuthn authenticator must present one of these AAGUIDs to be registered.

You can include any AAGUID by selecting the '+ Add AAGUID' option. To remove any existing AAGUID, simply click on the '-' symbol.

Extra Origins

This specifies the list of extra origins for non-web applications.

You can add a new origin by entering the necessary details and clicking on + Add Origin.

To remove an existing origin, click on the '-' symbol.

Save

After making the necessary adjustments, click Save to apply the changes.

Reload

If you wish to discard the changes made, click on Reload to revert to the previous settings.
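The fields of the WebAuthn Policy and WebAuthn Passwordless Policy sections above are the same, and the added example below (not ZTrust code, and not code from this page) shows where they take effect in a registration ceremony: the policy is first turned into the creation options a browser is handed, and the authenticator's response is then checked against Relying Party ID, Extra Origins, User Verification Requirement, Acceptable AAGUIDs and Avoid Same Authenticator Registration. The policy values, AAGUID and extra origin are constructed, the field and function names are this example's own, and choosing a required discoverable credential with required user verification is an assumption about a typical first-factor setup. Signature and attestation-statement verification are omitted.

```python
import base64
import hashlib
import json
import struct
import uuid
from urllib.parse import urlparse

# Constructed policy mirroring the WebAuthn / WebAuthn Passwordless Policy tabs.
# Values are this example's own; the AAGUID and the extra origin are made up.
PASSWORDLESS_POLICY = {
    "rp_entity_name": "Keycloak",
    "rp_id": "login.example.test",
    "signature_algorithms": ["ES256", "RS256"],
    "attestation_conveyance_preference": "direct",
    "authenticator_attachment": "cross-platform",
    "require_discoverable_credential": True,       # assumed for a first-factor credential
    "user_verification_requirement": "required",   # assumed for a first-factor credential
    "timeout": 60,                                 # seconds; 0 means "send no timeout"
    "avoid_same_authenticator_registration": True,
    "acceptable_aaguids": ["00000000-0000-0000-0000-000000000001"],
    "extra_origins": ["android:apk-key-hash:CONSTRUCTEDHASH"],
}

# COSE algorithm identifiers for the signature algorithms the dropdown offers.
COSE_ALG = {"ES256": -7, "ES384": -35, "ES512": -36, "RS256": -257, "RS384": -258, "RS512": -259, "EdDSA": -8}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def creation_options(policy, user_id: bytes, username: str, challenge: bytes) -> dict:
    """Translate the policy into the PublicKeyCredentialCreationOptions given to navigator.credentials.create()."""
    selection = {"userVerification": policy["user_verification_requirement"] or "preferred"}
    if policy["require_discoverable_credential"]:
        selection.update(residentKey="required", requireResidentKey=True)
    if policy["authenticator_attachment"]:
        selection["authenticatorAttachment"] = policy["authenticator_attachment"]
    options = {
        "rp": {"name": policy["rp_entity_name"], "id": policy["rp_id"]},
        "user": {"id": b64url(user_id), "name": username, "displayName": username},
        "challenge": b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": COSE_ALG[a]} for a in (policy["signature_algorithms"] or ["ES256"])],
        "attestation": policy["attestation_conveyance_preference"],
        "authenticatorSelection": selection,
    }
    if policy["timeout"]:
        options["timeout"] = policy["timeout"] * 1000   # the WebAuthn API takes milliseconds
    return options


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the authenticator data: rpIdHash, flags, signCount and, if present, attested credential data."""
    flags = auth_data[32]
    parsed = {"rp_id_hash": auth_data[:32], "user_present": bool(flags & 0x01),
              "user_verified": bool(flags & 0x04), "sign_count": struct.unpack(">I", auth_data[33:37])[0]}
    if flags & 0x40:  # AT flag: attested credential data follows
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        parsed["credential_id"] = auth_data[55:55 + cred_len]
    return parsed


def check_registration(policy, client_data_json: bytes, auth_data: bytes, challenge: bytes, registered_ids) -> list:
    """Return the policy violations found in a registration response (an empty list means accept)."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.create":
        problems.append("wrong ceremony type")
    if client.get("challenge") != b64url(challenge):
        problems.append("challenge mismatch")
    origin, rp_id = client.get("origin", ""), policy["rp_id"]
    host = urlparse(origin).hostname or ""
    # The Relying Party ID must be the origin's effective domain or a suffix of it;
    # Extra Origins admits non-web origins, which have no hostname at all.
    web_origin_ok = origin.startswith("https://") and (host == rp_id or host.endswith("." + rp_id))
    if not (web_origin_ok or origin in policy["extra_origins"]):
        problems.append(f"origin not allowed: {origin}")
    data = parse_authenticator_data(auth_data)
    if data["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the Relying Party ID")
    if not data["user_present"]:
        problems.append("user presence not asserted")
    if policy["user_verification_requirement"] == "required" and not data["user_verified"]:
        problems.append("user verification required but not performed")
    if "aaguid" not in data:
        problems.append("no attested credential data")
        return problems
    if policy["acceptable_aaguids"] and data["aaguid"] not in policy["acceptable_aaguids"]:
        problems.append(f"AAGUID not in allowlist: {data['aaguid']}")
    if policy["avoid_same_authenticator_registration"] and data["credential_id"] in registered_ids:
        problems.append("authenticator already registered")
    return problems


def sample_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, shaped as a browser produces it for a registration."""
    return json.dumps({"type": "webauthn.create", "challenge": b64url(challenge), "origin": origin}).encode()


def sample_auth_data(rp_id: str, aaguid: str, credential_id: bytes, flags: int = 0x45, sign_count: int = 0) -> bytes:
    """Constructed authenticator data with attested credential data (no COSE key: this demo verifies no signatures)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(credential_id)) + credential_id)
```

The flags byte 0x45 in the constructed authenticator data sets user presence, user verification and attested credential data; dropping the user-verification bit (0x41) is what a response from an authenticator that did not verify the user looks like, and the check rejects it when User Verification Requirement is required.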

CIBA Policy

In the CIBA Policy section, an admin can configure Client Initiated Backchannel Authentication (CIBA) for a specific realm.

Backchannel Token Delivery Mode

This setting is mandatory and determines how the Consumption Device (CD) receives the authentication result and associated tokens.

Two modes are available, Poll and Ping; the default is Poll.

Expires In

This setting specifies the lifetime of the auth_req_id in seconds, counted from when the authentication request was received.

The default setting is 120 seconds, but you can adjust this duration based on your needs.

Interval

This setting specifies the time in seconds that the Consumption Device (CD) must wait between polling requests to the token endpoint.

It's an optional configuration, with a default setting of 5 seconds.

You have the flexibility to adjust this duration according to your needs.

Authentication Requested User Hint

This mandatory field specifies how the end-user for whom authentication is being requested is identified.

The default option is login_hint, and currently, ZTrust only supports this method.
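As an added example (not ZTrust code, and not code from this page), the simulation below plays both sides of the CIBA exchange governed by the settings above: the Consumption Device sends a backchannel request identified by login_hint, then either polls the token endpoint every Interval seconds (Poll mode, backing off by 5 seconds on a slow_down reply as the CIBA specification requires) or waits for the server's notification and makes a single token request (Ping mode), giving up once Expires In has elapsed. The server, the auth_req_id format, the token values and the clock are constructed so the exchange runs offline.

```python
# Constructed CIBA policy values mirroring the tab; the defaults are the ones described above.
CIBA_POLICY = {"backchannel_token_delivery_mode": "poll", "expires_in": 120, "interval": 5}


class SimClock:
    """Fake clock so the exchange runs instantly; sleep() just advances time."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeAuthServer:
    """Constructed stand-in for the authorization server. The end-user approves
    approve_after seconds after the backchannel request; None means never."""
    def __init__(self, policy, approve_after=None, slow_down_replies=0):
        self.policy, self.approve_after, self.slow_down_replies = policy, approve_after, slow_down_replies
        self.requests = {}   # auth_req_id -> time the request was received

    def backchannel_authenticate(self, login_hint, now):
        auth_req_id = f"constructed-{login_hint}-{int(now)}"
        self.requests[auth_req_id] = now
        return {"auth_req_id": auth_req_id, "expires_in": self.policy["expires_in"], "interval": self.policy["interval"]}

    def _approved(self, auth_req_id, now):
        return self.approve_after is not None and now - self.requests[auth_req_id] >= self.approve_after

    def notification_sent(self, auth_req_id, now):
        """Ping mode: True once the server would have called the CD's client notification endpoint."""
        return self.policy["backchannel_token_delivery_mode"] == "ping" and self._approved(auth_req_id, now)

    def token(self, auth_req_id, now):
        if auth_req_id not in self.requests:
            return {"error": "invalid_grant"}
        if now - self.requests[auth_req_id] >= self.policy["expires_in"]:
            return {"error": "expired_token"}   # Expires In elapsed since the request was received
        if self.slow_down_replies:
            self.slow_down_replies -= 1
            return {"error": "slow_down"}
        if not self._approved(auth_req_id, now):
            return {"error": "authorization_pending"}
        return {"access_token": "constructed-access-token", "token_type": "Bearer"}


def obtain_tokens(server, auth_response, clock, sleep):
    """Consumption Device side of the exchange, for either delivery mode."""
    auth_req_id, deadline = auth_response["auth_req_id"], clock() + auth_response["expires_in"]
    interval, polls = auth_response.get("interval", 5), 0
    if server.policy["backchannel_token_delivery_mode"] == "ping":
        # Ping: wait for the notification, then make a single token request.
        while clock() < deadline:
            sleep(1)
            if server.notification_sent(auth_req_id, clock()):
                return {"status": "ok", "polls": 1, "tokens": server.token(auth_req_id, clock())}
        return {"status": "expired_token", "polls": 0}
    # Poll: ask the token endpoint every `interval` seconds until a result or expiry.
    while clock() < deadline:
        sleep(interval)
        polls += 1
        reply = server.token(auth_req_id, clock())
        if "access_token" in reply:
            return {"status": "ok", "polls": polls, "tokens": reply}
        if reply["error"] == "slow_down":
            interval += 5   # CIBA: after slow_down the CD waits 5 seconds longer than before
            continue
        if reply["error"] != "authorization_pending":
            return {"status": reply["error"], "polls": polls}
    return {"status": "expired_token", "polls": polls}


if __name__ == "__main__":
    clock = SimClock()
    server = FakeAuthServer(CIBA_POLICY, approve_after=12)
    response = server.backchannel_authenticate("alice", clock())
    print(obtain_tokens(server, response, clock, clock.sleep))
```

With the defaults of 120 seconds and a 5 second interval, a request the user never approves costs the CD 24 polls before the token endpoint answers expired_token, which is the cost to keep in mind when lowering Interval or raising Expires In.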

Save

After making the necessary adjustments, click Save to apply the changes.

Reload

If you wish to discard the changes made, click on Reload to revert to the previous settings.
