View Source

Requirements

In order to add the credentials (security keys or fingerprints) your instance should have HTTPS protocol enabled.

Installation

(1) Click Gear Icon which leads to Administration area and select Manage apps. You will be redirected to the Atlassian Marketplace.

WebAuthn for Jira > Administrator Guide > manageapps.png

(2) Enter WebAuthn in the search field and click the magnifying glass. You will see WebAuthn for Jira in the search results.
(3) Click Free trial to get a free trial license for 30 days.
(4) Click Buy now to purchase a license for WebAuthn for Jira

Navigation

WebAuthn for Jira can be configured in the administrator area (add-ons tab).

(1) Click Gear Icon and select Manage apps You will be redirected to the Atlassian Marketplace.

In the left navigation menu Jira Administrator can do the following:

WebAuthn for Jira > Administrator Guide > navmenu.png

(2) Click “WebAuthn Configuration” to change plugin settings.
(3) Click “User Management” to reset authentication settings for a certain user.
(4) Click “Authentication Log” to see all relevant actions.

Configuration

All basic and additional settings are explained below.

WebAuthn for Jira > Administrator Guide > webauthnsettings.png

(1) Label is displayed as an identifier for the underlying Atlassian application

(2) Attestation Type defines the semantics of attestation statements and their underlying trust models.

WebAuthn Relying Parties use Attestation Type to specify their preference regarding attestation conveyance during credential generation.

“None” - this value indicates that the Relying Party is not interested in authenticator attestation. For example, in order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a roundtrip to an Attestation CA.
“Indirect” - this value indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.
“Direct” - This value indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator.

(3) Authenticator Type makes further restrictions on the type of authenticators allowed for registration

“Platform” - this value indicates platform attachment. A platform authenticator is attached using a client device-specific transport, called platform attachment, and is usually not removable from the client device. A public key credential bound to a platform authenticator is called a platform credential.
“Cross-platform” - this value indicates cross-platform attachment. A roaming authenticator is attached using cross-platform transports, called cross-platform attachment. Authenticators of this class are removable from, and can "roam" among client devices. A public key credential bound to a roaming authenticator is called a roaming credential.

(4) User Verification requires user verification for the login and registration operations.

“Required” - this value indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set.
“Preferred” - this value indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.
“Discouraged” - this value indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).

(5) Register with Resident Key allows to login by proving a local PIN on the device.

(6) WebAuthn permissions allow to grant permissions for passwordless authentication for all Jira users or for the chosen groups. Users that don’t belong to chosen groups will sign in to accounts using passwords.

(7) Mark the checkbox Enable authentication log to allow logging all action with WebAuthn. For example: adding or remove device, log it in to system, etc.

(8) If you want to clear the logs select retention period and click the Clear logs button. Logs for retention period will be kept while other logs will be cleared. Can be applied as needed.

(9) Reset to defaults will restore plugin settings to defaults and delete user's credentials.

(10) Click the Save button to save the configuration. Save button is not applied to Clear logs functionality that can be used as needed.

User Management

The User Management can be useful when there is a need to reset WebAuthn settings for a certain user.

WebAuthn for Jira > Administrator Guide > resettodefaults.png

(1) Start to type user name in Username field. You will see all users (username with email address) based on username you typed. Find user in drop-down list and select it.
(2) Click "Reset" to reset settings.

Authentication Logs

All relevant actions of WebAuthn for Jira are logged. Logs are accessible for administrators only: you can easily find which user has logged in or registered and when.

WebAuthn for Jira > Administrator Guide > logs.png

(1) Username column. Type username for filtering.
(2) Date of an action. Select a date.
(3) Action type. Stores all relevant actions.
(4) IP from which action was performed.
(5) "Filter" button applies chosen filters.
(6) “Clear filter” button clears all filters.
(7) Pagination.