3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/guides/enroll-device.md
Alex Fornuto f65041ebd1
DOCS: Document webauthn with device ID (#2830) 
* init device identity topic page

* add device options to PPL

* init device enrollment guide

* adjust for #2835 and crosslink

* tooltip in PPL on finding device ID

* sort and link matchers

* adjust terminology and crosslink

* standardize new topic name

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* rewrite device identity topic page

* rebase cleanup

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* add links from review with footer refs

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* rm errant newlines

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2021-12-29 11:19:21 -06:00

2.3 KiB
Raw Blame History

title lang meta description
Enroll a Device en-US
name content
keywords pomerium identity-access-proxy webauthn device id enroll authentication authorization
This guide covers how to enroll a trusted execution environment device as a Pomerium end-user.

Enroll a Device

If a Pomerium route is configured to require device authentication, then the user must register a trusted execution environment (TEE) device before accessing the route. Registration is easy, but different depending on the device being used to provide ID.

  1. Users are prompted to register a new device when accessing a route that requires device authentication:

    The WebAuthn Registration page with no devices registered

    Users can also get to the registration page from the special .pomerium endpoint available on any route, at the bottom of the page:

    The Device Credentials section of the .pomerium endpoint with the WebAuthn link highlighted

  2. Click on Register New Device. Your browser will prompt you to provide access to a device. This will look different depending on the browser, operating system, and device type:

    ::::: tabs :::: tab Windows The device authentication prompt on Windows :::: :::: tab Chrome The device authentication prompt in Google Chrome :::: :::: tab Firefox The device authentication prompt in Firefox :::: :::: tab ChromeOS The device authentication prompt on ChromeOS ::::

Find Device ID

If a route's policy is configured to only allow specific device IDs you will see a 450 error even after registering:

450 device not authorized error screen

From the .pomerium endpoint you can copy your device ID to provide to your Pomerium administrator.

Device ID list at /.pomerium

From here you can also delete the ID for devices that should no longer be associated with your account.