# Enabling WebAuthn redirection support in Amazon WorkSpaces Secure Browser
<a name="web-authentication"></a>

**Warning**  
WebAuthn redirection only works in browser sessions with internet access enabled. Ensure your portal's network settings allow internet access for WebAuthn functionality to work properly.

WorkSpaces Secure Browser supports WebAuthn (Web Authentication) for websites accessed within the remote browser session. This allows users to authenticate to websites using their local FIDO2 security keys, biometric authenticators, and platform authenticators while browsing in their WorkSpaces Secure Browser session.

**Note**  
WebAuthn redirection is available for end users using Google Chrome 136 (or later) or Microsoft Edge 137 (or later). **This feature is not available for non-Chromium browsers such as Safari or Firefox.**  
**To enable WebAuthn redirection functionality, administrators must configure both:**  
+ **Portal User settings** - Enable WebAuthn redirection in the portal settings
+ **End-user local browser policies** - Configure the `WebAuthenticationRemoteDesktopAllowedOrigins` browser policy on user devices to allow WebAuthn redirection

**Topics**
+ [Enabling WebAuthn redirection in portal settings](enable-webauthn-portal.md)
+ [Configuring local browser policy for WebAuthn](configure-local-browser-policy.md)
+ [Using WebAuthn redirection in remote browser sessions](webauthn-usage.md)
+ [Troubleshooting WebAuthn redirection issues](webauthn-troubleshooting.md)

# Enabling WebAuthn redirection in portal settings
<a name="enable-webauthn-portal"></a>

To enable WebAuthn redirection for websites accessed within the remote browser session, follow these steps.

1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).

1. Choose **WorkSpaces Secure Browser**, then **Web portals**, select your web portal, and then choose **Edit**.

1. Navigate to the **User settings** section.

1. Under **User permissions**, set **Allow users to use local authentication in their portal session** to **Allowed**.

1. Choose **Save** to apply the configuration.

# Configuring local browser policy for WebAuthn
<a name="configure-local-browser-policy"></a>

In addition to enabling WebAuthn redirection in your portal settings, the local browser policy must be configured to allow WebAuthn requests to be redirected between the remote browser session and the user's local device. This configuration is typically managed by IT administrators in enterprise environments, or by individual users in BYOD scenarios.

The browser policy must include the WorkSpaces Secure Browser content domain for your region. Add the following origin to the `WebAuthenticationRemoteDesktopAllowedOrigins` policy based on your region:

`https://<region>.content.workspaces-web.com`

For example, in us-west-2: `https://us-west-2.content.workspaces-web.com`

The specific configuration method depends on whether you are managing browsers in an enterprise environment or configuring individual devices for BYOD users. For more information about the browser policy, see the [Chrome Enterprise policy documentation](https://chromeenterprise.google/policies/?policy=WebAuthenticationRemoteDesktopAllowedOrigins) and the [Microsoft Edge policy documentation](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#webauthenticationremotedesktopallowedorigins).

**Note**  
A browser restart may be required for the policy to take effect.
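As an added example (not code from the AWS documentation or the WorkSpaces Secure Browser service), the following Python helper derives the content origin for a region from the template above, checks a policy value against it the way you would when reading `chrome://policy`, and renders the Chromium managed-policy JSON drop-in used on Linux installs. The region-name pattern and the drop-in directories are assumptions; the origin template and policy name come from this page.

```python
import json
import re
from pathlib import Path

POLICY_NAME = "WebAuthenticationRemoteDesktopAllowedOrigins"
# Assumed shape of an AWS region name (e.g. us-west-2, eu-central-1, us-gov-west-1).
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
# Assumed managed-policy drop-in directories for Linux installs of each browser.
POLICY_DIRS = {
    "chrome": "etc/opt/chrome/policies/managed",
    "edge": "etc/opt/edge/policies/managed",
}


def content_origin(region: str) -> str:
    """Derive the WorkSpaces Secure Browser content origin for a region."""
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected region name: {region!r}")
    return f"https://{region}.content.workspaces-web.com"


def policy_allows(policy_value, region: str) -> bool:
    """Check whether a policy value (as shown on chrome://policy) allows the
    region's content origin. The match is deliberately exact: a different
    scheme, a trailing path, or a non-list value is reported as not allowed,
    so a misconfigured entry is not mistaken for a working one."""
    if not isinstance(policy_value, list):
        return False
    return content_origin(region) in policy_value


def managed_policy_json(regions) -> str:
    """Render the policy as a Chromium managed-policy JSON document."""
    origins = sorted({content_origin(r) for r in regions})
    return json.dumps({POLICY_NAME: origins}, indent=2) + "\n"


def write_linux_policy(regions, browser="chrome", root="/") -> Path:
    """Write the drop-in file under `root` (point root at a scratch directory to test)."""
    path = Path(root) / POLICY_DIRS[browser] / "workspaces-secure-browser-webauthn.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(managed_policy_json(regions))
    return path


if __name__ == "__main__":
    print(managed_policy_json(["us-west-2"]))
```

On Windows the same list is delivered through the browser's policy registry key or an ADMX template rather than a JSON file; the value checked on `chrome://policy` or `edge://policy` is the same either way.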

# Using WebAuthn redirection in remote browser sessions
<a name="webauthn-usage"></a>

Once WebAuthn redirection is enabled in the portal settings and the local browser policy is configured, users can use WebAuthn authentication on websites within their WorkSpaces Secure Browser remote browser sessions.

Users can authenticate to websites using:
+ FIDO2 security keys connected to their local device
+ Passkeys
+ Platform authenticators like Windows Hello or Touch ID

The WebAuthn authentication process is seamlessly forwarded from the remote browser session to the user's local device, providing secure passwordless authentication while maintaining the security benefits of the remote browsing environment.

# Troubleshooting WebAuthn redirection issues
<a name="webauthn-troubleshooting"></a>

If users experience issues with WebAuthn redirection in their remote browser sessions, use the following troubleshooting steps to identify and resolve common problems.

**Topics**
+ [WebAuthn redirection not working](webauthn-not-working.md)
+ [Common error messages](common-error-messages.md)

# WebAuthn redirection not working
<a name="webauthn-not-working"></a>

If WebAuthn authentication prompts do not appear or fail to work:

1. Verify WebAuthn is enabled in the portal settings under **User permissions**.

1. Check that the local browser policy is configured correctly by navigating to `chrome://policy` or `edge://policy` and confirming `WebAuthenticationRemoteDesktopAllowedOrigins` includes your region's content URL.

1. Ensure the browser version meets the requirements: Chrome 136+ or Edge 137+.

1. Test with a different authenticator (security key vs. platform authenticator).

# Common error messages
<a name="common-error-messages"></a>

The following are common error messages and their resolutions:

**WebAuthn error messages and resolutions**  

| Error message | Resolution | 
| --- | --- | 
| Amazon DCV WebAuthn redirection failed to complete the registration request: Webauthn redirection is not supported by the client | Check that you are using a supported browser and version (Chrome 136+ or Edge 137+). | 
| Prompt appears but unable to interact with local authenticators | Check that the Amazon DCV WebAuthn redirection extension is installed and enabled in your remote browser. | 
| Amazon DCV WebAuthn redirection failed to complete the registration request: The relying party ID is not a registrable domain suffix of, nor equal to the current domain. Subsequently, an attempt to fetch the .well-known/webauthn resource of the claimed RP ID failed. | This means that the `WebAuthenticationRemoteDesktopAllowedOrigins` local browser policy is not applied. Check the policy and update it to allow the content domain. Ensure that the browser is restarted. You may have to start a new session for changes to apply. | 
| The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client. | This error could occur if: (1) The DCV WebAuthn redirection extension is not installed or enabled, (2) The user cancels the authentication prompt, (3) The user enters an incorrect PIN for their security key, or (4) The user does not interact with the prompt and the request times out. | 