WebAutn redirection and IWA
8 views
Skip to first unread message
Xtralogic
Jun 5, 2026, 8:43:17 PM (6 days ago) Jun 5
to iwa-dev
We are getting requests to implement WebAutn redirection support in our Xtralogic Remote Desktop IWA app.
The implementation requires support for remoteDesktopClientOverride extension in navigator.credentials.get({publicKey:{...}} (see explainer at https://github.com/w3c/webauthn/wiki/Explainer:-Remote-Desktop-Support/a4e158c569f456c759d0ddd294a9015bd4d4eb9a)
Is remoteDesktopClientOverride supported for IWA apps on ChromeOS and if yes, how to enable it? Using JSON configuration for WebAuthenticationRemoteDesktopAllowedOrigins policy on ChromeOS (https://chromeenterprise.google/policies/?policy=WebAuthenticationRemoteDesktopAllowedOrigins) does not seem to work.
The implementation requires support for remoteDesktopClientOverride extension in navigator.credentials.get({publicKey:{...}} (see explainer at https://github.com/w3c/webauthn/wiki/Explainer:-Remote-Desktop-Support/a4e158c569f456c759d0ddd294a9015bd4d4eb9a)
Is remoteDesktopClientOverride supported for IWA apps on ChromeOS and if yes, how to enable it? Using JSON configuration for WebAuthenticationRemoteDesktopAllowedOrigins policy on ChromeOS (https://chromeenterprise.google/policies/?policy=WebAuthenticationRemoteDesktopAllowedOrigins) does not seem to work.
Olga Korokhina
Jun 8, 2026, 9:32:07 AM (4 days ago) Jun 8
to iwa-dev, Xtralogic
Greetings! You're correct, you need to set up the remoteDesktopClientOverride extensions with the list of allowed relying party ids, and add permissions permissions_policy.publickey-credentials-get (and publickey-credentials-create if needed) in your IWA manifest. Then you need to add your IWA's origin (isolated-app://[your IWA bundle id]) to the list managed by WebAuthenticationRemoteDesktopAllowedOrigins policy. And here we enter the gray zone: recently you cannot set this policy values via Google Admin Panel, we are working on it actively, ETA is the end of Q2 2026. Without an ability to set up values of this policy via Admin Panel you can set it via custom JSON configuration for Windows, Mac, Linux and Android but not for Chrome OS. For the Chrome OS the only way to set this policy will be via Admin Panel, so you have to wait.
Important: WebAuthn for VDI will work for affiliated users only (user profile belonging to same organization as the device) on CrOS for Chrome Browser 147+ and on W/M/L/Android for Chrome Browser 151+. You're expected to get the meaningful error message if user is not affiliated.
Please let me know if I can help you with anything else,
Please let me know if I can help you with anything else,
- Olga
Xtralogic
Jun 8, 2026, 4:16:59 PM (3 days ago) Jun 8
to iwa-dev, Olga Korokhina, Xtralogic
Hi Olga! Thank you for the prompt response. I hope the Google Admin Panel support for
WebAuthenticationRemoteDesktopAllowedOrigins will be available soon.
Reply all
Reply to author
Forward
0 new messages