webauthn

3 years ago · f1db477fda
6 changed files with 106 additions and 6 deletions
--- a/lam/docs/manual-sources/appendix-security.xml
+++ b/lam/docs/manual-sources/appendix-security.xml
@ -445,4 +445,51 @@ semodule -i httpdlocal.pp</programlisting>
 </programlisting>
    </section>
  </section>
+
+  <section id="a_webauthn">
+    <title>Webauthn/FIDO2</title>
+
+    <para>LAM allows to secure logins via <ulink
+    url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink>. This
+    means your users login with their LDAP password and an additional hardware
+    token (e.g. Yubico Security Key, Windows Hello and many more).</para>
+
+    <para>Webauthn/FIDO2 is a very strong 2-factor-authentication method as it
+    also checks the website domain. This prevents attacks via web
+    proxies.</para>
+
+    <para>To use this feature you need to activate the 2-factor authentication
+    in LAM.</para>
+
+    <para><emphasis role="bold">LAM admin interface</emphasis></para>
+
+    <para>Please activate Webauthn/FIDO2 in your <link
+    linkend="conf_serverprofile_2fa">LAM server profile</link>. Then users
+    will be asked to authenticate via Webauthn/FIDO2 on each login.</para>
+
+    <para>If no device is registered for a user then LAM will ask for this
+    during login. Afterwards, users can manage their devices with the <link
+    linkend="tool_webauthn">Webauthn tool</link>.</para>
+
+    <para><emphasis role="bold">LAM Self Service</emphasis></para>
+
+    <para>Please activate Webauthn/FIDO2 in your <link
+    linkend="selfservice_2fa">LAM self service profile</link>. Then users will
+    be asked to authenticate via Webauthn/FIDO2 on each login.</para>
+
+    <para>If no device is registered for a user then LAM will ask for this
+    during login. Afterwards, users can manage their devices with the <link
+    linkend="selfservice_fields">Webauthn field</link>.</para>
+
+    <para><emphasis role="bold">Global device management</emphasis></para>
+
+    <para>This is for cases where one of your users has no more access to his
+    device and cannot login anymore. In this case you can delete his device(s)
+    in the <link linkend="confmain_webauthn">LAM main
+    configuration</link>.</para>
+
+    <para>Note that devices can only be deleted. Registration of devices can
+    only be done by the user during login or on the management pages listed
+    above.</para>
+  </section>
 </appendix>
--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@ -259,8 +259,11 @@
      </screenshot>
    </section>

-    <section>
-      <title>Webauthn devices</title>
+    <section id="confmain_webauthn">
+      <title>Webauthn/FIDO2 devices</title>
+
+      <para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
+      for an overview about Webauthn/FIDO2 in LAM.</para>

      <para>Here you can delete any webauthn device registrations. This
      section is only shown if at least one device is registered.</para>
@ -655,7 +658,8 @@
          </mediaobject>
        </screenshot>

-        <para><emphasis role="bold">2-factor authentication</emphasis></para>
+        <para id="conf_serverprofile_2fa"><emphasis role="bold">2-factor
+        authentication</emphasis></para>

        <para>LAM supports 2-factor authentication for your users. This means
        the user will not only authenticate by user+password but also with
@ -783,6 +787,9 @@

        <para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>

+        <para>See the <link linkend="a_webauthn">Webauthn/FIDO2
+        appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
+
        <para>Users will be asked to register a device during login if no
        device is setup.</para>

--- a/lam/docs/manual-sources/chapter-selfService.xml
+++ b/lam/docs/manual-sources/chapter-selfService.xml
@ -304,7 +304,7 @@

      <para/>

-      <section>
+      <section id="selfservice_2fa">
        <title>2-factor authentication</title>

        <para>LAM supports 2-factor authentication for your users. This means
@ -329,6 +329,11 @@
          <listitem>
            <para><ulink url="https://duo.com/">Duo</ulink></para>
          </listitem>
+
+          <listitem>
+            <para><ulink
+            url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink></para>
+          </listitem>
        </itemizedlist>

        <para><emphasis role="bold">privacyIDEA</emphasis></para>
@ -424,6 +429,30 @@
          </listitem>
        </itemizedlist>

+        <para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>
+
+        <para>See the <link linkend="a_webauthn">Webauthn/FIDO2
+        appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
+
+        <para>Users will be asked to register a device during login if no
+        device is setup.</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Domain: Please enter the WebAuthn domain. This is the public
+            domain of the web server (e.g. "example.com"). Do not include
+            protocol or port. Browsers will reject authentication if the
+            domain does not match the web server domain.</para>
+          </listitem>
+
+          <listitem>
+            <para>Optional: By default LAM will enforce to use a 2FA device
+            and reject users that do not setup one. You can set this check to
+            optional. But if a user has setup a device then this will always
+            be required.</para>
+          </listitem>
+        </itemizedlist>
+
        <screenshot>
          <mediaobject>
            <imageobject>
@ -495,7 +524,8 @@
        </mediaobject>
      </screenshot>

-      <para><emphasis role="bold">Possible input fields</emphasis></para>
+      <para id="selfservice_fields"><emphasis role="bold">Possible input
+      fields</emphasis></para>

      <para>This is a list of input fields you may add to the self service
      page.</para>
@ -985,6 +1015,19 @@
              each time the Windows password is changed.</entry>
            </row>

+            <row>
+              <entry><inlinemediaobject>
+                  <imageobject>
+                    <imagedata fileref="images/webauthn.png"/>
+                  </imageobject>
+                </inlinemediaobject>Webauthn</entry>
+
+              <entry>Webauthn devices</entry>
+
+              <entry>Allows the user to manage his webauthn/FIDO2 security
+              keys.</entry>
+            </row>
+
            <row>
              <entry morerows="1"><inlinemediaobject>
                  <imageobject>
--- a/lam/docs/manual-sources/chapter-tools.xml
+++ b/lam/docs/manual-sources/chapter-tools.xml
@ -423,6 +423,9 @@
  <section>
    <title id="tool_webauthn">Webauthn devices</title>

+    <para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
+    for an overview about Webauthn/FIDO2 in LAM.</para>
+
    <para>Here you can manage your webauthn/FIDO2 devices.</para>

    <para>You can register additional security devices and remove old ones. If
--- a/lam/docs/manual-sources/images/webauthn.png
+++ b/lam/docs/manual-sources/images/webauthn.png
--- a/lam/lib/tools/webauthn.inc
+++ b/lam/lib/tools/webauthn.inc
@ -43,7 +43,7 @@ class toolWebauthn implements \LAMTool {
 	 * @return string name
 	 */
 	 function getName() {
-	 	return "Webauthn";
+	 	return _('Webauthn devices');
 	 }

 	/**