From f1db477fda627298371e2dfe49c475e2cc07d60d Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Sun, 12 Jan 2020 10:57:39 +0100
Subject: [PATCH] webauthn

---
 lam/docs/manual-sources/appendix-security.xml |  47 ++++++++++++++++++
 .../manual-sources/chapter-configuration.xml  |  13 +++--
 .../manual-sources/chapter-selfService.xml    |  47 +++++++++++++++++-
 lam/docs/manual-sources/chapter-tools.xml     |   3 ++
 lam/docs/manual-sources/images/webauthn.png   | Bin 0 -> 810 bytes
 lam/lib/tools/webauthn.inc                    |   2 +-
 6 files changed, 106 insertions(+), 6 deletions(-)
 create mode 100644 lam/docs/manual-sources/images/webauthn.png

diff --git a/lam/docs/manual-sources/appendix-security.xml b/lam/docs/manual-sources/appendix-security.xml
index 497b483b..0ed2b02f 100644
--- a/lam/docs/manual-sources/appendix-security.xml
+++ b/lam/docs/manual-sources/appendix-security.xml
@@ -445,4 +445,51 @@ semodule -i httpdlocal.pp</programlisting>
 </programlisting>
     </section>
   </section>
+
+  <section id="a_webauthn">
+    <title>Webauthn/FIDO2</title>
+
+    <para>LAM allows to secure logins via <ulink
+    url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink>. This
+    means your users login with their LDAP password and an additional hardware
+    token (e.g. Yubico Security Key, Windows Hello and many more).</para>
+
+    <para>Webauthn/FIDO2 is a very strong 2-factor-authentication method as it
+    also checks the website domain. This prevents attacks via web
+    proxies.</para>
+
+    <para>To use this feature you need to activate the 2-factor authentication
+    in LAM.</para>
+
+    <para><emphasis role="bold">LAM admin interface</emphasis></para>
+
+    <para>Please activate Webauthn/FIDO2 in your <link
+    linkend="conf_serverprofile_2fa">LAM server profile</link>. Then users
+    will be asked to authenticate via Webauthn/FIDO2 on each login.</para>
+
+    <para>If no device is registered for a user then LAM will ask for this
+    during login. Afterwards, users can manage their devices with the <link
+    linkend="tool_webauthn">Webauthn tool</link>.</para>
+
+    <para><emphasis role="bold">LAM Self Service</emphasis></para>
+
+    <para>Please activate Webauthn/FIDO2 in your <link
+    linkend="selfservice_2fa">LAM self service profile</link>. Then users will
+    be asked to authenticate via Webauthn/FIDO2 on each login.</para>
+
+    <para>If no device is registered for a user then LAM will ask for this
+    during login. Afterwards, users can manage their devices with the <link
+    linkend="selfservice_fields">Webauthn field</link>.</para>
+
+    <para><emphasis role="bold">Global device management</emphasis></para>
+
+    <para>This is for cases where one of your users has no more access to his
+    device and cannot login anymore. In this case you can delete his device(s)
+    in the <link linkend="confmain_webauthn">LAM main
+    configuration</link>.</para>
+
+    <para>Note that devices can only be deleted. Registration of devices can
+    only be done by the user during login or on the management pages listed
+    above.</para>
+  </section>
 </appendix>
diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml
index dba4bed7..16b71aad 100644
--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@@ -259,8 +259,11 @@
       </screenshot>
     </section>
 
-    <section>
-      <title>Webauthn devices</title>
+    <section id="confmain_webauthn">
+      <title>Webauthn/FIDO2 devices</title>
+
+      <para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
+      for an overview about Webauthn/FIDO2 in LAM.</para>
 
       <para>Here you can delete any webauthn device registrations. This
       section is only shown if at least one device is registered.</para>
@@ -655,7 +658,8 @@
           </mediaobject>
         </screenshot>
 
-        <para><emphasis role="bold">2-factor authentication</emphasis></para>
+        <para id="conf_serverprofile_2fa"><emphasis role="bold">2-factor
+        authentication</emphasis></para>
 
         <para>LAM supports 2-factor authentication for your users. This means
         the user will not only authenticate by user+password but also with
@@ -783,6 +787,9 @@
 
         <para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>
 
+        <para>See the <link linkend="a_webauthn">Webauthn/FIDO2
+        appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
+
         <para>Users will be asked to register a device during login if no
         device is setup.</para>
 
diff --git a/lam/docs/manual-sources/chapter-selfService.xml b/lam/docs/manual-sources/chapter-selfService.xml
index eebead07..a3b72a40 100644
--- a/lam/docs/manual-sources/chapter-selfService.xml
+++ b/lam/docs/manual-sources/chapter-selfService.xml
@@ -304,7 +304,7 @@
 
       <para/>
 
-      <section>
+      <section id="selfservice_2fa">
         <title>2-factor authentication</title>
 
         <para>LAM supports 2-factor authentication for your users. This means
@@ -329,6 +329,11 @@
           <listitem>
             <para><ulink url="https://duo.com/">Duo</ulink></para>
           </listitem>
+
+          <listitem>
+            <para><ulink
+            url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink></para>
+          </listitem>
         </itemizedlist>
 
         <para><emphasis role="bold">privacyIDEA</emphasis></para>
@@ -424,6 +429,30 @@
           </listitem>
         </itemizedlist>
 
+        <para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>
+
+        <para>See the <link linkend="a_webauthn">Webauthn/FIDO2
+        appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
+
+        <para>Users will be asked to register a device during login if no
+        device is setup.</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Domain: Please enter the WebAuthn domain. This is the public
+            domain of the web server (e.g. "example.com"). Do not include
+            protocol or port. Browsers will reject authentication if the
+            domain does not match the web server domain.</para>
+          </listitem>
+
+          <listitem>
+            <para>Optional: By default LAM will enforce to use a 2FA device
+            and reject users that do not setup one. You can set this check to
+            optional. But if a user has setup a device then this will always
+            be required.</para>
+          </listitem>
+        </itemizedlist>
+
         <screenshot>
           <mediaobject>
             <imageobject>
@@ -495,7 +524,8 @@
         </mediaobject>
       </screenshot>
 
-      <para><emphasis role="bold">Possible input fields</emphasis></para>
+      <para id="selfservice_fields"><emphasis role="bold">Possible input
+      fields</emphasis></para>
 
       <para>This is a list of input fields you may add to the self service
       page.</para>
@@ -985,6 +1015,19 @@
               each time the Windows password is changed.</entry>
             </row>
 
+            <row>
+              <entry><inlinemediaobject>
+                  <imageobject>
+                    <imagedata fileref="images/webauthn.png"/>
+                  </imageobject>
+                </inlinemediaobject>Webauthn</entry>
+
+              <entry>Webauthn devices</entry>
+
+              <entry>Allows the user to manage his webauthn/FIDO2 security
+              keys.</entry>
+            </row>
+
             <row>
               <entry morerows="1"><inlinemediaobject>
                   <imageobject>
diff --git a/lam/docs/manual-sources/chapter-tools.xml b/lam/docs/manual-sources/chapter-tools.xml
index 436d8853..63ffcb1d 100644
--- a/lam/docs/manual-sources/chapter-tools.xml
+++ b/lam/docs/manual-sources/chapter-tools.xml
@@ -423,6 +423,9 @@
   <section>
     <title id="tool_webauthn">Webauthn devices</title>
 
+    <para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
+    for an overview about Webauthn/FIDO2 in LAM.</para>
+
     <para>Here you can manage your webauthn/FIDO2 devices.</para>
 
     <para>You can register additional security devices and remove old ones. If
diff --git a/lam/docs/manual-sources/images/webauthn.png b/lam/docs/manual-sources/images/webauthn.png
new file mode 100644
index 0000000000000000000000000000000000000000..31072bb20ff9bf505cb2154d0186f69c6757ab2b
GIT binary patch
literal 810
zcmV+_1J(SAP)<h;3K|Lk000e1NJLTq000mG000mO1^@s6AM^iV00006VoOIv0RI60
z0RN!9r;`8x010qNS#tmY4c7nw4c7reD4Tcy000McNliru<N*Z{4I!_bjp6_R0=G#-
zK~y-)ZIjJwT}2p&pLu7_$2~W>xgoiR(ln7$N*j<u7fKgJD+p4$5p<`b#Sd%{`~$kU
zE?gHB16_3E)`b{Bkt(GYv{V;%Q4AWPCdSCMiMi)~ojd2885e0nV)Mc*2Hxl4_s;Mt
z4yc#zHN(cn)I6nr)Bb$?sH)j7x3b{XPv_5d|KF?jUM}7E_?XxJ1<><2nZ+6G?UQ&B
zq~Z!cl6`G7SFXPH?6;2y-o5eRbfIN6mIxuhImmL4y?vaC@d}gU6;?I|^sJ}ySm()w
zm!J6&!0ZTyffrp0XQt)|Bp}uyi@)DRc~4}7r9avno~qIt4k?_I9d1`(a<l10SlU`=
zz1!wcG67z|dBCH*hli)M_O~5w*R*hMzKfTvs$*tG8jJ=NaB3Hto2@a(3Y2nOd*k`d
zM-l+wrMJBGPmCAvdOLylthajn^<V%Zs7SfJ$UcGpZfev!0nvC7FbZ>eV_Sv*g7W(B
zy^QSp(@aTSC!Bp^hKVSFfks81nMRGr8)Hn?5>(*ReF<KF>yxKck*~(_XzG+Ns}*Cc
zEvd$ajdTcJ5U)`Pp(vb}{>6*eMn$5rLgj}9+}mEu+VcIox0HC>ZfC@y&`z_54=5PX
z<fY#p0lm4hw)|5;u`0+b2G5b)=9Fb{qP4O*h=V%Uze!PHfQ~|3221x_1i7a3pilSL
z&4wqM&2vi>hDXduoL=}db<ZhfzG%1pjmwb%ozfA6hAhh|@0G-HNEjN*!qH9pr<5`b
z`n?ObU%#&J-1(}Uoj%*~ic`Sk^z=lOR3oZM#8@q%n#5RJ5Jd*16#aosfm_9}SXf+q
zr@e2Pn$4!%{6S8R9UgzN8rCnDLub@c1=_6jmRs+4*3$2vKI49AHk<CiZQNV$UHPnT
oZSpyD`li<QgOARiA0E{AAC3Vi()(mrb^rhX07*qoM6N<$f|nABp8x;=

literal 0
HcmV?d00001

diff --git a/lam/lib/tools/webauthn.inc b/lam/lib/tools/webauthn.inc
index eb97ec29..ab0317ae 100644
--- a/lam/lib/tools/webauthn.inc
+++ b/lam/lib/tools/webauthn.inc
@@ -43,7 +43,7 @@ class toolWebauthn implements \LAMTool {
 	 * @return string name
 	 */
 	 function getName() {
-	 	return "Webauthn";
+	 	return _('Webauthn devices');
 	 }
 
 	/**