This commit is contained in:
Roland Gruber 2020-01-12 10:57:39 +01:00
parent 691055b83e
commit f1db477fda
6 changed files with 106 additions and 6 deletions

View File

@ -445,4 +445,51 @@ semodule -i httpdlocal.pp</programlisting>
</programlisting>
</section>
</section>
<section id="a_webauthn">
<title>Webauthn/FIDO2</title>
<para>LAM allows to secure logins via <ulink
url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink>. This
means your users login with their LDAP password and an additional hardware
token (e.g. Yubico Security Key, Windows Hello and many more).</para>
<para>Webauthn/FIDO2 is a very strong 2-factor-authentication method as it
also checks the website domain. This prevents attacks via web
proxies.</para>
<para>To use this feature you need to activate the 2-factor authentication
in LAM.</para>
<para><emphasis role="bold">LAM admin interface</emphasis></para>
<para>Please activate Webauthn/FIDO2 in your <link
linkend="conf_serverprofile_2fa">LAM server profile</link>. Then users
will be asked to authenticate via Webauthn/FIDO2 on each login.</para>
<para>If no device is registered for a user then LAM will ask for this
during login. Afterwards, users can manage their devices with the <link
linkend="tool_webauthn">Webauthn tool</link>.</para>
<para><emphasis role="bold">LAM Self Service</emphasis></para>
<para>Please activate Webauthn/FIDO2 in your <link
linkend="selfservice_2fa">LAM self service profile</link>. Then users will
be asked to authenticate via Webauthn/FIDO2 on each login.</para>
<para>If no device is registered for a user then LAM will ask for this
during login. Afterwards, users can manage their devices with the <link
linkend="selfservice_fields">Webauthn field</link>.</para>
<para><emphasis role="bold">Global device management</emphasis></para>
<para>This is for cases where one of your users has no more access to his
device and cannot login anymore. In this case you can delete his device(s)
in the <link linkend="confmain_webauthn">LAM main
configuration</link>.</para>
<para>Note that devices can only be deleted. Registration of devices can
only be done by the user during login or on the management pages listed
above.</para>
</section>
</appendix>

View File

@ -259,8 +259,11 @@
</screenshot>
</section>
<section>
<title>Webauthn devices</title>
<section id="confmain_webauthn">
<title>Webauthn/FIDO2 devices</title>
<para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
for an overview about Webauthn/FIDO2 in LAM.</para>
<para>Here you can delete any webauthn device registrations. This
section is only shown if at least one device is registered.</para>
@ -655,7 +658,8 @@
</mediaobject>
</screenshot>
<para><emphasis role="bold">2-factor authentication</emphasis></para>
<para id="conf_serverprofile_2fa"><emphasis role="bold">2-factor
authentication</emphasis></para>
<para>LAM supports 2-factor authentication for your users. This means
the user will not only authenticate by user+password but also with
@ -783,6 +787,9 @@
<para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>
<para>See the <link linkend="a_webauthn">Webauthn/FIDO2
appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
<para>Users will be asked to register a device during login if no
device is setup.</para>

View File

@ -304,7 +304,7 @@
<para/>
<section>
<section id="selfservice_2fa">
<title>2-factor authentication</title>
<para>LAM supports 2-factor authentication for your users. This means
@ -329,6 +329,11 @@
<listitem>
<para><ulink url="https://duo.com/">Duo</ulink></para>
</listitem>
<listitem>
<para><ulink
url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink></para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">privacyIDEA</emphasis></para>
@ -424,6 +429,30 @@
</listitem>
</itemizedlist>
<para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>
<para>See the <link linkend="a_webauthn">Webauthn/FIDO2
appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
<para>Users will be asked to register a device during login if no
device is setup.</para>
<itemizedlist>
<listitem>
<para>Domain: Please enter the WebAuthn domain. This is the public
domain of the web server (e.g. "example.com"). Do not include
protocol or port. Browsers will reject authentication if the
domain does not match the web server domain.</para>
</listitem>
<listitem>
<para>Optional: By default LAM will enforce to use a 2FA device
and reject users that do not setup one. You can set this check to
optional. But if a user has setup a device then this will always
be required.</para>
</listitem>
</itemizedlist>
<screenshot>
<mediaobject>
<imageobject>
@ -495,7 +524,8 @@
</mediaobject>
</screenshot>
<para><emphasis role="bold">Possible input fields</emphasis></para>
<para id="selfservice_fields"><emphasis role="bold">Possible input
fields</emphasis></para>
<para>This is a list of input fields you may add to the self service
page.</para>
@ -985,6 +1015,19 @@
each time the Windows password is changed.</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/webauthn.png"/>
</imageobject>
</inlinemediaobject>Webauthn</entry>
<entry>Webauthn devices</entry>
<entry>Allows the user to manage his webauthn/FIDO2 security
keys.</entry>
</row>
<row>
<entry morerows="1"><inlinemediaobject>
<imageobject>

View File

@ -423,6 +423,9 @@
<section>
<title id="tool_webauthn">Webauthn devices</title>
<para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
for an overview about Webauthn/FIDO2 in LAM.</para>
<para>Here you can manage your webauthn/FIDO2 devices.</para>
<para>You can register additional security devices and remove old ones. If

Binary file not shown.

After

Width:  |  Height:  |  Size: 810 B

View File

@ -43,7 +43,7 @@ class toolWebauthn implements \LAMTool {
* @return string name
*/
function getName() {
return "Webauthn";
return _('Webauthn devices');
}
/**