dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1718efe6d5
lemonldap-ng/doc/pages/documentation/current/u2f.html
Xavier Guimard ce59789747 Update doc
2019-06-28 16:53:45 +02:00

167 lines
8.9 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:u2f</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,u2f"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="u2f.html"/>
<link rel="contents" href="u2f.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:u2f","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#prerequisites_and_dependencies">Prerequisites and dependencies</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level1"><div class="li"><a href="#browser_compatibility">Browser compatibility</a></div></li>
<li class="level1"><div class="li"><a href="#enrollment">Enrollment</a></div></li>
<li class="level1"><div class="li"><a href="#assistance">Assistance</a></div></li>
<li class="level1"><div class="li"><a href="#developer_corner">Developer corner</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="universal_2nd_factor_authentication_u2f">Universal 2nd Factor Authentication (U2F)</h1>
<div class="level1">
<p>
<a href="https://en.wikipedia.org/wiki/Universal_2nd_Factor" class="urlextern" title="https://en.wikipedia.org/wiki/Universal_2nd_Factor" rel="nofollow">Universal 2nd Factor</a> (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.
</p>
<p>
LLNG can propose to users to register their keys. When done, 2F registered users can not login without using their key.
</p>
<div class="notetip">Note that it&#039;s a second factor, not an authentication module. Users are authenticated by both login form and U2F form.
</div>
</div>
<!-- EDIT1 SECTION "Universal 2nd Factor Authentication (U2F)" [1-529] -->
<h2 class="sectionedit2" id="prerequisites_and_dependencies">Prerequisites and dependencies</h2>
<div class="level2">
<p>
This feature uses <a href="https://metacpan.org/pod/Crypt::U2F::Server::Simple" class="urlextern" title="https://metacpan.org/pod/Crypt::U2F::Server::Simple" rel="nofollow">Crypt::U2F::Server::Simple</a> that is only available on CPAN repository for now. Before compiling it, you must install Yubico&#039;s C library headers (called libu2f-server-dev on Debian).
</p>
<div class="noteimportant">An HTTPS portal is required to use U2F
</div>
</div>
<!-- EDIT2 SECTION "Prerequisites and dependencies" [530-891] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<p>
In the manager (second factors), you just have to enable it:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: set it to “on”</div>
</li>
<li class="level1"><div class="li"> <strong>Self registration</strong>: set it to “on” if users are authorized to register their keys</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: you can overwrite here auth level for U2F registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only for enrolled users</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Allow users to remove U2F key</strong>: If enabled, users can unregister enrolled U2F device.</div>
</li>
<li class="level1"><div class="li"> <strong>Lifetime</strong>: Unlimited by default. Set a Time To Live in seconds. TTL is checked at each login process if set. If TTL is expired, relative 2F device is removed.</div>
</li>
</ul>
<div class="noteimportant">If you want to use a custom rule for “activation” and enable self-registration, you have to include this in your rule: <code>$_2fDevices =~ /“type”:\s*“U2F”/s</code>, else U2F will be required even if users are not registered. This is automatically done when “activation” is set to “on”.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [892-1992] -->
<h2 class="sectionedit4" id="browser_compatibility">Browser compatibility</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Chrome/Chromium ≥ 38</div>
</li>
<li class="level1"><div class="li"> Firefox :</div>
<ul>
<li class="level2"><div class="li"> 38 to 56 with <a href="https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/" class="urlextern" title="https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/" rel="nofollow">U2F Support Add-on</a></div>
</li>
<li class="level2"><div class="li"> 57 to 59, with “security.webauth.u2f” set to “true” in “about:config” <em>(see <a href="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/" class="urlextern" title="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/" rel="nofollow">Yubico explanations</a>)</em></div>
</li>
<li class="level2"><div class="li"> probably enabled by default for versions ≥ 60</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Opera ≥ 40</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Browser compatibility" [1993-2433] -->
<h2 class="sectionedit5" id="enrollment">Enrollment</h2>
<div class="level2">
<p>
If you have enabled self registration, users can register their U2F keys using <a href="https://portal/2fregisters" class="urlextern" title="https://portal/2fregisters" rel="nofollow">https://portal/2fregisters</a>
</p>
</div>
<!-- EDIT5 SECTION "Enrollment" [2434-2564] -->
<h2 class="sectionedit6" id="assistance">Assistance</h2>
<div class="level2">
<p>
If a user loses its key, you can delete it from the manager Second Factor module. To enable manager Second Factor Administration Module, set <code>enabledModules</code> key in your <code>lemonldap-ng.ini</code> file :
</p>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT6 SECTION "Assistance" [2565-2872] -->
<h2 class="sectionedit7" id="developer_corner">Developer corner</h2>
<div class="level2">
<p>
If you have another U2F registration interface, you have to set these keys in Second Factor Devices array (JSON) in your user-database. Then map it to the _2fDevices attribute <em>(see <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a>)</em>:
</p>
<pre class="code file json">$_2fDevices = [{&quot;name&quot; : &quot;MyU2FKey&quot; , &quot;type&quot; : &quot;U2F&quot; , &quot;_userKey&quot; : &quot;########&quot; , &quot;_keyHandle&quot;:&quot;########&quot; , &quot;epoch&quot;:&quot;1524078936&quot;}, ...]</pre>
<div class="noteimportant"><code>_userKey</code> must be base64 encoded
</div>
<p>
Note that both “origin” and “appId” are fixed to portal <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
</div>
<!-- EDIT7 SECTION "Developer corner" [2873-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink