Deploying FIDO2 with GreenRADIUS for PHP-powered websites
Prerequisites
- A web application which supports PHP integration and has a valid TLS certificate installed (browsers only expose the WebAuthn API to secure contexts, so the site must be served over HTTPS)
- PHP 7.3.27 or later
- GreenRADIUS v4.5.7.7 or later
Configuration Instructions
- Download and unzip the FIDO2 relying party installation package.
- The module is divided into two sections. One is written in JavaScript and runs in the client's browser; the other is written in PHP and runs server-side. These are stored in the js/ and php/ subdirectories, respectively, of the installation package. Both need to be installed in your web application; the exact location and configuration depend on your specific web server. In this guide, the location of the PHP modules will be referred to as $PHPCLIENT and the location of the JavaScript modules as $JSCLIENT.
- Configure $PHPCLIENT/config.php. The following should be configured:
  - server: IP address/hostname of the GreenRADIUS server to authenticate against.
  - relying-party: A valid domain string that identifies the FIDO2 relying party (e.g. fido2demo.com). The same identifier will have to be configured on the GreenRADIUS FIDO2 server. Browsers only accept a relying party identifier that equals the site's hostname or a parent domain of it (fido2demo.com is valid for www.fido2demo.com, but not for an unrelated domain), so it must match the domain the site is actually served from.
  - client-id: A unique identifier for this particular client. The same ID must be configured in GreenRADIUS and cannot be shared by any other client.
  - shared-secret: A shared secret key to authenticate the client module with GreenRADIUS. The same secret must also be configured in GreenRADIUS. Generate it randomly and keep config.php readable only by the web server process.
- In GreenRADIUS, go to Global Configuration > Client-Based Authentication Policies and select Add a New Client.
- Populate the new client with the same client ID, shared secret, and relying party identifier as in the $PHPCLIENT/config.php file. Set the client type to FIDO2_Web_API, and configure the other settings as preferred.
- You can now begin to develop your application. To help with this, a minimal example site has been provided as part of the installation package in the demosite/ directory. To deploy the demo site, place the $JSCLIENT files into the same directory as the demo site, and place the $PHPCLIENT files so that auth.php is accessible at the /mgmt-api/ path on the server. You may need to make adjustments depending on your particular configuration.
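Before copying the four values into GreenRADIUS, it is worth checking that they are consistent with each other and with the WebAuthn relying-party rules, since a mismatched relying-party value only shows up later as a browser refusing to register or authenticate. The following PHP is an added example, not code from the GreenRADIUS package: it assumes config.php exposes its settings as an associative array with the four keys named above (the real file's layout may differ), uses a constructed sample config and hostname, and applies a 16-character minimum for the shared secret that is an assumption rather than a documented GreenRADIUS requirement.

```php
<?php
// Added example, not part of the GreenRADIUS package: sanity-check the values
// destined for $PHPCLIENT/config.php before deploying. The array layout is an
// assumption; adapt the key lookups to however your config.php stores them.

declare(strict_types=1);

/**
 * Returns a list of human-readable problems (empty array means the config looks sane).
 * $siteHost is the hostname the browser sees in the address bar, without a port.
 */
function validate_fido2_config(array $cfg, string $siteHost): array
{
    $errors = [];

    // server: an IP address or a syntactically valid hostname, with no scheme or path.
    $server = trim((string)($cfg['server'] ?? ''));
    if ($server === '') {
        $errors[] = 'server is empty';
    } elseif (filter_var($server, FILTER_VALIDATE_IP) === false
        && filter_var($server, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        $errors[] = "server '$server' is neither an IP address nor a valid hostname";
    }

    // relying-party: WebAuthn requires the RP ID to equal the site's host or be a
    // registrable suffix of it (fido2demo.com is valid for www.fido2demo.com; an
    // unrelated domain is not). Whether the suffix is actually "registrable"
    // (e.g. not bare "com") is not checked here; that would need a public suffix list.
    $rp   = strtolower(trim((string)($cfg['relying-party'] ?? '')));
    $host = strtolower(trim($siteHost));
    if ($rp === '') {
        $errors[] = 'relying-party is empty';
    } elseif (filter_var($rp, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        // FILTER_FLAG_HOSTNAME rejects schemes, ports and paths, so "https://x" or "x:443" fail here.
        $errors[] = "relying-party '$rp' must be a bare domain name (no scheme, port or path)";
    } elseif ($rp !== $host && substr($host, -(strlen($rp) + 1)) !== '.' . $rp) {
        $errors[] = "relying-party '$rp' is neither the site host '$host' nor a parent domain of it";
    }

    // client-id: a single opaque token; whitespace inside it is almost certainly a paste error.
    $clientId = (string)($cfg['client-id'] ?? '');
    if ($clientId === '' || preg_match('/\s/', $clientId) === 1) {
        $errors[] = 'client-id must be a non-empty token without whitespace';
    }

    // shared-secret: the package does not state a minimum length; 16 characters is an
    // assumed floor for a value that authenticates this web app to GreenRADIUS.
    $secret = (string)($cfg['shared-secret'] ?? '');
    if (strlen($secret) < 16) {
        $errors[] = 'shared-secret is shorter than 16 characters (assumed minimum)';
    } elseif (preg_match('/^(changeme|password|secret)$/i', $secret) === 1) {
        $errors[] = 'shared-secret is a placeholder value';
    }

    return $errors;
}

// Constructed sample values; the domain, client ID and secret are placeholders.
$cfg = [
    'server'        => 'greenradius.fido2demo.com',
    'relying-party' => 'fido2demo.com',
    'client-id'     => 'php-portal-01',
    'shared-secret' => 'replace-with-a-long-random-value',
];

// In a real request strip any :port first, e.g. explode(':', $_SERVER['HTTP_HOST'])[0].
$siteHost = 'www.fido2demo.com';
$errors   = validate_fido2_config($cfg, $siteHost);

if ($errors === []) {
    echo "config.php values are consistent with the FIDO2 relying party rules\n";
} else {
    foreach ($errors as $e) {
        echo "config.php problem: $e\n";
    }
}
```

Run it with `php check-config.php` on the host that will serve the site; the relying-party check is the one that matters most, because a value that is not the site's own domain (or a parent of it) will be rejected by every browser regardless of what GreenRADIUS is configured with.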
Updated 2023-05-26
© 2023 Green Rocket Security Inc. All rights reserved.