Deploying FIDO2 with GreenRADIUS for PHP-powered websites

Prerequisites

  • A web application that can run PHP code and is served over HTTPS with a valid certificate (browsers only expose the WebAuthn API on secure origins)
  • PHP 7.3.27 or later
  • GreenRADIUS v5.1.2.2 or later

Configuration Instructions

  1. Download and unzip the FIDO2 relying party installation package.
  2. The module is divided into two sections. One is written in JavaScript and runs in the client's browser; the other is written in PHP and runs server-side. They are stored in the js/ and php/ subdirectories, respectively, of the installation package. Both need to be installed in your web application; the exact location and configuration depend on your specific web server. In this guide, the location of the PHP modules is referred to as $PHPCLIENT and the location of the JavaScript modules as $JSCLIENT.
  3. On the server, create the log file and make it writable by the web server account. Run the following commands as root (www-data is the web server user on Debian and Ubuntu; substitute the account your web server actually runs as):
    1. touch /var/log/fido2.log
    2. chown www-data:root /var/log/fido2.log
  4. Configure $PHPCLIENT/config.php with the following settings:
    1. server: IP address/hostname of the GreenRADIUS server to authenticate against.
    2. relying-party: A valid domain string that identifies the FIDO2 relying party (e.g. fido2demo.com). This must be the domain of the site the users log in to, or a parent domain of it, since browsers reject a relying party ID that does not match the page origin. The same identifier will have to be configured on the GreenRADIUS FIDO2 server.
    3. client-id: A unique identifier for this particular client. The same ID must be configured in GreenRADIUS and cannot be shared by any other client.
    4. shared-secret: A shared secret key that authenticates the client module to GreenRADIUS. The same secret must also be configured in GreenRADIUS. Because it is stored in config.php, make sure that file is never served to browsers and is readable only by the web server account.
  5. In GreenRADIUS, go to Global Configuration > Client-Based Authentication Policies and select Add a New Client.
  6. Populate the new client with the same client ID, shared secret, and relying party identifier as in the $PHPCLIENT/config.php file. Set the client type to FIDO2_Web_API, and configure the other settings as preferred.
  7. You can now begin to develop your application. To help with this, a minimal example site is provided as part of the installation package in the demosite/ directory. To deploy the demo site, place the $JSCLIENT files in the same directory as the demo site, and place the $PHPCLIENT files so that auth.php is reachable at the /mgmt-api/ path on the server. You may need to make adjustments depending on your particular configuration.
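The following script is an added example and is not part of the GreenRADIUS package or the demo site. It checks the four config.php values from step 4 before you deploy: that none is empty, that the relying-party identifier is a syntactically valid domain that matches the host users will visit, that the shared secret is not trivially short, and that the config file itself is not world-readable. The page does not show how config.php stores its values, so the $settings array, the function names and the sample values (for a site assumed to be served at https://login.fido2demo.com) are all constructed for this example; adapt the loader to however your config.php exposes them.

```php
<?php
// Added example, not GreenRADIUS code: pre-deployment checks for the
// config.php settings described in step 4. Function names, the $settings
// array layout and the sample values below are assumptions.
declare(strict_types=1);

/**
 * True when $rpId is a valid DNS name and $host (the origin the browser
 * talks to) equals it or is a subdomain of it. WebAuthn requires the RP ID
 * to be the origin's effective domain or a registrable suffix of it. This
 * check does not consult the public suffix list, so values such as "com"
 * or "co.uk" must still be rejected by hand.
 */
function fido2_rpid_matches_host(string $rpId, string $host): bool
{
    $rpId = strtolower(rtrim($rpId, '.'));
    $host = strtolower(rtrim($host, '.'));
    // The RP ID never carries a port; drop one from the host if present.
    $host = preg_replace('/:\d+$/', '', $host) ?? $host;

    // IP literals are not valid RP IDs.
    if (filter_var($rpId, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Hostname syntax: two or more labels of letters, digits and hyphens.
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match("/^($label\\.)+$label\$/", $rpId)) {
        return false;
    }
    $suffix = '.' . $rpId;
    return $host === $rpId
        || (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix);
}

/**
 * Validate the step 4 settings and return a list of problems; an empty
 * list means the values look deployable.
 */
function fido2_check_settings(array $settings, string $siteHost): array
{
    $problems = [];
    foreach (['server', 'relying-party', 'client-id', 'shared-secret'] as $key) {
        if (!isset($settings[$key]) || trim((string) $settings[$key]) === '') {
            $problems[] = "missing value for '$key'";
        }
    }
    if ($problems !== []) {
        return $problems;
    }
    if (!fido2_rpid_matches_host($settings['relying-party'], $siteHost)) {
        $problems[] = "relying-party '{$settings['relying-party']}' does not match origin host '$siteHost'";
    }
    // 16 characters is an arbitrary floor chosen for this example; use a
    // long random value generated for this client.
    if (strlen($settings['shared-secret']) < 16) {
        $problems[] = 'shared-secret is shorter than 16 characters';
    }
    $server = $settings['server'];
    if (filter_var($server, FILTER_VALIDATE_IP) === false
        && !preg_match('/^[a-z0-9.-]+$/i', $server)) {
        $problems[] = "server '$server' is neither an IP address nor a hostname";
    }
    return $problems;
}

/** True when $path exists and grants no permissions to "other" users. */
function fido2_config_file_is_private(string $path): bool
{
    return is_file($path) && (fileperms($path) & 0007) === 0;
}

// Constructed sample values for a site served at https://login.fido2demo.com.
$settings = [
    'server'        => 'greenradius.example.internal',
    'relying-party' => 'fido2demo.com',
    'client-id'     => 'php-web-01',
    'shared-secret' => 'replace-with-a-long-random-secret',
];
foreach (fido2_check_settings($settings, 'login.fido2demo.com') as $problem) {
    fwrite(STDERR, "config problem: $problem\n");
}
$configPath = __DIR__ . '/config.php'; // assumed location of $PHPCLIENT/config.php
if (!fido2_config_file_is_private($configPath)) {
    fwrite(STDERR, "warning: $configPath is missing or readable by other users\n");
}
```

Run it from the $PHPCLIENT directory with the PHP CLI before pointing the web server at the module; a relying-party value such as evil-fido2demo.com is rejected because the suffix match requires a dot boundary, while login.fido2demo.com and fido2demo.com both pass for the sample host.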
Updated 2023-06-10
© 2024 Green Rocket Security Inc. All rights reserved.