Deploying FIDO2 with GreenRADIUS for PHP-powered websites

Prerequisites

  • A web application which supports PHP integration and has a valid certificate installed
  • PHP 7.3.27 or later
  • GreenRADIUS v5.1.2.2 or later

Multiple Relying Parties

Starting with version 5.2.6.6, GreenRADIUS offers support for multiple FIDO2 relying parties. For each relying party, follow the instructions below to set it up and configure it.

Configuration Instructions

  1. Download and unzip the FIDO2 relying party installation package.
  2. The module is divided into two sections. One is written in JavaScript and runs in the client's browser; the other is written in PHP and runs server-side. These are stored in the js/ and php/ subdirectories, respectively, of the installation package. Both need to be installed in your web application; the exact location and configuration depend on your specific web server. In this guide, the location of the PHP modules will be referred to as $PHPCLIENT and the location of the JavaScript modules as $JSCLIENT.
  3. On the server, run the following commands as root:
    1. touch /var/log/fido2.log
    2. chown www-data:root /var/log/fido2.log
  4. Configure the $PHPCLIENT/config.php. The following should be configured:
    1. server: IP address/hostname of the GreenRADIUS server to authenticate against.
    2. relying-party: A valid domain string that identifies the FIDO2 relying party (e.g. fido2demo.com). The same identifier will have to be configured on the GreenRADIUS FIDO2 server.
    3. client-id: A unique identifier for this particular client. The same ID must be configured in GreenRADIUS and cannot be shared by any other client.
    4. shared-secret: A shared secret key to authenticate the client module with GreenRADIUS. The same secret must also be configured in GreenRADIUS.
  5. In GreenRADIUS, go to Global Configuration > Client-Based Authentication Policies and select Add a New Client.
  6. Populate the new client with the same client ID, shared secret, and relying party identifier as in the $PHPCLIENT/config.php file. Set the client type to FIDO2_Web_API, and configure the other settings as preferred.
  7. You can now begin to develop your application. To help with this, a minimal example site has been provided as part of the installation package in the demo-site/ directory. To deploy the demo site, place the $JSCLIENT files into the same directory as the demo site, and place the $PHPCLIENT files so that auth.php is accessible at the /mgmt-api/ path on the server. You may need to make adjustments depending on your particular configuration.

More details about the GreenRADIUS FIDO2 token registration and authentication processes plus integration with a web application can be found in this integration guide.

Note

The FIDO2 relying party support on GreenRADIUS allows the relying party (that is, the server side of your web application) to register new FIDO2 tokens to a user, even if Single Factor is disabled for that user and a key is already present. Care must be taken, therefore, to write your server application to prohibit this unless you have already verified the user's identity through another token.
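One way to enforce the requirement in the note above on the server side, as an added example that is not code from the GreenRADIUS package or its demo site: a gate that refuses a registration request unless the logged-in user has just re-verified with an existing token. The session key names (user, step_up_verified_at, step_up_method), the five-minute step-up window and the first-enrollment policy are assumptions of this example; the call into the $PHPCLIENT registration code is left to the caller after the gate returns status 200.

```php
<?php
// Added example, not part of the GreenRADIUS FIDO2 package. It shows a server-side
// gate placed in front of FIDO2 token registration so that a new authenticator can
// only be enrolled for a user whose identity was just verified with a token they
// already hold. Session key names and the time window below are assumptions.
declare(strict_types=1);

const STEP_UP_MAX_AGE = 300; // seconds a step-up verification stays valid (assumption)

/**
 * Return null when the registration may proceed, otherwise a short refusal reason.
 *
 * $session            the server-side session of the caller (constructed in this example)
 * $requestedUser      the username named in the request body
 * $hasExistingToken   whether the account already has at least one registered token
 * $now                current Unix time
 */
function registrationDenialReason(array $session, string $requestedUser,
                                  bool $hasExistingToken, int $now): ?string
{
    if (empty($session['user'])) {
        return 'not logged in';
    }
    // Enroll only for the session user; never trust a username from the request body.
    if (!hash_equals((string) $session['user'], $requestedUser)) {
        return 'user mismatch';
    }
    // First enrollment for an account with no token yet follows the application's
    // own onboarding policy; here a logged-in session is considered sufficient.
    if (!$hasExistingToken) {
        return null;
    }
    // An existing token means the user must have just proven possession of it.
    $verifiedAt = $session['step_up_verified_at'] ?? null;
    if (!is_int($verifiedAt) || $now - $verifiedAt > STEP_UP_MAX_AGE) {
        return 'second factor not verified recently';
    }
    $method = $session['step_up_method'] ?? '';
    if (!in_array($method, ['fido2', 'otp'], true)) {
        return 'unsupported verification method';
    }
    return null;
}

/**
 * Minimal request handler shape: returns an HTTP status and a response body.
 * On 200 the caller invokes the registration code shipped in $PHPCLIENT for
 * $session['user']; on 403 nothing from the request reaches that code.
 */
function handleRegistrationRequest(array $session, array $post,
                                   bool $hasExistingToken, int $now): array
{
    $requested = (string) ($post['username'] ?? '');
    $reason = registrationDenialReason($session, $requested, $hasExistingToken, $now);
    if ($reason !== null) {
        // Refusals are worth logging: repeated ones for one account are a signal.
        error_log("fido2 registration refused for '$requested': $reason");
        return ['status' => 403, 'body' => ['error' => 'registration not permitted']];
    }
    return ['status' => 200, 'body' => ['user' => $session['user'], 'proceed' => true]];
}

// Constructed sessions exercising the gate.
$now = time();
$fresh = ['user' => 'alice', 'step_up_verified_at' => $now - 30,   'step_up_method' => 'otp'];
$stale = ['user' => 'alice', 'step_up_verified_at' => $now - 3600, 'step_up_method' => 'otp'];
$cases = [
    'fresh step-up, same user, has token'   => [$fresh, ['username' => 'alice'], true],
    'stale step-up, same user, has token'   => [$stale, ['username' => 'alice'], true],
    'fresh step-up, other user in body'     => [$fresh, ['username' => 'bob'],   true],
    'no step-up, first enrollment'          => [['user' => 'alice'], ['username' => 'alice'], false],
    'anonymous request'                     => [[], ['username' => 'alice'], true],
];
foreach ($cases as $label => [$session, $post, $hasToken]) {
    $result = handleRegistrationRequest($session, $post, $hasToken, $now);
    printf("%-40s -> HTTP %d\n", $label, $result['status']);
}
```

The gate keys on the session user rather than on the posted username, and it distinguishes first enrollment from adding a token to an account that already has one; only the latter case is what the note warns about, since the relying party will accept the registration regardless of the user's Single Factor setting.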

Updated 2024-06-12
© 2024 Green Rocket Security Inc. All rights reserved.