BCDevOps / platform-services

Collection of platform related tools and configurations
Apache License 2.0

2FA for Aporeto Control Panel Access #174

Closed mitovskaol closed 5 years ago

mitovskaol commented 5 years ago

Authentication to the Aporeto Orchestration Console at https://console.aporeto.com needs to be stepped up with 2nd factor authentication.

Currently all gov users with access to /bcgov namespace in Aporeto use KeyCloak SSO with federated identities from IDIR (employees) and GitHub (contractors). At this moment KeyCloak supports Google Authenticator and FreeOTP mobile apps only.

The "OTP Form" step has been added as REQUIRED to the authentication flow for the Aporeto client in KeyCloak PROD, however, for some reason, the OTP Form step is NOT enforced: a user gets redirected to the Aporeto Console once they have been successfully authenticated with their identity providers (IDIR or GitHub). This needs to be troubleshot further.

stewartshea commented 5 years ago

Just tested with dev successfully... technically this is 3FA if you already perform 2FA on a GitHub account ;)

ShellyXueHan commented 5 years ago

@stewartshea yes, it's redundant for a GitHub account with 2FA. Can probably make it simpler if we could limit to only the GitHub identity provider and let the GitHub org membership enforce 2FA. However, it looks like IDIR was required for the login, then we do need the OTP for it. You can remove OTP from the GitHub IdP, but then there's still no check to make sure all GitHub users have 2FA.

stewartshea commented 5 years ago

All good @ShellyXueHan I don't mind the extra step ;) Even ever more super secure

ShellyXueHan commented 5 years ago

Updates: There will only be the GitHub identity provider and we will be relying on the 2FA from GitHub. For now, GitHub users that do not belong to the bcdevops GitHub organization will be blocked on Aporeto (seeing nothing). This flow should satisfy the security requirements. To improve the user experience, unauthorized users will be redirected to another page. This work will be captured in another ticket: #306

mitovskaol commented 5 years ago

UPDATE: Successfully tested the access to the Aporeto console via KeyCloak PROD using GitHub. GitHub has been set as the only identity provider for the new Security realm created in KeyCloak, and the Aporeto client is part of the new realm.

KeyCloak relies on GitHub for the 2FA and after a successful authentication checks that the user is a member of BCDevOps organization in GitHub. BCDevOps org in GitHub mandates its members to have the 2FA enabled on their account.

If the user authenticated successfully with GitHub but is NOT a member of BCDevOps, they will be redirected to the "Access denied" page.

Closing the issue.
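The access decision the thread converges on (GitHub as the only identity provider, org membership as the authorization gate, 2FA delegated to the org's own mandate, Keycloak OTP kept only when that mandate is absent) is modelled below as an added, offline example. It is not code from this issue or from the BCDevOps repository; the organization names, usernames and 2FA flags are constructed sample data, and `lookup_member`, `decide_access` and `members_without_2fa` are hypothetical helpers. The GitHub endpoints named in the comments are the real ones a production implementation would call in place of the in-memory tables.

```python
"""Offline model of the Aporeto console access flow discussed above.

Constructed data stands in for two GitHub API calls:
  GET /orgs/{org}/members/{username}            -> 204 if member, 404 if not
  GET /orgs/{org}/members?filter=2fa_disabled   -> members lacking 2FA (org owners only)
"""

from dataclasses import dataclass
from typing import Optional

REQUIRED_IDP = "github"     # the realm accepts this identity provider only
REQUIRED_ORG = "bcdevops"   # constructed stand-in for the BCDevOps org

# Constructed sample membership table with a per-member 2FA flag.
ORG_MEMBERS = {
    "bcdevops": {
        "alice": {"two_factor": True},
        "bob": {"two_factor": True},
        "carol": {"two_factor": False},  # would be caught by the audit below
    }
}


@dataclass(frozen=True)
class Identity:
    """What the IdP broker knows after federated login."""
    idp: str
    username: str
    otp_verified: bool = False  # whether Keycloak's own OTP Form step passed


@dataclass(frozen=True)
class Decision:
    outcome: str           # "allow", "deny" or "otp_required"
    reason: str
    redirect: Optional[str] = None


def lookup_member(org: str, username: str) -> Optional[dict]:
    """Stand-in for GET /orgs/{org}/members/{username} (204 vs 404)."""
    return ORG_MEMBERS.get(org, {}).get(username)


def decide_access(identity: Identity, org_mandates_2fa: bool = True) -> Decision:
    """Authorization gate for the Aporeto client.

    org_mandates_2fa models the GitHub org setting that requires 2FA of
    every member; when it is on, GitHub has already performed the second
    factor and Keycloak's OTP step is redundant. When it is off, the OTP
    step must stay REQUIRED, otherwise the realm has no second factor at all.
    """
    if identity.idp != REQUIRED_IDP:
        return Decision("deny", f"identity provider {identity.idp!r} not allowed",
                        redirect="/access-denied")

    if lookup_member(REQUIRED_ORG, identity.username) is None:
        return Decision("deny", f"{identity.username!r} is not a member of {REQUIRED_ORG!r}",
                        redirect="/access-denied")

    if not org_mandates_2fa and not identity.otp_verified:
        return Decision("otp_required", "org does not enforce 2FA; Keycloak OTP step required")

    return Decision("allow", "GitHub login, org member, second factor satisfied")


def members_without_2fa(org: str) -> list:
    """Stand-in for GET /orgs/{org}/members?filter=2fa_disabled.

    This is the check the thread notes was missing once the OTP step is
    removed: it only has teeth if the org setting actually blocks such
    accounts, so it belongs in a periodic audit rather than the login path.
    """
    return sorted(name for name, attrs in ORG_MEMBERS.get(org, {}).items()
                  if not attrs["two_factor"])


if __name__ == "__main__":
    for ident in (Identity("github", "alice"), Identity("github", "dave"),
                  Identity("idir", "alice")):
        d = decide_access(ident)
        print(f"{ident.idp}/{ident.username}: {d.outcome} ({d.reason})")
    print("members lacking 2FA:", members_without_2fa(REQUIRED_ORG))
```

Swapping `decide_access(..., org_mandates_2fa=False)` shows why the OTP step could only be dropped after the org-level 2FA requirement was in place: without it, the same member login must be sent to the OTP form instead of straight to the console.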