Open nixklai opened 1 year ago
Thanks for the request @nixklai. Possible something we look to do when we add the next MFA option (Maybe #3912). At that point, we'd probably want to provide control of MFA options to users, so could disable MFA setup if admin has configured no MFA options to be available.
Easiest/safest route to take would probably be to prevent new MFA registration/setup via this, rather than toggle entire MFA availability on/off. Avoids core conditional auth logic and keeps some flexibility of enabling MFA for core/important accounts before making it unavailable, with the impact being some potential pain to existing MFA environments where full disabling is required, but there are other options for dealing with that one-time case (DB lookup & de-activation via CLI).
I'm facing this issue also. As an admin I'm setting up SSO for my users on a Synology NAS using the built-in app Synology SSO Server to serve the SSO to my users.
I've successfully managed to set up SAML for my existing BookStack users; the only problem I'm facing now is the double 2FA/MFA for the users.
In the standard method, 2FA/MFA was already enabled for the users, and now with the SSO migration every user needs to authenticate the MFA twice.
As this is an old post, I was wondering if there is already a solution for this?
@BobWs There's a command to reset user MFA: https://www.bookstackapp.com/docs/admin/commands/#reset-user-mfa-methods
You could export the user list (API, Database, Scrape UI) to then batch that for each user.
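One way an admin could batch the reset command over an exported user list, as an added example that is not from the issue thread or the BookStack project. It assumes the `--email=<address>` option of `php artisan bookstack:reset-mfa` as described in the linked docs, an install path in `BOOKSTACK_DIR`, and a constructed sample export file; by default it only prints the commands so the batch can be reviewed before anything is executed.

```shell
#!/bin/sh
# Added example (not from the issue thread or the BookStack project): batch the
# documented reset-mfa command over an exported list of user emails.
# Assumptions: BookStack's `php artisan bookstack:reset-mfa --email=<addr>`
# option as described in the linked docs, and the install path in BOOKSTACK_DIR.

BOOKSTACK_DIR="${BOOKSTACK_DIR:-/var/www/bookstack}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; set to 0 to execute them

# Constructed sample export: one email per line, including a malformed entry
# to show that bad rows are skipped rather than passed to the CLI.
EMAILS_FILE="${TMPDIR:-/tmp}/bookstack-mfa-users.txt"
printf 'alice@example.com\nnot-an-email\nbob@example.com\n' > "$EMAILS_FILE"

# Loose sanity check so only address-shaped strings reach the command line.
valid_email() {
    case "$1" in
        *[!A-Za-z0-9.@_+-]*) return 1 ;;   # reject shell-significant characters
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reset MFA for every valid email in the file. Sets RESET_COUNT to the number
# of users processed so callers can verify the batch size.
reset_mfa_batch() {
    file="$1"
    RESET_COUNT=0
    while IFS= read -r email || [ -n "$email" ]; do
        [ -z "$email" ] && continue
        if ! valid_email "$email"; then
            printf 'skipping malformed entry: %s\n' "$email" >&2
            continue
        fi
        RESET_COUNT=$((RESET_COUNT + 1))
        if [ "$DRY_RUN" = "1" ]; then
            printf 'php artisan bookstack:reset-mfa --email=%s\n' "$email"
        else
            (cd "$BOOKSTACK_DIR" && php artisan bookstack:reset-mfa --email="$email")
        fi
    done < "$file"
}

reset_mfa_batch "$EMAILS_FILE"
```

Run it once with the default dry run to inspect the generated commands, then with `DRY_RUN=0` from a shell that can reach the BookStack install; the malformed-row check matters because the list is typically produced by an export rather than typed by hand.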
I second this request. An ENV variable to deactivate 2FA would really be handy. There is some confusion in an SSO scenario when an additional 2FA prompt pops up.
Describe the feature you'd like
I think we should consider a "global kill switch" to disable 2FA.
This option should be limited to SSO-enabled BookStack instance.
Describe the benefits this would bring to existing BookStack users
This feature is intended to make life easier for BookStack admins.
For an SSO-enabled BookStack instance, admins may already enable MFA requirements at the SSO instead of BookStack. However, BookStack currently allows users to enable both, with no way to globally turn BookStack 2FA off, which causes nuisance to admins and confusion to users.
Case 1: An existing user may have enabled BookStack 2FA, and then enrolled into SSO MFA.
Case 2: A new user who enabled SSO MFA can also enable BookStack 2FA.
In both cases, users can encounter 2 MFA challenges. Also, having 2 pathways to "enable 2FA/MFA" may cause users to enable the wrong MFA mechanism.
Can the goal of this request already be achieved via other means?
No. The BookStack 2FA mechanism cannot be disabled by admins.
Have you searched for an existing open/closed issue?
How long have you been using BookStack?
0 to 6 months
Additional context
No response