Closed gooseleggs closed 1 year ago
When this occurs, the UI is getting an event that the identity is disconnected. We need to handle this event in the UI. I'm going to transfer this issue to the new UI project and we'll fix this in there.
@JeremyTellier when this happens the client will receive a "controller" event that looks like these:
{"Op":"controller","Action":"connected","Identifier":"...test_mfa.json","Fingerprint":"test_mfa"}
{"Op":"controller","Action":"disconnected","Identifier":"...test_mfa.json","Fingerprint":"test_mfa"}
When this happens, we should indicate that the identity is not connected to the controller. However, there are other bugs that I'll file for this, because right now the UI will get connected/disconnected events over and over from ziti-edge-tunnel.
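The event handling described in this comment, as an added example that is not part of the issue or the ziti-edge-tunnel/ZDEW code: it parses the "controller" event lines quoted above, keeps a per-identity connected flag keyed by Fingerprint, and only reports a UI-worthy change when the state actually flips, so the repeated connected/disconnected events the comment mentions do not re-trigger the UI. The sample event stream, the fallback to Identifier when Fingerprint is absent, and the seed method for the initial state are assumptions made here, not things the issue specifies.

```python
import json
from typing import Optional

# Constructed sample event stream: the two controller events quoted in the
# issue, each repeated to mimic the flapping the comment describes, plus a
# non-controller event and a malformed line that an IPC reader may also see.
SAMPLE_EVENTS = [
    '{"Op":"controller","Action":"connected","Identifier":"...test_mfa.json","Fingerprint":"test_mfa"}',
    '{"Op":"controller","Action":"connected","Identifier":"...test_mfa.json","Fingerprint":"test_mfa"}',
    '{"Op":"controller","Action":"disconnected","Identifier":"...test_mfa.json","Fingerprint":"test_mfa"}',
    '{"Op":"controller","Action":"disconnected","Identifier":"...test_mfa.json","Fingerprint":"test_mfa"}',
    '{"Op":"metrics","Identifier":"...test_mfa.json"}',
    'not json at all',
    '{"Op":"controller","Action":"connected","Identifier":"...test_mfa.json","Fingerprint":"test_mfa"}',
]


class ControllerStateTracker:
    """Tracks per-identity controller connectivity and reports only real changes."""

    def __init__(self) -> None:
        # fingerprint -> True (connected) / False (controller unavailable)
        self.connected: dict[str, bool] = {}

    def seed(self, fingerprint: str, connected: bool) -> None:
        """Set the initial state from the full status message received at
        launch (the shape of that message is not shown in the issue, so the
        caller extracts the flag; this method is an assumption)."""
        self.connected[fingerprint] = connected

    def handle_line(self, line: str) -> Optional[tuple[str, bool]]:
        """Feed one event line; return (fingerprint, connected) when the state
        changed, or None when the line is irrelevant, malformed, or a repeat."""
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            return None
        if not isinstance(event, dict) or event.get("Op") != "controller":
            return None
        action = event.get("Action")
        if action not in ("connected", "disconnected"):
            return None
        # Key the identity by Fingerprint; falling back to Identifier when it
        # is missing is an assumption, not behaviour the issue describes.
        key = event.get("Fingerprint") or event.get("Identifier")
        if not key:
            return None
        now_connected = action == "connected"
        if self.connected.get(key) == now_connected:
            return None  # repeated event: nothing for the UI to do
        self.connected[key] = now_connected
        return key, now_connected


def replay(lines) -> list[tuple[str, bool]]:
    """Run the tracker over a stream and collect the transitions the UI should
    act on (e.g. mark the identity as not connected to the controller)."""
    tracker = ControllerStateTracker()
    changes = []
    for line in lines:
        change = tracker.handle_line(line)
        if change is not None:
            changes.append(change)
    return changes


if __name__ == "__main__":
    for fingerprint, up in replay(SAMPLE_EVENTS):
        print(f"{fingerprint}: {'connected' if up else 'controller unavailable'}")
```

Running the sample stream yields three transitions (connected, disconnected, connected) out of seven lines; the duplicates, the metrics event and the malformed line are all dropped before they reach the UI.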
These will toggle off in 3.2.8 and show a prompt when trying to toggle on, but it doesn't look like you get a controller unavailable event at launch, so the status is kind of weird. Going to add another UI request to figure out controller state at launch.
When the UI connects or when the tunneler restarts, you'll get a single, large message with the whole status at launch, not a controller unavailable event.
So I have started to play around with Authentication policies, in particular 2FA enforcement. However, the UI could do with some improvement around the notification to the user of the requirement to enroll into 2FA.
Setup
MFA test identity, ZDEW client with MFA test identity loaded
Identity has a service listed against it (using the default authentication policy to start with)
2FA Authentication policy configured as follows:
Client is showing configured
2FA is NOT configured on the client for the identity
Can browse to the service
If I change the auth policy on the controller to MFA ENABLED, the client still shows one service is active, but I cannot now connect to the service, and there is no notification as to why (if I stop/start the client, then the identity is showing, but with 0 services).
What would be helpful would be if two things happened when an enforcement of 2FA is enabled to an identity:
a) The services count would drop to zero, as these are not available to you until enrollment (if not already enrolled) - perhaps disable the identity?
b) A popup would occur that said something like "Administrator requires 2FA to be enabled on <identity>. Until you enable this, services will not be available" - possibly with a link to configure it from the pop-up.
c) Maybe a red MFA symbol or something to symbolize that 2FA has not been enrolled.
d) If I disable, then enable the identity (if it is not disabled when 2FA policy enforced), then when I enable the identity, have a pop-up like in b) above.
Otherwise, like I was, the user is not aware of the reason why they cannot connect to said services, which causes calls to the service desk. Having the pop-up will reduce the friction of post-identity-enrollment enforcement of 2FA.