Open brimdor opened 3 years ago
Hi @brimdor, maybe LDAP can help?
I'm sure LDAP works fine in general; however, I use SAML SSO in the environment where I'm trying to implement this.
SAML or OIDC (OpenID Connect) would be amazing. Really convenient as the SSO provider will handle 2FA instead of having to code that into this app.
Or... since this project recommends nginx for SSL support anyway, why not support passing user creds from nginx? I am running an nginx proxy as a docker container in front of the semaphore container. I have nginx prompting for username/pass and on some of my other containers that support web auth it just passes that through (phpIPAM and mediawiki for example). Currently the nginx does the authentication against my LDAPS servers, and when the time comes to get that working with smartcard, I only have to reconfigure nginx.
@KenK73 indeed just trusting the remote user name in REMOTE_USER would be good. I use Apache with mod_auth_openidc to handle authentication with OpenID Connect here.
Hi @KenK73, @hmoffatt. How can it be implemented?
Apache will handle the authentication and provide the username in an HTTP header.
The admin will need to configure Apache to pass the username in a header. See https://renaudmarti.net/posts/make-apache-proxy-remote-user-to-backend/ for example.
Then the app would skip the login page and use the username from the header.
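Added example, not part of the thread or of Semaphore's code: a Go sketch of the backend side of the header approach described above, which accepts the username header only when the TCP peer is the reverse proxy. The header name `X-Remote-User`, the proxy address and the function name `proxyUser` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Hypothetical header name; use whatever the proxy is configured to send.
const userHeader = "X-Remote-User"

var errUntrusted = errors.New("identity header from untrusted peer")
var errNoUser = errors.New("proxy sent no single username")

// proxyUser returns the username asserted by the reverse proxy. The header is
// honoured only when the connection comes from the proxy itself; from any
// other peer it is client-controlled input and the request is rejected.
func proxyUser(r *http.Request, proxy *net.IPNet) (string, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", err
	}
	peer := net.ParseIP(host)
	if peer == nil || !proxy.Contains(peer) {
		return "", errUntrusted
	}
	// Require exactly one value: a duplicate means the proxy forwarded a
	// client-supplied copy instead of overwriting it.
	vals := r.Header.Values(userHeader)
	if len(vals) != 1 || strings.TrimSpace(vals[0]) == "" {
		return "", errNoUser
	}
	return strings.TrimSpace(vals[0]), nil
}

func main() {
	_, proxy, _ := net.ParseCIDR("172.18.0.2/32") // constructed proxy address
	// Constructed requests: one from the proxy, one direct from a client.
	for _, peer := range []string{"172.18.0.2:41000", "203.0.113.9:5555"} {
		r, _ := http.NewRequest("GET", "/api/projects", nil)
		r.RemoteAddr = peer
		r.Header.Set(userHeader, "alice")
		user, err := proxyUser(r, proxy)
		fmt.Printf("peer=%s user=%q err=%v\n", peer, user, err)
	}
}
```

The proxy must also overwrite or strip any incoming copy of the header, and the backend port should not be reachable except through the proxy.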
@fiftin I could give it a try at implementing 2FA (TOTP) for non-LDAP users.
If it were closer to Christmas, I would be asking for SAML support instead, so someone could use their chosen IDP (like Ping Federate) to bring SSO and 2FA support to this app.
-Ken K
On Jul 4, 2022, at 6:03 PM, Weilbyte @.***> wrote:
@fiftin I could give it a try at implementing 2FA (TOTP) for non-LDAP users.
@KenK73 what SAML provider do you use?
Are you asking about the IDP? Ping Federate is what we've started rolling out. Maybe I don't understand what you are asking. I am not well versed in SAML just yet, I just see it working pretty well on our other apps that support it.
+1 on the SSO implementation. It's a lot cleaner and more secure than LDAP. Please and thank you!
OpenID Connect would be good too (preferable to SAML).
+1 would be really good
+1 would be really really good
+1 on the SSO implementation. Even being able to authenticate users with GitHub would be incredible. (Similar to how AWX does it)
2FA is needed
Use OpenID Connect and let your IDP do 2FA.
IMHO this issue can get closed. It is possible to enable 2FA on an OIDC/OAuth2 provider. There are much more important features or fixes than building your own 2FA mechanism for local or LDAP users.
It currently uses basic auth with its own user management. What about incorporating 2 factor authentication? Building out users and allowing access via their enterprise authentication?