uselagoon / lagoon

Lagoon, the developer-focused application delivery platform
https://docs.lagoon.sh/
Apache License 2.0

Feature request - Multi-factor authentication for everyone (MFA) #3383

Open christopher-hopper opened 1 year ago

christopher-hopper commented 1 year ago

Multi-factor authentication should be available for all accounts using the Lagoon platform.

Developer and engineer access credentials are a prized target. Would it be possible to raise the floor on the minimum allowed security settings to enforce MFA across all Lagoon accounts?

tobybellwood commented 1 year ago

The MFA requirements would technically be handled by Keycloak, not the UI. In the next release, we will be making user accounts accessible via the UI (#95). We'll have to do some researching/documenting on how Keycloak should enforce MFA (and whether these enforcements can be applied selectively).

christopher-hopper commented 1 year ago

Update: Multi-factor authentication is now available on Lagoon

Looks like the last release of Amazee.io's Lagoon has surfaced the ability to change a password, set up multi-factor authentication, and see linked federated login sources (uselagoon/lagoon-ui#95). This is a huge step forward, allowing people to now self-manage their account and use multi-factor auth.

The feature request to provide enforced MFA for accounts, as a control or security policy, remains in this request. I might update the title and description to reflect that.

tobybellwood commented 1 year ago

Enforcing MFA is preferably done outside of Lagoon core to minimise complication - Keycloak fully supports it, and the configuration lives outside of the config files that Lagoon loads.

Any Lagoon administrator can set up the appropriate MFA workflow, and potentially choose how to apply it (and who to). If you're, for example, an amazee.io customer, it would be worth logging a support ticket with their support team to see whether MFA can be enabled for select accounts.

shreddedbacon commented 11 months ago

We generally think modifying keycloak outside of Lagoon is a bad idea. We should look at a way to configure these options as part of Lagoon properly before abandoning the idea entirely.

At the moment, because this is quite a complex thing to do (an example of how it could be done is here), it may not be straightforward to implement, but it would be good to explore how this could be done either in our startup script or through some other method that is more supportable.

Being able to manage these configurations inside of Helm somehow is better than manually adjusting.
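Added example (not Lagoon or Keycloak project code, and not part of this thread): a small, idempotent script of the kind a startup job could run against the Keycloak Admin REST API to make authenticator (TOTP) enrolment mandatory. It illustrates the two points raised above, tobybellwood's note that enforcement lives in Keycloak rather than in Lagoon core, and shreddedbacon's suggestion of doing it from a startup script instead of by hand. The `CONFIGURE_TOTP` required action, the `required-actions`, `users` and `credentials` admin endpoints and the `admin-cli` password grant are real Keycloak interfaces; the Keycloak URL, the realm name `lagoon` and the `http_json` transport are assumptions for this example. The caveat worth knowing: setting `defaultAction` on a required action only affects users created afterwards, so existing accounts have to get the action attached individually, skipping anyone who already has an OTP credential.

```python
"""Enforce TOTP enrolment in a Keycloak realm via the Admin REST API.

Added example, not Lagoon code. Assumes a reachable Keycloak with an
admin-cli password grant; URL and realm below are placeholders.
"""
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://keycloak.example.invalid"  # placeholder, not a real host
REALM = "lagoon"                                   # assumed realm name
TOTP_ACTION = "CONFIGURE_TOTP"                     # built-in Keycloak required action alias


def http_json(method, path, body=None, token=None, form=None):
    """Minimal stdlib transport: JSON or form body in, parsed JSON (or None) out."""
    headers, data = {}, None
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(KEYCLOAK_URL + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(username, password, request=http_json):
    """Obtain an admin access token with the admin-cli password grant (master realm)."""
    tok = request("POST", "/realms/master/protocol/openid-connect/token",
                  form={"grant_type": "password", "client_id": "admin-cli",
                        "username": username, "password": password})
    return tok["access_token"]


def enforce_totp_for_new_users(token, request=http_json):
    """Enable CONFIGURE_TOTP and mark it as a default action so every user
    created from now on must enrol an authenticator at first login.
    Idempotent: returns False when the realm was already configured."""
    actions = request("GET", f"/admin/realms/{REALM}/authentication/required-actions", token=token)
    current = next(a for a in actions if a["alias"] == TOTP_ACTION)
    if current.get("enabled") and current.get("defaultAction"):
        return False
    updated = dict(current, enabled=True, defaultAction=True)
    request("PUT", f"/admin/realms/{REALM}/authentication/required-actions/{TOTP_ACTION}",
            body=updated, token=token)
    return True


def enforce_totp_for_existing_users(token, request=http_json, page_size=100):
    """defaultAction does not touch pre-existing accounts, so walk the user list
    and attach CONFIGURE_TOTP to anyone who has neither the pending action nor
    an OTP credential already. Returns the usernames that were changed."""
    changed, first = [], 0
    while True:
        users = request("GET", f"/admin/realms/{REALM}/users?first={first}&max={page_size}", token=token)
        if not users:
            return changed
        for u in users:
            pending = u.get("requiredActions", [])
            if TOTP_ACTION in pending:
                continue  # will be prompted at next login already
            creds = request("GET", f"/admin/realms/{REALM}/users/{u['id']}/credentials", token=token)
            if any(c.get("type") == "otp" for c in creds):
                continue  # already enrolled; do not force a re-enrolment
            body = dict(u, requiredActions=pending + [TOTP_ACTION])
            request("PUT", f"/admin/realms/{REALM}/users/{u['id']}", body=body, token=token)
            changed.append(u["username"])
        first += page_size


if __name__ == "__main__":
    # Credentials come from the environment so nothing sensitive sits in the script.
    tok = admin_token(os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    print("realm default updated:", enforce_totp_for_new_users(tok))
    print("users now required to enrol:", enforce_totp_for_existing_users(tok))
```

Because both functions take the transport as a parameter, the same code can be exercised against a fake Keycloak in tests and run for real from a startup job; running it twice is safe, which is what makes it suitable for a Helm hook or init container rather than a one-off manual change.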