
Request to add 2FA and/or SAML SSO support

Open · fleish opened this issue 4 years ago · 2 comments

Expected Behavior

It would be helpful if Polr could be set up to require a TOTP authenticator for user/admin access and/or to support SAML SSO, so that authentication/authorization/accounting could be handled outside of Polr.

Current Behavior

Currently Polr only offers local, username/password-based credentials for "non-public" features that require signup/login.

Possible Solution

Adding the ability to use an authenticator app (e.g. Authy or Google Authenticator) and/or a hardware-based token (e.g. YubiKey) for more secure authentication would be a good security practice. Currently, I am enforcing "2FA" by forcing users to connect via a VPN, and then I can limit access to the non-public side of Polr via a crude ACL in the web server config. Here is an example for NGINX:

    location / {
            # Crude ACL: only the trusted address (e.g. the VPN gateway) may reach
            # the authenticated side of Polr; everyone else gets 403 from nginx
            # before the request ever reaches PHP.
            # The regex is anchored to the start of the path so a public short
            # link whose slug merely contains "login" or "admin" is not blocked too.
            location ~ ^/(login|admin|signup|setup|lost_password) {
                    allow <TRUSTED_IP_ADDRESS>;
                    deny all;
                    try_files $uri $uri/ /index.php$is_args$args;
                    # rewrite ^/([a-zA-Z0-9]+)/?$ /index.php?$1;
            }
            # Public short-link redirects stay reachable from anywhere.
            try_files $uri $uri/ /index.php$is_args$args;
            # rewrite ^/([a-zA-Z0-9]+)/?$ /index.php?$1;
    }

Steps to Reproduce (for bugs)

N/A

Context

Not being able to require 2FA on a service that needs to be exposed to the public internet to function requires that other security measures be put in place to protect against possible unauthorized access.

Your Environment

  • Version or latest commit hash (git rev-parse HEAD): 2.2.0 release
  • Environment name and version (e.g. Chrome 39, PHP 7.0, etc): Ubuntu 18.04 LTS, PHP 7.2, NGINX

fleish · Jul 23 '20 00:07
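To make concrete what the requested "require a TOTP authenticator" step would have to do, here is an added example of RFC 6238 TOTP enrolment and verification in Python. It is example code written for this thread, not Polr's own code or a proposed patch; the issuer name "Polr", the account name and the `last_counter` replay bookkeeping are assumptions about how such a feature would be wired in. It goes slightly beyond the request: besides generating and checking codes it shows the `otpauth://` provisioning URI that authenticator apps scan, a clock-skew window, constant-time comparison, and rejection of a code that was already accepted.

```python
"""Minimal RFC 6238 TOTP enrolment and verification (example code for this
issue thread, not Polr's own code).  Issuer/account names are made up."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30     # seconds per time-step; what Google Authenticator/Authy assume
DIGITS = 6
WINDOW = 1    # accept codes from one step either side to absorb clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, at // step, digits)


def new_secret(nbytes: int = 20) -> str:
    """Fresh per-user secret, unpadded base32 as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret(b32_secret: str) -> bytes:
    """Undo the unpadded base32 encoding used in otpauth URIs."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return base64.b32decode(padded)


def provisioning_uri(b32_secret: str, account: str, issuer: str = "Polr") -> str:
    """otpauth:// URI rendered as a QR code at enrolment (issuer is assumed)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def verify(b32_secret: str, submitted: str, last_counter: int, at=None):
    """Return (ok, new_last_counter).

    Checks the submitted code against the current step and WINDOW steps either
    side using a constant-time compare, and refuses any step <= last_counter so
    a code captured from one login cannot be replayed while still valid.
    last_counter is the step of the last accepted code (-1 if none yet);
    persisting it per user is an assumption about the surrounding app.
    """
    if at is None:
        at = int(time.time())
    secret = decode_secret(b32_secret)
    current = at // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Enrolment: store b32 next to the user, show the URI as a QR code once.
    b32 = new_secret()
    print(provisioning_uri(b32, "alice@example.org"))
    # Login: user types the 6 digits their app shows for the current step.
    now = int(time.time())
    code = totp(decode_secret(b32), now)
    print("first use:", verify(b32, code, -1, now))
    print("replay:   ", verify(b32, code, now // STEP, now))
```

The RFC 6238 test vectors (ASCII secret `12345678901234567890`, SHA-1) give `287082` at T=59 and `081804` at T=1111111109 for six digits, which is a quick way to check an implementation against what an authenticator app will display.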

This would be a fantastic feature. We have been mulling over Azure AD integration via SAML for a while.

anjaneshbabu · Aug 04 '20 15:08

I agree this would be excellent to have. We might end up deprecating our Polr installation in favor of a commercial offering specifically for this feature. But the project also seems more or less abandoned, without any commits in 2 years.

taintedkernel · Aug 19 '20 19:08