
2 Factor Authentication

Open brimdor opened this issue 2 years ago • 14 comments

It currently uses basic auth with its own user management. What about incorporating 2 factor authentication? Building out users and allowing access via their enterprise authentication?

brimdor avatar Jul 24 '21 00:07 brimdor

Hi @brimdor, maybe LDAP can help?

fiftin avatar Aug 11 '21 17:08 fiftin

I'm sure LDAP works fine in general; however, I use SAML SSO in the environment where I'm trying to implement this.

brimdor avatar Aug 20 '21 16:08 brimdor

SAML or OIDC (OpenID Connect) would be amazing. Really convenient, as the SSO provider will handle 2FA instead of having to code that into this app.

nlvw avatar Sep 27 '21 22:09 nlvw

Or... since this project recommends nginx for SSL support anyway, why not support passing user creds from nginx? I am running an nginx proxy as a docker container in front of the semaphore container. I have nginx prompting for username/pass and on some of my other containers that support web auth it just passes that through (phpIPAM and mediawiki for example). Currently the nginx does the authentication against my LDAPS servers, and when the time comes to get that working with smartcard, I only have to reconfigure nginx.

KenK73 avatar Oct 15 '21 21:10 KenK73

@KenK73 indeed just trusting the remote user name in REMOTE_USER would be good. I use Apache with mod_auth_openidc to handle authentication with OpenID Connect here.

hmoffatt avatar Jan 13 '22 23:01 hmoffatt

Hi @KenK73, @hmoffatt, how can it be implemented?

fiftin avatar Jan 14 '22 08:01 fiftin

Apache will handle the authentication and provide the username in an HTTP header.

The admin will need to configure Apache to pass the username in a header. See https://renaudmarti.net/posts/make-apache-proxy-remote-user-to-backend/ for example.

Then the app would skip the login page and use the username from the header.

hmoffatt avatar Jan 14 '22 08:01 hmoffatt
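The reverse-proxy approach described in the last few comments (Apache or nginx authenticates, then forwards the user name in a request header) is only safe if the app accepts that header from the proxy alone: any client that can reach the backend directly could otherwise set `X-Remote-User` itself. The following is an added illustration, not code from the Semaphore project or from anyone in this thread. It assumes a header name of `X-Remote-User` and a configured list of trusted proxy addresses; both are example values.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// Errors returned when a header-supplied identity must not be trusted.
var (
	ErrUntrustedProxy = errors.New("request did not arrive from a trusted proxy")
	ErrNoUser         = errors.New("trusted proxy did not supply a user name")
)

// HeaderAuth accepts an authenticated user name from a request header, but only
// when the TCP peer is one of the configured proxy networks.
type HeaderAuth struct {
	Header         string       // e.g. "X-Remote-User" (assumed header name)
	TrustedProxies []*net.IPNet // peers allowed to assert identities
}

// NewHeaderAuth parses the trusted proxy CIDRs; an unparsable CIDR is an error
// rather than a silently empty (fail-open) list.
func NewHeaderAuth(header string, cidrs ...string) (*HeaderAuth, error) {
	h := &HeaderAuth{Header: header}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		h.TrustedProxies = append(h.TrustedProxies, n)
	}
	return h, nil
}

// fromTrustedProxy checks the actual TCP peer address (never a forwarded
// header, which the client controls) against the allow-list.
func (h *HeaderAuth) fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present; treat the whole string as the host
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range h.TrustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Authorize returns the user name asserted by the proxy, or an error when the
// peer is not trusted or the header is empty. Kept separate from net/http so it
// can be exercised directly.
func (h *HeaderAuth) Authorize(remoteAddr, headerValue string) (string, error) {
	if !h.fromTrustedProxy(remoteAddr) {
		return "", ErrUntrustedProxy
	}
	user := strings.TrimSpace(headerValue)
	if user == "" {
		return "", ErrNoUser
	}
	return user, nil
}

// Middleware rejects requests whose identity cannot be trusted and otherwise
// hands the user name to the next handler via a request header it controls.
func (h *HeaderAuth) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, err := h.Authorize(r.RemoteAddr, r.Header.Get(h.Header))
		if err != nil {
			log.Printf("rejected %s: %v", r.RemoteAddr, err) // detection signal
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
		_ = user // a real app would attach the user to the request context
	})
}

func main() {
	// Constructed configuration: only the loopback proxy may assert identities.
	auth, err := NewHeaderAuth("X-Remote-User", "127.0.0.1/32")
	if err != nil {
		log.Fatal(err)
	}
	hello := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello, %s\n", r.Header.Get(auth.Header))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", auth.Middleware(hello)))
}
```

The decisive check is on `r.RemoteAddr`, the real TCP peer, not on any forwarded header. On the proxy side the header must be set unconditionally (Apache `RequestHeader set`, nginx `proxy_set_header`) so that a value a browser sends is overwritten rather than passed through, and the backend should listen only on an interface the proxy can reach.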

@fiftin I could give it a try at implementing 2FA (TOTP) for non-LDAP users.

Weilbyte avatar Jul 05 '22 01:07 Weilbyte

If it were closer to Christmas, I would be asking for SAML support instead, so someone could use their chosen IDP (like Ping Federate) to bring SSO and 2FA support to this app.

-Ken K

On Jul 4, 2022, at 6:03 PM, Weilbyte @.***> wrote:

@fiftin I could give it a try at implementing 2FA (TOTP) for non-LDAP users.


KenK73 avatar Jul 05 '22 03:07 KenK73

@KenK73 what SAML provider do you use?

Weilbyte avatar Jul 06 '22 00:07 Weilbyte

Are you asking about the IDP? Ping Federate is what we've started rolling out. Maybe I don't understand what you are asking. I am not well versed in SAML just yet; I just see it working pretty well on our other apps that support it.

KenK73 avatar Jul 06 '22 07:07 KenK73

+1 on the SSO implementation. It's a lot cleaner and secure than LDAP. Please and thank you!

ff-fgomez avatar Feb 22 '23 19:02 ff-fgomez

OpenID Connect would be good too (preferable to SAML).

hmoffatt avatar Feb 23 '23 06:02 hmoffatt

+1 would be really good

jonahbohlmann avatar Jun 07 '23 18:06 jonahbohlmann

+1 would be really really good

xrpixer avatar Jun 16 '23 15:06 xrpixer

+1 on the SSO implementation. Even being able to authenticate users with Github would be incredible. (Similar to how AWX does it)

Alex-Giaquinto avatar Jun 30 '23 12:06 Alex-Giaquinto

2FA is needed

wakawakaaa avatar Mar 01 '24 21:03 wakawakaaa

Use OpenID Connect and let your IDP do 2FA.

hmoffatt avatar Mar 02 '24 09:03 hmoffatt

IMHO this issue can get closed. It is possible to enable 2FA on an OIDC/OAuth2 provider. There are much more important features or fixes than building your own 2FA mechanism for local or LDAP users.

tboerger avatar Mar 02 '24 09:03 tboerger