Feature #22627

open

Support 2FA in Foreman web UI

Added by Ondřej Pražák about 6 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Description of problem:

This is a request for supporting two-factor authentication in the web UI. There is #8852 for the API and #8016 for hammer, but the UI has been left out.

Actions #1

Updated by Ondřej Pražák about 6 years ago

  • Subject changed from Support 2FA in Foreman web UI to Support 2FA in Foreman web UI
  • Category set to Authentication
  • Priority changed from High to Normal
Actions #2

Updated by Marek Hulán about 6 years ago

Isn't this already possible through FreeIPA? If you configure FreeIPA as external authentication, you use FreeIPA 2FA there. See https://www.theforeman.org/manuals/1.16/index.html#5.7ExternalAuthentication for more details. I think we shouldn't implement the solution as part of the Foreman codebase.

Actions #3

Updated by Ondřej Pražák about 6 years ago

If this is possible with FreeIPA, then I think we can close.

Actions #4

Updated by Kodiak Firesmith almost 6 years ago

Ondřej Pražák wrote:

If this is possible with FreeIPA, then I think we can close.

Hello! I'm piling onto this 2FA RFE as a Satellite 6.3 customer to say that FreeIPA cannot always be counted on as a solution for bringing 2FA into Satellite.
US GOVT DFARS requirements require putting services like Satellite into 2FA authentication, and for that we need to use existing tools (Duo, RADIUS) which are integrated with our Active Directory infra. We do not have the option of deploying FreeIPA.

Actions #5

Updated by Marek Hulán over 5 years ago

  • Triaged set to No

If this is configurable in Active Directory, could you transparently use Active Directory as a Foreman LDAP auth source? Or you could configure an Apache module to take care of $authentication and set REMOTE_USER, then just use an external auth source for users. Would that help?

Actions #6

Updated by Steve Vogt over 3 years ago

I have to echo Kodiak's sentiments. 2FA is essential to using Foreman in many environments. I don't think it is right to assume users are using IPA, and it doesn't seem like it would be that hard to implement something like RADIUS.
