Posted to dev@cloudstack.apache.org by Rakesh Venkatesh <ww...@gmail.com> on 2021/08/10 09:34:16 UTC

2FA

Hello

Has anyone thought about 2FA or about how to implement it in CloudStack?
Looks like this will be a good addition to enhance the security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

-- 
Thanks and regards
Rakesh

Re: 2FA

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Rakesh,

We have a user authentication/login framework that you can extend to do 2FA. Something like (throwing ideas at you):

  *   Implement separate API to do 2FA (general purpose) and implement 2FA plugin-framework (plugins can be sms, captcha, google authenticator)
  *   In UI - the 2FA are called to show/pass a challenge (for example, sms code, google auth code etc) that the user inputs in a field
  *   When user enters credentials and 2FA code and submits, the login API piggybacks the new 2FA code as a parameter which is handled by the backend auth framework in a generic way, passed to 2FA framework to check (which calls a check() method by the configured 2FA plugin) - on pass it does not do anything, on fail it throws an exception and invalidates the login

If you want to do something really quick as Simon suggests, you can enable SAML based single-sign-on and enable 2FA on the SAML IDP.

Regards.

________________________________
From: David Jumani <Da...@shapeblue.com>
Sent: Wednesday, August 11, 2021 09:49
To: users <us...@cloudstack.apache.org>; dev <de...@cloudstack.apache.org>
Subject: Re: 2FA

Hi Rakesh,

MFA is generally done via an IAM rather than on a per-application basis. As Simon had mentioned, CloudStack does support SAML / LDAP so, in a general / corporate use case, the MFA would go there. So I do not think adding support for 2FA will add any significant benefit.
That being said, I'll be happy to review any PR that's raised.
________________________________
From: Simon Weller <sw...@ena.com.INVALID>
Sent: Wednesday, August 11, 2021 12:31 AM
To: users <us...@cloudstack.apache.org>; dev <de...@cloudstack.apache.org>
Subject: Re: 2FA

Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it with an Identity and Access Management System such as Keycloak (https://www.keycloak.org/).

-Si

________________________________
From: Rakesh Venkatesh <ww...@gmail.com>
Sent: Tuesday, August 10, 2021 4:34 AM
To: users <us...@cloudstack.apache.org>; dev <de...@cloudstack.apache.org>
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in CloudStack?
Looks like this will be a good addition to enhance the security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

--
Thanks and regards
Rakesh
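
The flow Rohit Yadav outlines above (login passes the 2FA code to the configured plugin's check(), silent on pass, exception on fail), sketched with a TOTP ("google authenticator") plugin and the otpauth:// URI a UI would render as the enrolment QR code. This is an added example, not CloudStack code or anything posted in the thread; every class and function name is hypothetical and the secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote

class TwoFactorFailed(Exception):
    """Raised to invalidate the login (hypothetical name)."""

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps compute."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// key URI; the UI encodes this string as the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"

class TotpPlugin:
    """Hypothetical 2FA plugin exposing the check() method from the thread."""
    def __init__(self, secrets: dict, window: int = 1, step: int = 30):
        self.secrets, self.window, self.step = secrets, window, step
        self.last_step = {}                      # user -> last accepted time step

    def check(self, user: str, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        secret = self.secrets.get(user)
        if secret is None:
            return False
        for drift in range(-self.window, self.window + 1):   # tolerate clock skew
            at = now + drift * self.step
            expected = totp(secret, at, self.step).encode()
            if hmac.compare_digest(expected, code.encode()):  # constant-time compare
                ts = int(at) // self.step
                if ts <= self.last_step.get(user, -1):
                    return False                 # replay of an already-used code
                self.last_step[user] = ts
                return True
        return False

def verify_second_factor(plugin, user: str, code: str, now: float = None) -> None:
    """Framework hook: does nothing on pass, raises on fail."""
    if not plugin.check(user, code, now):
        raise TwoFactorFailed(f"2FA check failed for {user}")

# Constructed sample data: the RFC 6238 test secret, not a real credential.
SECRETS = {"rakesh": b"12345678901234567890"}
```
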




 


Re: 2FA

Posted by David Jumani <Da...@shapeblue.com>.
Hi Rakesh,

MFA is generally done via an IAM rather than on a per-application basis. As Simon had mentioned, CloudStack does support SAML / LDAP so, in a general / corporate use case, the MFA would go there. So I do not think adding support for 2FA will add any significant benefit.
That being said, I'll be happy to review any PR that's raised.
________________________________
From: Simon Weller <sw...@ena.com.INVALID>
Sent: Wednesday, August 11, 2021 12:31 AM
To: users <us...@cloudstack.apache.org>; dev <de...@cloudstack.apache.org>
Subject: Re: 2FA

Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it with an Identity and Access Management System such as Keycloak (https://www.keycloak.org/).

-Si

________________________________
From: Rakesh Venkatesh <ww...@gmail.com>
Sent: Tuesday, August 10, 2021 4:34 AM
To: users <us...@cloudstack.apache.org>; dev <de...@cloudstack.apache.org>
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in CloudStack?
Looks like this will be a good addition to enhance the security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

--
Thanks and regards
Rakesh

 


Re: 2FA

Posted by Simon Weller <sw...@ena.com.INVALID>.
Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it with an Identity and Access Management System such as Keycloak (https://www.keycloak.org/).

-Si

________________________________
From: Rakesh Venkatesh <ww...@gmail.com>
Sent: Tuesday, August 10, 2021 4:34 AM
To: users <us...@cloudstack.apache.org>; dev <de...@cloudstack.apache.org>
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in CloudStack?
Looks like this will be a good addition to enhance the security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

--
Thanks and regards
Rakesh
