On 19-09-2024 14:57, Frank Richter ([email protected]) wrote:
> Hi,
> we protect more and more services that can be reached from the
> Internet by 2FA/TOTP.
> Are there any ideas on how to force 2FA/TOTP for SOGo when accessing SOGo
> from the Internet (outside the intranet), but not from the intranet?
> Ideally then, SOGo would ask our privacyIDEA API (username, TOTP code)
> to evaluate the TOTP code …
I am doing exactly this by letting the web server (Apache) handle the
authentication (sogo.conf contains 'SOGoTrustProxyAuthentication = YES;'
to trust Apache authentication).
Apache is configured to do OIDC authentication against Keycloak.
Keycloak then checks the client IP to determine how to authenticate. If
the IP is not in the internal IP range it will request MFA and use
privacyIDEA as its backend; otherwise a username/password or a
Kerberos ticket is sufficient.
- Kees.
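Added illustration, not code from the thread or from SOGo, Keycloak or privacyIDEA: the "MFA unless the client IP is internal" decision described above, written as a stand-alone policy function so the trust boundary is visible. Behind a reverse proxy the client address arrives in an X-Forwarded-For header, and that header is only meaningful when the component making the decision believes it solely from proxies it trusts; otherwise an Internet user can send an internal address in the header and earn the intranet exemption. The intranet ranges, the trusted proxy 10.0.0.5 and all sample addresses are assumptions constructed for the example.

```python
# Added example, not code from the thread or from SOGo/Keycloak/privacyIDEA.
# It shows the decision described in the thread ("MFA unless the client IP
# is in the internal range") as a stand-alone policy function, with the one
# check that makes such a rule safe behind a reverse proxy: the forwarded
# client address is believed only when it came from a trusted proxy.
#
# Assumptions (not in the thread): the intranet is 10.0.0.0/8 and
# 192.168.0.0/16, the only trusted reverse proxy is 10.0.0.5, and the proxy
# appends the peer address it saw to X-Forwarded-For. All addresses are
# constructed sample values.
import ipaddress
from typing import Optional

INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def effective_client_ip(peer_ip: str, xff: Optional[str] = None):
    """Return the address the MFA policy should judge.

    The TCP peer is the only address we observed ourselves. Its
    X-Forwarded-For header is honoured only if the peer is a trusted proxy;
    otherwise an Internet client could send "X-Forwarded-For: 10.1.2.3" and
    talk its way into the intranet exemption. Raises ValueError on a
    malformed header so the caller can fail closed.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES) or not xff:
        return peer
    # Walk right to left: the right-most entries were appended by our proxies;
    # the first address that is not one of them is the real client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        addr = ipaddress.ip_address(hop)  # ValueError on garbage
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def mfa_required(peer_ip: str, xff: Optional[str] = None) -> bool:
    """True when the login must be stepped up to TOTP (privacyIDEA in the
    thread); False when password or Kerberos alone is acceptable."""
    try:
        client = effective_client_ip(peer_ip, xff)
    except ValueError:
        return True  # fail closed: an unparsable address never earns the exemption
    return not _in_any(client, INTRANET)


# Constructed sample requests: (TCP peer, X-Forwarded-For header, expect MFA?)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "192.168.4.20", False),           # intranet user via the proxy
    ("10.0.0.5", "203.0.113.9", True),             # Internet user via the proxy
    ("10.0.0.5", "10.1.2.3, 203.0.113.9", True),   # forged inner entry, proxy appended the truth
    ("203.0.113.9", "10.1.2.3", True),             # direct hit with spoofed header: ignored
    ("192.168.4.20", None, False),                 # direct intranet connection
    ("10.0.0.5", "not-an-ip", True),               # malformed header fails closed
]


def check_samples():
    """Evaluate every sample; returns the list of mismatches (empty when all pass)."""
    return [(peer, xff) for peer, xff, want in SAMPLE_REQUESTS
            if mfa_required(peer, xff) != want]


if __name__ == "__main__":
    for peer, xff, _ in SAMPLE_REQUESTS:
        print(f"peer={peer:<13} xff={str(xff):<24} mfa={mfa_required(peer, xff)}")
    assert not check_samples()
```

The right-to-left walk matches how a reverse proxy such as Apache's mod_proxy builds the header: it appends the peer address it observed, so a value the client put in itself ends up to the left of the proxy's entry and is ignored. Whichever component actually evaluates the rule (Keycloak in the setup above) needs the same two pieces of configuration: which proxies to trust, and what to do when the header is missing or unparsable; the safe default is to require the second factor.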
Thanks
Frank