I have a question regarding using multiple forms of authentication for different sets of users; here’s my scenario:
We are hosting Passwordstate in 2 Azure VMs with high availability, behind an application gateway which has those VMs as backends. This works fine and without any issues.
We have 2 sets of users: company users, who are supposed to use SAML2 as authentication, and another set of external users whose accounts are only present in our AD and not synchronized with our Azure AD and cannot use SAML; for these users I want to enable Manual AD with Google Authenticator. I have created a “User Account Policy” for that group of users and specified the authentication method for them.
The challenge: I have set the system-wide authentication method to SAML2, and since Passwordstate automatically forwards anyone coming to the portal to the IdP, it does not allow the external users to use AD to authenticate.
After some digging I found that I could whitelist the IP ranges of our company users and force any IP outside of the specified ranges to use Manual AD with Google Authenticator. However, since Passwordstate is sitting behind my Application Gateway, all the requests that the web servers see are coming from that application gateway, making it impossible to filter the IP addresses correctly.
This could be fixed by just adding an SSO button on the authentication page, instead of automatically forwarding to the IdP.
Is there some other way that we can get around this?
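The IP-range policy described in the post only works if the application, not the gateway, decides who the client is. The following is an added example (not code from the post, not Passwordstate's own logic, and it makes no claim about whether Passwordstate honours forwarded headers) of how a reverse-proxy-aware application resolves the real client address from X-Forwarded-For and then picks the authentication method. The proxy subnet, the company ranges and the request samples are constructed, hypothetical values. It also shows the two failure modes a practitioner cares about: with no forwarded header every client looks like the gateway, and trusting the left-most X-Forwarded-For entry lets a client choose its own policy, so only the right-most entry added by a trusted proxy is used.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample values, not real infrastructure: the subnet the
# Application Gateway reaches the back ends from, and the company's public
# ranges (RFC 5737 documentation addresses stand in for real ones).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]
COMPANY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]

SAML = "SAML2"
MANUAL_AD_GA = "Manual AD + Google Authenticator"


def in_any(ip: IPAddress, nets: Iterable[IPNetwork]) -> bool:
    return any(ip in net for net in nets)


def parse_hop(hop: str) -> Optional[IPAddress]:
    """Parse one X-Forwarded-For entry.

    Azure Application Gateway writes the entry as IP:port, so a single
    trailing port is stripped; an IPv6 entry is assumed to use [addr]:port.
    Anything unparsable returns None so the caller can fail closed.
    """
    hop = hop.strip()
    if hop.startswith("["):                      # [2001:db8::1]:443
        hop = hop[1:hop.find("]")] if "]" in hop else hop[1:]
    elif hop.count(":") == 1:                    # 203.0.113.5:51234
        hop = hop.split(":", 1)[0]
    try:
        return ipaddress.ip_address(hop)
    except ValueError:
        return None


def client_ip(remote_addr: str, xff: Optional[str]) -> IPAddress:
    """Resolve the real client behind the gateway.

    The forwarded header is trusted only when the TCP peer is one of our own
    proxies. The chain is then read from the right: the right-most entry that
    is not itself a trusted proxy is what the gateway observed; everything
    to its left was supplied by the client and may be forged.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not in_any(peer, TRUSTED_PROXIES) or not xff:
        return peer                               # no proxy, or no header: the peer is the client
    for hop in reversed(xff.split(",")):
        addr = parse_hop(hop)
        if addr is None:
            break                                 # malformed chain: fall back to the peer
        if not in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def auth_method(remote_addr: str, xff: Optional[str]) -> str:
    """Company ranges get SAML2; everyone else gets Manual AD + Google Authenticator."""
    ip = client_ip(remote_addr, xff)
    return SAML if in_any(ip, COMPANY_RANGES) else MANUAL_AD_GA


if __name__ == "__main__":
    # Constructed requests as the back end would see them behind the gateway.
    print(auth_method("10.0.1.4", "203.0.113.5:51234"))             # company user via gateway
    print(auth_method("10.0.1.4", "203.0.113.5, 192.0.2.77:40000"))  # forged left entry, real client external
    print(auth_method("10.0.1.4", None))                              # no header: gateway IP only
```

The `None` case is exactly the situation the post describes: without a forwarded header the web server sees only the gateway's address, so no client can ever match the company ranges. The gateway subnet must therefore never appear in the company whitelist, or the opposite happens and every request, internal or external, is sent to the IdP.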