SAML2 authentication and Google authenticator


Fabio

I have a question regarding using multiple forms of authentication for different sets of users. Here's my scenario:

We are hosting Passwordstate in 2 Azure VMs with high availability, behind an application gateway which has those VMs as backends. This works fine and without any issues.

We have 2 sets of users: company users, who are supposed to use SAML2 as authentication, and another set of external users whose accounts are only present in our AD and not synchronized with our Azure AD and cannot use SAML. For these users I want to enable Manual AD with Google Authenticator. I have created a "User Account Policy" for that group of users and specified the authentication method for them.


The challenge:

I have set the system-wide authentication method to SAML2, and since Passwordstate automatically forwards anyone coming to the portal to the IdP, it does not allow the external users to use AD to authenticate.

After some digging I found that I could whitelist the IP ranges of our company users and force any IP outside of the specified ranges to use Manual AD with Google Authenticator. However, since Passwordstate is sitting behind my Application Gateway, all the requests that the web servers see come from that application gateway, making it impossible to filter the IP addresses correctly.

This could be fixed by just adding an SSO button on the authentication page, instead of automatically forwarding to the IdP.


Is there some other way that we can get around this?


15 hours ago, support said:

Hello Fabio,


We've already responded to your email for this request - did you receive that email?

Regards

Click Studios


Yes, I did. However, your solution does not solve the issue we have. I was wondering if someone in the forum community has had any experience with this kind of setup. Long shot, but worth a try.

I have also been reading on a way to forward the headers to the backend, but since I don't know how Passwordstate gets those IPs I am not sure what the best way to do it is.

For now I have enabled the temporary PIN through email as the system-wide authentication method, and Google Authenticator for the external users.

It would be great if Passwordstate had a "Sign in with Microsoft" button for SAML authentication, as so many other platforms and websites do have.

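The header-forwarding idea in the post above only works if the backend trusts X-Forwarded-For solely when the request actually arrived from the gateway, and then reads the rightmost address the gateway did not itself add; otherwise an external user can prepend a corporate IP to the header and be steered to the SAML path. The following is an added illustration of that selection logic, written here as an example and not taken from Passwordstate or Click Studios. The proxy subnet, the corporate egress ranges and the hypothetical method names are assumptions; Azure Application Gateway is assumed to append the client address (possibly with a ":port" suffix, which the parser tolerates) to X-Forwarded-For, which should be verified against your gateway's configuration.

```python
import ipaddress

# Constructed example ranges (assumptions, not real deployment data):
# the Application Gateway backend subnet that is allowed to set X-Forwarded-For,
# and the corporate egress ranges whose users should be sent to SAML2.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

SAML_METHOD = "SAML2"                         # hypothetical method label
FALLBACK_METHOD = "ManualAD+GoogleAuthenticator"  # hypothetical method label


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def _parse_hop(token):
    """Parse one X-Forwarded-For entry; tolerate 'ip:port' and '[v6]:port'. None if malformed."""
    token = token.strip()
    if token.startswith("["):                  # bracketed IPv6 with optional port
        token = token[1:token.index("]")] if "]" in token else token[1:]
    elif token.count(":") == 1:                # IPv4 with port suffix
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(remote_addr, xff_header):
    """Return the originating client address, or None if it cannot be determined safely.

    remote_addr is the TCP peer as seen by the web server. The header is only
    consulted when that peer is a trusted proxy; the chain is then walked from the
    right, skipping proxy addresses, so a client-supplied prefix is never trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer                             # direct connection: ignore the header entirely
    hops = [_parse_hop(t) for t in (xff_header or "").split(",") if t.strip()]
    for hop in reversed(hops):
        if hop is None:
            return None                         # malformed entry: fail closed
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop                          # first non-proxy hop from the right is the client
    return None                                 # only proxies in the chain: client unknown


def auth_method(remote_addr, xff_header):
    """Pick the authentication path for a request based on the resolved client address."""
    ip = client_ip(remote_addr, xff_header)
    if ip is not None and _in_any(ip, CORPORATE_RANGES):
        return SAML_METHOD
    return FALLBACK_METHOD                      # external, unknown or malformed -> AD + Google Authenticator


if __name__ == "__main__":
    # Constructed requests: via the gateway from a corporate address, and a spoof attempt.
    print(auth_method("10.0.1.5", "203.0.113.10:51234"))
    print(auth_method("10.0.1.5", "203.0.113.10, 192.0.2.77"))
```

The spoof case in the usage block shows the point: an external client at 192.0.2.77 that sends its own X-Forwarded-For of 203.0.113.10 still resolves to 192.0.2.77, because the gateway appends the real peer on the right and the code walks from that end. A request that reaches the web server without passing through the gateway is resolved from the TCP peer alone, so the header cannot be used to reach the SAML path from an unexpected route either.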

In this video: https://www.youtube.com/watch?v=eO7SXOQlxrc

You are able to set a user account policy to use SAML2 as an authentication option, like the screenshot below. However, I can't see that option at all in my Passwordstate installation. If this worked it would also solve my issue. Maybe this is no longer available in the latest versions of Passwordstate? I am running V9.3 (Build 9350).
