Fabio, posted November 23, 2021

I have a question regarding using multiple forms of authentication for different sets of users. Here's my scenario: We are hosting Passwordstate in 2 Azure VMs with high availability, behind an application gateway which has those VMs as backends. This works fine and without any issues. We have 2 sets of users: company users, who are supposed to use SAML2 as authentication, and another set of external users whose accounts are only present in our AD and not synchronized with our Azure AD and cannot use SAML; for these users I want to enable Manual AD with Google Authenticator. I have created a "User Account Policy" for that group of users and specified the authentication method for them.

The challenge: I have set the system-wide authentication method to SAML2, and since Passwordstate automatically forwards anyone coming to the portal to the IdP, it does not allow the external users to use AD to authenticate. After some digging I found that I could whitelist the IP ranges from our company users and force any IP outside of the specified ranges to use Manual AD with Google Authenticator. However, since Passwordstate is sitting behind my Application Gateway, all the requests that the web servers see are coming from that application gateway, making it impossible to filter the IP addresses correctly. This could be fixed by just adding an SSO button on the authentication page, instead of automatically forwarding to the IdP. Is there some other way that we can get around this?
support, posted November 23, 2021

Hello Fabio, We've already responded to your email for this request - did you receive that email? Regards, Click Studios
Fabio (author), posted November 24, 2021

15 hours ago, support said: "Hello Fabio, We've already responded to your email for this request - did you receive that email? Regards, Click Studios"

Yes, I did. However, your solution does not solve the issue we have. I was wondering if someone in the forum community would have had any experience with this kind of setup; long shot, but worth a try. I have also been reading on a way to forward the headers to the backend, but since I don't know how Passwordstate gets those IPs I am not sure what the best way to do it is. For now I have enabled the temporary PIN through email as the system-wide authentication method, and Google Authenticator for the external users. It would be great if Passwordstate had a "Sign in with Microsoft" button for SAML authentication, as so many other platforms and websites do have.
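To illustrate the header-forwarding idea raised above, here is an added example (not Passwordstate's own code, whose client-IP logic is not shown in this thread) of how a backend should resolve the real client address behind a reverse proxy and only then pick the authentication method by IP range. The trusted-proxy subnet and company range are constructed placeholder values; the point is that X-Forwarded-For is only honoured when the TCP peer is the gateway, so a direct client cannot spoof its way into the company policy.

```python
import ipaddress

# Constructed example values, not a real deployment's configuration.
# Backend-facing subnet of the reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]
# Corporate egress ranges whose users should be sent to the SAML2 IdP.
COMPANY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _parse_hop(hop):
    """Parse one X-Forwarded-For entry; tolerate a trailing ':port' on IPv4."""
    hop = hop.strip()
    if hop.count(":") == 1:
        hop = hop.split(":")[0]
    return ipaddress.ip_address(hop)


def client_ip(remote_addr, xff_header):
    """Return the real client IP as a string.

    remote_addr is the TCP peer the web server sees (the gateway when proxied).
    The header is attacker-controlled unless a trusted proxy set it, so it is
    only consulted when the peer is trusted. Proxies append the client address
    on the right, so walk from the right and skip our own proxy hops.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)  # direct connection: ignore any forged header
    for hop in reversed((xff_header or "").split(",")):
        if not hop.strip():
            continue
        try:
            addr = _parse_hop(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return str(peer)


def auth_method(remote_addr, xff_header):
    """Choose the policy: company ranges get SAML2, everyone else AD + TOTP."""
    ip = ipaddress.ip_address(client_ip(remote_addr, xff_header))
    if any(ip in net for net in COMPANY_RANGES):
        return "SAML2"
    return "ManualAD+GoogleAuthenticator"
```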
support, posted November 24, 2021

Hi Fabio, If we've understood your requirements properly, what we suggested should work. Hopefully someone in the community has some other guidance for you. Regards, Click Studios
Fabio (author), posted November 26, 2021

In this video: https://www.youtube.com/watch?v=eO7SXOQlxrc you are able to set a user account policy to use SAML2 as an authentication option, like the screenshot below; however, I can't see that option at all in my Passwordstate installation. If this would work it would also solve my issue. Maybe this is no longer available in the latest versions of Passwordstate? I am running V9.3 (Build 9350).
support, posted November 26, 2021

Hi Fabio, As mentioned in the email we sent you, you need to disable Anonymous authentication for your site in IIS, and then this is possible. Regards, Click Studios