Adding 2FA to BookStack Wiki
-
Running Bookstack and want to add 2FA for security. I don't see any built-in solution for this with Bookstack. Has anyone looked into this? Or what would be a good approach to layer on 2FA for this kind of workload (provided over the Internet)?
-
This has been an open feature request for a while.
-
@DustinB3403 said in Adding 2FA to BookStack Wiki:
This has been an open feature request for a while. .
Yeah, that I know. I'm figuring that getting it built in isn't going to be an option, potentially ever. Another reason that we use Zoho instead of Bookstack internally.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@DustinB3403 said in Adding 2FA to BookStack Wiki:
This has been an open feature request for a while. .
Yeah, that I know. I'm figuring that getting it built in isn't going to be an option, potentially ever. Another reason that we use Zoho instead of Bookstack internally.
Why not take some of the development team you have and task them with getting this created as a PR for the project?
-
As some guidance (and I posted this on the FR above) Snipe-IT already has 2FA built in, and is built on Laravel and PHP as well. So taking the code and making it work with Bookstack is likely a relatively small ask for anyone with the programming chops.
-
What about adding 2-Factor Authentication to Bookstack using Nginx
-
@black3dynamite said in Adding 2FA to BookStack Wiki:
What about adding 2-Factor Authentication to Bookstack using Nginx
I'm going to give that a try.
-
My opinion is that the best way is to put a reverse proxy in front and authenticate on that using SSO (SAML or OpenID) to an identity provider. And then have the identity provider do the 2FA.
Apache has the most advanced options for this but others have it too. Identity provider can be whatever is suitable. Key is using SSO and not "homebuilt" 2FA. And the proxy server will have nothing to do with passwords or managing users. That's taken care of by the identity provider, which has all the tools already in place for this.
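
The reverse-proxy approach described in the post above, sketched as an Apache virtual host (an added example, not part of the original thread and not BookStack's own configuration). It assumes the third-party mod_auth_openidc module and an OpenID Connect identity provider; every hostname, port, path and secret below is a placeholder.

```apache
# Added example: Apache authenticates every request against an external
# identity provider (IdP) before anything reaches BookStack.
# Assumes mod_ssl, mod_proxy, mod_proxy_http and mod_auth_openidc are loaded.
<VirtualHost *:443>
    ServerName wiki.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.com.key

    # The IdP owns passwords, user management and the second factor.
    # The proxy only holds a client ID/secret registered at the IdP.
    OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
    OIDCClientID            bookstack-proxy
    OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
    OIDCScope               "openid email profile"

    # Callback URL registered at the IdP. It must sit inside the protected
    # location and must not correspond to a real BookStack page.
    OIDCRedirectURI         https://wiki.example.com/oidc/callback

    # Protects the proxy's own session cookie and state.
    OIDCCryptoPassphrase    REPLACE_WITH_LONG_RANDOM_STRING

    <Location />
        AuthType openid-connect
        Require valid-user
        # To admit only sessions the IdP marks as multi-factor, replace the
        # line above with the one below. Assumes the IdP emits the "amr"
        # claim with the value "mfa"; check what your IdP actually sends.
        # Require claim amr:mfa
    </Location>

    # BookStack backend, reachable only from this host (placeholder port).
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend has to listen only on the loopback address used in `ProxyPass`; if it is reachable directly, the proxy and the identity provider's second factor are bypassed.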
-
Am I missing something? What's wrong with the third party auth and SAML supported by Bookstack?
-
@flaxking said in Adding 2FA to BookStack Wiki:
Am I missing something? What's wrong with the third party auth and SAML supported by Bookstack?
If Bookstack already supports SAML, that would be the most logical choice with the least amount of work.
I don't know which identity provider to pick though - if you are not already committed to something.
For instance, if you are an M365 user do you already have access to SAML authentication through Microsoft or do you need to add Azure AD to get that?
Then you have Google, AWS and more. Then you have the specialized identity providers such as okta, onelogin, jumpcloud etc.
-
@flaxking said in Adding 2FA to BookStack Wiki:
What's wrong with the third party auth and SAML supported by Bookstack?
I suggested that we look at SAML providers for this. That sounds like a good idea.
-
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know which identity provider to pick though - if you are not already committed to something.
We don't have one yet in this instance.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know which identity provider to pick though - if you are not already committed to something.
We don't have one yet in this instance.
Might not make sense in this case but we're actually looking to use Zoho as an identity provider for SAML. So you'd sign in to Bookstack or other app using your Zoho login.
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
-
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
-
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
True, but don't they use mail or any other service?
-
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
True, but don't they use mail or any other service?
Sure, but that doesn't offset the Vault cost. So still looking at $6/u/mo just for wiki sign in!
-
I don't know what all is required but is it possible to use the google-authenticator-libpam module with modifications to the /etc/pam.d/nginx file?
I was thinking, if Ubuntu GUI can use it, nginx can use PAM modules, is it possible to mesh it with bookstack?
This could be totally irrelevant as I am just throwing some crap ideas out there.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
True, but don't they use mail or any other service?
Sure, but that doesn't offset the Vault cost. So still looking at $6/u/mo just for wiki sign in!
It could. First, with SSO you move everything to SSO so it's not just for the wiki. Log in once and be done with it. And if the client, for instance, uses Google for email (workplace) then they already have an SSO solution without needing anything extra.