Adding 2FA to BookStack Wiki
-
My opinion is that the best way is to put a reverse proxy in front and authenticate on that using SSO (SAML or OpenID) to an identity provider. And then have the identity provider do the 2FA.
Apache has the most advanced options for this but others have it too. Identity provider can be whatever is suitable. Key is using SSO and not "homebuilt" 2FA. And the proxy server will have nothing to do with passwords or managing users. That's taken care of by the identity provider, which has all the tools already in place for this.
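A sketch of the reverse-proxy setup described above, as an added example that is not part of the original post: Apache with mod_auth_openidc authenticates every request against an OpenID Connect identity provider and only admits sessions whose ID token reports multi-factor authentication. The hostnames, client ID, backend port, certificate paths and the `amr` value `mfa` are assumptions; check which `amr` or `acr` values your identity provider actually emits.

```apache
# Added example (assumed names throughout): Apache as an OpenID Connect
# relying party in front of BookStack.
# Needs mod_auth_openidc, mod_proxy, mod_proxy_http, mod_headers, mod_ssl.
<VirtualHost *:443>
    ServerName wiki.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.com.key

    # The proxy never sees passwords; it only consumes tokens from the IdP.
    OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
    OIDCClientID            bookstack-proxy
    OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
    # Vanity URL inside the protected location; it must not map to real content.
    OIDCRedirectURI         https://wiki.example.com/oidc/callback
    # Protects the session cookie and state; use a long random value.
    OIDCCryptoPassphrase    REPLACE_WITH_LONG_RANDOM_VALUE
    OIDCScope               "openid email profile"
    OIDCRemoteUserClaim     email

    <Location />
        AuthType openid-connect
        # Admit only sessions where the IdP states that a second factor was
        # used. Assumes the ID token carries an "amr" array containing "mfa"
        # (RFC 8176); without this line a password-only IdP login passes too.
        Require claim amr:mfa

        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        # BookStack is assumed to listen on loopback only. If the backend is
        # reachable directly, the proxy's authentication can be bypassed.
        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
</VirtualHost>
```

With this in place the second factor is enforced and managed entirely at the identity provider, and the proxy's only policy decision is the `Require claim` line.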
-
Am I missing something? What's wrong with the third party auth and SAML supported by Bookstack?
-
@flaxking said in Adding 2FA to BookStack Wiki:
Am I missing something? What's wrong with the third party auth and SAML supported by Bookstack?
If Bookstack already supports SAML, that would be the most logical choice with the least amount of work.
I don't know which identity provider to pick though - if you are not already committed to something.
For instance, if you are an M365 user do you already have access to SAML authentication through Microsoft or do you need to add Azure AD to get that?
Then you have Google, AWS and more. Then you have the specialized identity providers such as Okta, OneLogin, JumpCloud etc.
-
@flaxking said in Adding 2FA to BookStack Wiki:
What's wrong with the third party auth and SAML supported by Bookstack?
I suggested that we look at SAML providers for this. That sounds like a good idea.
-
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know which identity provider to pick though - if you are not already committed to something.
We don't have one yet in this instance.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know which identity provider to pick though - if you are not already committed to something.
We don't have one yet in this instance.
Might not make sense in this case but we're actually looking to use Zoho as an identity provider for SAML. So you'd sign in to Bookstack or other app using your Zoho login.
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
-
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
-
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
True, but don't they use mail or any other service?
-
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
True, but don't they use mail or any other service?
Sure, but that doesn't offset the Vault cost. So still looking at $6/u/mo just for wiki sign in!
-
I don't know what all is required, but is it possible to use the google-authenticator-libpam module with modifications to the /etc/pam.d/nginx file?
I was thinking, if Ubuntu GUI can use it, and nginx can use PAM modules, is it possible to mesh it with BookStack?
This could be totally irrelevant as I am just throwing some crap ideas out there.
-
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
@scottalanmiller said in Adding 2FA to BookStack Wiki:
@Pete-S said in Adding 2FA to BookStack Wiki:
I don't know what other options Zoho have but it looks like Zoho can act as a SAML identity provider if you have Zoho One or Zoho Vault Enterprise.
That's what I'd like, but we don't have either of those and neither does the client in question.
IDaaS providers such as onelogin are not ultra cheap. I think SSO+MFA is going to be $4/user/month.
But then you have support for SAML and OpenID Connect for unlimited apps as well as hardware tokens, OTP, APIs and the works.
Yeah, that might defeat the overall purpose. That adds up really quickly when it's just for a wiki.
True, but don't they use mail or any other service?
Sure, but that doesn't offset the Vault cost. So still looking at $6/u/mo just for wiki sign in!
It could. First, with SSO you move everything to SSO so it's not just for the wiki. Log in once and be done with it. And if the client, for instance, uses Google for email (workplace) then they already have an SSO solution without needing anything extra.
-
@Pete-S said in Adding 2FA to BookStack Wiki:
And if the client, for instance, uses Google for email (workplace) then they already have an SSO solution without needing anything extra.
They have no SSO source right now.