On 19.09.24 at 15:11, Kees van Vloten (keesvanvlo...@gmail.com) wrote:
> On 19-09-2024 14:57, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote:
>> Hi,
>>
>> we protect more and more services that can be reached from the Internet by 2FA/TOTP. Are there any ideas how to force 2FA/TOTP for SOGo when accessing SOGo from the Internet (outside the intranet), but not from the intranet?
>>
>> Ideally then, SOGo would ask our privacyIDEA API (username, TOTP code) to evaluate the TOTP code …
>
> I am doing exactly this by letting the webserver (Apache) handle the authentication (sogo.conf contains 'SOGoTrustProxyAuthentication = YES;' to trust Apache authentication).
>
> Apache is configured to do OIDC authentication against Keycloak. Keycloak then checks the client IP to determine how to authenticate. If the IP is not in the internal IP range, it will request MFA and use privacyIDEA as its backend; otherwise user/password or a Kerberos ticket is sufficient.
Nice, how do you authenticate to the IMAP server?

Frank

-- 
Frank Richter
Facharbeitsgruppe Datenkommunikation
Universitätsrechenzentrum
Technische Universität Chemnitz
Straße der Nationen 62 | R. B302A
09111 Chemnitz
Germany
Tel: +49 371 531 31879
frank.rich...@hrz.tu-chemnitz.de
www.tu-chemnitz.de/urz
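The proxy-authentication setup described in the quoted reply, sketched as an added example (not configuration posted by anyone in the thread). It assumes mod_auth_openidc, mod_headers and mod_proxy_http are loaded and that SOGo listens only on 127.0.0.1:20000; all hostnames, the realm name, the client ID and the secrets are placeholders.

```apache
# Added example, not from the thread. Names and secrets below are placeholders.
# sogo.conf on the same host contains: SOGoTrustProxyAuthentication = YES;
<VirtualHost *:443>
    ServerName sogo.example.org
    # TLS directives omitted for brevity

    # Apache is the OIDC relying party; Keycloak is the identity provider.
    # Whether MFA is required for a given client IP is decided in Keycloak,
    # not here.
    OIDCProviderMetadataURL https://keycloak.example.org/realms/EXAMPLE/.well-known/openid-configuration
    OIDCClientID sogo-web
    OIDCClientSecret REPLACE_WITH_CLIENT_SECRET
    OIDCRedirectURI https://sogo.example.org/SOGo/oidc-callback
    OIDCCryptoPassphrase REPLACE_WITH_RANDOM_PASSPHRASE
    # Claim used as REMOTE_USER; it must match the SOGo login name.
    OIDCRemoteUserClaim preferred_username

    <Location /SOGo>
        AuthType openid-connect
        Require valid-user

        # SOGo trusts this header unconditionally once proxy authentication
        # is enabled, so discard whatever the client sent before setting it
        # from the authenticated session.
        RequestHeader unset x-webobjects-remote-user
        RequestHeader set x-webobjects-remote-user "%{REMOTE_USER}e" env=REMOTE_USER
    </Location>

    # Hand authenticated requests to the local SOGo listener.
    ProxyPass        /SOGo http://127.0.0.1:20000/SOGo retry=0
    ProxyPassReverse /SOGo http://127.0.0.1:20000/SOGo
</VirtualHost>
```

With this arrangement the identity header is the only thing SOGo checks, so the SOGo port must not be reachable except through this virtual host.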