[OOD-users] TFA

Franz, Eric efranz at osc.edu
Thu Aug 3 17:19:39 EDT 2017


Susan,

At OSC we provide authentication to OOD through 2 means: external CILogon and a local KeyCloak OIDC provider that we configured with our local LDAP. Both are using OIDC (OpenID Connect) and are configured with Apache in OOD using mod_auth_openidc. KeyCloak, when properly configured, can provide users the option to enable 2FA using either FreeOTP or Google Authenticator. So another option would be for you to configure OOD at PSC to authenticate using KeyCloak, and then the subset of users that require 2FA could enable it themselves. You can see the documentation describing what users can do here: https://keycloak.gitbooks.io/documentation/server_admin/topics/account.html

We think KeyCloak can be extended to work with Duo as well, but that is not built into KeyCloak. 

KeyCloak is a RedHat product and the main website is here: http://www.keycloak.org/

We have yet to explore these 2FA options with KeyCloak at OSC. But we have started working on making installation directions for using KeyCloak with OOD for authentication and how we can help make that process easier, since many people have asked about 2FA.

Thanks,
Eric

---
Eric Franz, Senior Web & Interface App Engineer
Ohio Supercomputer Center
An Ohio Technology Consortium (OH-TECH) Member
1224 Kinnear Road
Columbus, OH 43212
email: efranz at osc.edu
 

On 8/3/17, 4:04 PM, "OOD-users on behalf of Basil Mohamed Gohar" <ood-users-bounces+efranz=osc.edu at lists.osc.edu on behalf of bgohar at osc.edu> wrote:

    Susan,
    
    This is not exactly the answer to your question, but the way we've 
    handled different classes of users where there may be different 
    requirements was that we set up two separate OOD portals.  This may not 
    be ideal for your case, and in ours two-factor authentication was not 
    the reason either, but rather, it was to provide different portals for 
    our commercial vs. academic clients (sort-of).
    
    So, while less than ideal, that's one possibility.  I'm sure others may 
    have ideas as well, so I hope there is some useful discussion around this.
    
    Basil Mohamed Gohar
    Web and Interface Applications Manager
    Ohio Supercomputer Center (OSC) <https://osc.edu>
    A member of the Ohio Technology Consortium <https://oh-tech.org>
    1224 Kinnear Road, Columbus, Ohio 43212
    Office: (614) 688-0979 • Mobile: (614) 657-4820 • Fax: (614) 292-7168
    bgohar at osc.edu
    
    Learn more about OSC at https://osc.edu
    
    On 8/3/17 3:54 PM, Susan Litzinger wrote:
    > Hi everyone,
    >
    > At the PEARC17 Open OnDemand BoF, one of the attendees mentioned that 
    > he has two-factor authentication working for OOD at their site.  This 
    > is something we are trying to do here at PSC but with a twist.
    >
    > We have some users that need to use TFA to authenticate while other 
    > users don't.  This is due to the content of the data being accessed.
    >
    > I was wondering whether anyone has a similar situation and if they've 
    > had a chance to tackle it.  Also, does the user with TFA working 
    > already have any pointers to getting that working with OOD?  That 
    > would be helpful as well.
    >
    > Thanks in advance for any information,
    >
    > Susan Litzinger
    > Pittsburgh Supercomputing Center
    >
    >
    > _______________________________________________
    > OOD-users mailing list
    > OOD-users at lists.osc.edu
    > https://lists.osu.edu/mailman/listinfo/ood-users
    
    


