Joomla - Two Factor Authentication - Opt-in - joomla

Currently, it appears that Joomla has an opt-in 2FA implementation.
Is it possible to force our users to use 2FA login?

Two factor authentication is typically used for Administrators and up. Setting it up can be tricky (the user needs to download and initialize the google app), so each user should do it individually.
Since you're creating the users (you need a Super User to add new users) you could create a new user group with access only to com_users, so they may set up two-factor authentication; then once they do manually move them to a higher group which will give them full access to the administrator.
You will also need to create a template override so the admin users won't be able to change the two factor authentication preferences.

Related

How to authenticate users with an integer such as account number as the username

I have a problem authenticating users in my banking application. I want super users to be created and authenticated using email. However, I want that normal users be registered and assigned account numbers. The normal users would then use the account numbers to login. How do you achieve authentication of these different kinds of users with different username fields in one django project.
I have tried overriding the USERNAME_FIELD to account numbers so that normal users would use that to login. It doesnt help to login normal users. For superusers, it prompts for account number when I run
python manage.py createsuperuser
Kindly assist in understanding how to handle this kind of custom authentication.
Django is ready to support your requirement. AUTHENTICATION_BACKENDS support multiple backend as list. For normal user you have to write custom backend and Add that in AUTHENTICATION_BACKENDS.
This link will help you.

Integrate laravel app with MS Active Directory but restrict users who can access

I have a custom application for internal use only where currently users are created by a super admin. Some of the users are from within the business and some external e.g. suppliers/customers.
I'm looking for a way to integrate MS Active Directory as a login option but want to be able to restrict which users from the business can actually use this method.
I have search through all the MS docs and have all the documentation on the different oauth approaches but not sure which one would be suitable for my needs.
I am thinking that perhaps i need to give the admin a way to browse the AD and select the users that can login which then creates inactive user accounts in the mysql database with some sort of MS user ID. Then provide a 'Sign in with MS' button that does the usual auth redirection process to MS and back to the site. At that point I can check an ID and if that matches an allowed user account and if so, sync the rest of the data e.g. name, email, phone etc..
Links I've already found:
https://learn.microsoft.com/en-gb/azure/active-directory/develop/authentication-scenarios
https://learn.microsoft.com/en-gb/graph/tutorials/php
https://github.com/microsoftgraph/msgraph-training-phpapp/tree/master/Demos/03-add-msgraph
Your first order of business is enabling a user to sign in to the Laravel-based app. For this, I strongly recommend not trying to re-invent the wheel (at least not completely), and make use of an existing Laravel package. Laravel Socialite is probably the best place to start, since it has a long list of existing community-provided Socialite providers, including three which work with Azure AD already: Microsoft, Microsoft-Graph and Microsoft-Azure. (Note: Though I haven't tested any of these myself, the first two seem to be the most promising, as they use the newer v2 endpoint.)
When it comes to authorization (controlling access), you have two options:
Control at Azure AD
Once you've got the app integrated with Azure AD, you can configure the app in Azure AD to require user assignment, and then control access to the app by assigning (or not) users to the app. Users who are not assigned won't even make it past the sign-in page.
You can use Azure AD's existing experiences for managing user and role assignment for the app, or you could go all-out and build this experience directly into the Laravel-based app itself, making use of the Azure AD Graph API to create the [app role assignments](https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#approleassignment-entity and user picker experience.
Hint: In either case, remember that you can make the app "superuser" an "owner" of the app in Azure AD (Azure AD > Enterprise apps > (app) > Owners), which will allow them to assign users without needing to give them any additional privileges in Azure AD.
Control at the app
In this approach, you allow all users to sign in to the app with Azure AD, but then you use your app's own authorization logic to decide who makes it any further, and what roles they get in the app.
In reality, you will most likely find the best approach is to use a combination of the two, with some of the authorization enforced by Azure AD and the next level enforced by the app itself.
If you would do it in this way, it will be necessary that the super-admin has always this permissions in the AAD. From my point of view it is less practical.
I would perfer such app-assigments with help of Service Principal. You assign a role (look for app roles) to the user and then your business logic must decide which permissions the user has. If you would use the app roles feature, then you can restrict access to the role with it's help. All the user can login, but only users with a specific role would be able to see a content of the app.
I hope this hints can help to find a right direction, but there is no silver bullet solution... :/

Allow admin user to login as other users

Is there any way to login other users account for admin user ?
Currently authentication based on Meteor Accounts
I saw this post but didn't working at all now.
The feature is important for us because when user have problem in system then admin need to see it this by simulating user account.
Thanks in advance.
It seems you want to impersonate a user. This means that you want to have Meteor.userId (or this.userId depending on context) reflect the _id of a specific user both on the client and the server.
afaict the only way to do this is to login as the user. Presumably you don't want to ask the user for their password so you have a couple of choices:
Save their existing password, replace it (temporarily) with a password of your choosing, then after you're done impersonating their account, restore their existing password.
You probably don't want to ask the user for their password and you don't need to. All you need to do is set aside Meteor.user.findOne(userId).services.password.bcrypt, then reset the password to your temporary value, then restore the original bcrypt value later.
The downside is that the original user would not be able to login while you are logged-in. Plus it's really hacky.
Extend Meteor's Accounts package to provide impersonation capability in a more elegant manner.
You might also look at validateLoginAttempt. The docs are unclear as to whether a failed login attempt could be overridden with a successful one but if it could then that would provide another pathway to solve your problem.
Instead of logging in as the users, which requires their password and which is a total no-no, you may use rather alanning:roles and allow the admin to assign the role of any user in order to draw views based the user's role.
This requires a well designed role system.
As a plus you could then at least load the documents associated with the user who you want to support.
This requires a well designed document and data model.
But generally spoken you should rather focus on writing good tests (test driven development) for components as unit tests, integration tests and UI tests.
This will reduce the need to manually view the app as an end user a lot.
The most common end user problems can be reduced by creating a good knowledge base like a wiki or video tutorials.
Even if then an error occurs in the end user side, I would rather try to implement a well designed error log that allows users automatically create tickets on error which also include the error stack.
All the above methods are to be favored before logging in AS THE USER.
As #Jankpunkt has already mentioned alanning-roles I can add something you can use without installing any external package.
Just keep a type key in the profile object of the users collection. Then define some types like 1 for super-admin, 2 for admin, 3 for general etc. Then check the authorisation of particular action by checking the value of user.profile.type key.
Caveats: Make sure you are checking the type in server side. By default profile field is writable from the client end, so if you are putting type field in the profile object make sure that you are not allowing users to modify users collection in the client end.
Here is how to restrict client end update in users collection:
Meteor.users.deny({
update() { return true; }
});
Read more on roles and permissions here:
https://guide.meteor.com/accounts.html#roles-and-permissions

Okta API for modifying user application assignments?

Looking for the developer documentation as to how to modify a users application assignment. I would like to programatically assign, unassign and change the assignment details (ex: roles). So far I can't find that in the developer docs.
You can directly assign and remove users from applications via the Application User Operations.
Depending on what logic you're trying to implement, it might be better to:
Assign the users to groups. You can even setup rules to do this for you automatically based on conditions.
Add the group to the app
By using groups rather than assigning users to the app directly, you can automate more of the flow (i.e. users can be assigned to apps automatically based on user properties and conditions), as well as setup Sign-On, MFA, and password policies.

Spring how to make password on admin panel

I have spring security with 2 roles (ROLE_USER, ROLE_ADMIN).
Now, I want to implement admin panel. I have already done access to panel url only for users which have ROLE_ADMIN. But I want to make extra secure.
When user with ROLE_ADMIN open admin panel pages first time, he will have to enter a admin panel password. So, my question is What the good way to implement this feature?
Your suggested idea, by making user with role 'ROLE_ADMIN' re-enter his password is used to secure in case of leaving your device unlocked. It used for critical high potential actions like changing your mail password, which require something like token renewal. I think implementing Two-factor authentication add a second security layer.

Resources