To improve login security, Abiquo supports two-factor authentication (2FA) for the user interface.

  1. The Systems Administrator configures two-factor authentication for the platform (see steps below)
  2. The Cloud Administrator can configure tenants to force users to work with two-factor authentication
  3. If two-factor authentication is configured for the platform but not required for a user's tenant, the user can still choose to enable it

For a description of the user functionality, see Configure your user account.

Note: UI with basic authentication.

Abiquo can send an authentication code:

  • via email

  • using Google Authenticator

The steps to use 2FA are:

  1. Configure the authentication options in the platform

  2. Activate 2FA for the platform

  3. If 2FA must be used in an enterprise, edit the enterprise and select the required option

  4. Users activate 2FA for their accounts.

    1. This is optional if 2FA is not mandatory for their enterprise

Tip

When you enable the Abiquo OpenID Connect integration, Abiquo disables two-factor authentication.


Configure

...

2FA for the platform


To configure the authentication system, do these steps.

Basic requirements of 2FA:

  • Synchronize system times, because two-factor codes are dependent on the system time

  • For a multi-datacenter configuration, configure Appliance manager for template upload and download as described in Uploading and downloading templates in multi datacenter

  • For each enterprise that requires

    For integration and events requirements, see below.

    To configure 2FA, customize properties and files, and enable it on the platform:

    1. Log in to the Abiquo API Server

    2. Go to /opt/abiquo/config and edit the abiquo.properties file. For full details about any Abiquo property see Abiquo configuration properties

    3. For Google Authenticator

      1. Set the property with the name of the issuer of authentication codes:

        Code Block
        abiquo.2fa.issuer=Abiquo
    4. For email:

      1. Configure the mail server with the server.mail properties, including the sender with the from property. You can also set custom properties by replacing {javax mail property} with a property name.

        Code Block
        abiquo.server.mail.from=  
        abiquo.server.mail.password=none  
        abiquo.server.mail.port=25
        abiquo.server.mail.server=127.0.0.1  
        abiquo.server.mail.ssl=false
        abiquo.server.mail.tls=false
        abiquo.server.mail.user=none@none.es
        abiquo.server.mail.extra.{javax mail property}=  
      2. Optionally, change the length of time, in seconds, that the email codes are valid for:

        Code Block
         abiquo.2fa.email.timestep=60 
      3. To customize the email message, see Customize emails for two factor authentication

    5. In Abiquo, enable two-factor authentication for the platform:

      1. Go to Configuration → Security

      2. Edit the options and select Enable two factor authentication

    Enable 2FA in Configuration view
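A quick check of the properties from the steps above, as an added example that is not Abiquo code. The property names come from this page; the checks, the treatment of a missing ssl/tls key as disabled, and the constructed sample file are assumptions.

```python
# Added example: audit the 2FA-related keys of abiquo.properties.
# Key names are from this page; the checks themselves are assumptions.

SAMPLE = """\
# constructed sample that mirrors the values shown on this page
abiquo.2fa.issuer=Abiquo
abiquo.server.mail.from=
abiquo.server.mail.port=25
abiquo.server.mail.server=127.0.0.1
abiquo.server.mail.ssl=false
abiquo.server.mail.tls=false
abiquo.2fa.email.timestep=60
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_2fa(props):
    """Return findings for the 2FA settings described on the page."""
    findings = []
    if not props.get("abiquo.2fa.issuer"):
        findings.append("abiquo.2fa.issuer is not set (used by Google Authenticator)")
    if not props.get("abiquo.server.mail.from"):
        findings.append("abiquo.server.mail.from is empty: email codes have no sender")
    # Assumption: a missing ssl/tls key is treated as disabled.
    ssl = props.get("abiquo.server.mail.ssl", "false").lower() == "true"
    tls = props.get("abiquo.server.mail.tls", "false").lower() == "true"
    if not (ssl or tls):
        findings.append("mail.ssl and mail.tls are both false: "
                        "codes reach the mail server unencrypted")
    step = props.get("abiquo.2fa.email.timestep", "")
    if step and (not step.isdigit() or int(step) <= 0):
        findings.append("abiquo.2fa.email.timestep must be a positive number of seconds")
    return findings

if __name__ == "__main__":
    for finding in audit_2fa(parse_properties(SAMPLE)):
        print("WARN:", finding)
```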

    Requirements for integrations:

    • For each enterprise that uses 2FA, migrate automation and integrations to OAuth

    , see For

    Requirements for events and event streaming:

    • If the M-user belongs to a tenant that must use 2FA, configure the M-user to use OAuth.

    • Enter the OAuth credentials in the Abiquo properties file. See Abiquo Configuration Properties#m
  • Configure Google Authenticator properties. Set the name of the issuer of authentication codes. See Abiquo Configuration Properties#2fa 

  • Configure email authentication properties:

    1. Set the email server configuration, including the sender with the "from" property. See Abiquo Configuration Properties#server

    2. Set the length of time that the email codes will be valid for. See Abiquo Configuration Properties#2fa

  • For email authentication, you can edit the email message. See Configure Email Templates


  • Troubleshooting

    • Check server date and time synchronization as part of the user issue troubleshooting process.

    Manage two-factor authentication in the Abiquo UI and API

    For the platform, enable two-factor authentication in the Configuration view (or using the API).

    When an administrator creates or edits an enterprise, they can mark a checkbox to require two-factor authentication of all users in the enterprise.

    In the API, this is done by setting the enterprise attribute of twoFactorAuthenticationMandatory to true.

    If two-factor authentication is not required, the user can still enable it from the username menu by clicking on the icon or username in the top right-hand corner of the screen and selecting two-factor authentication. Note that you can enable or disable 2fa for your own user only. Using the API, you enable or disable 2fa by posting

    Require 2FA for a tenant

    To configure a tenant so that all the users must work with two-factor authentication:

    1. Go to Users

    2. Edit an enterprise and go to General

    3. Select the checkbox to Require two-factor authentication for all users in the enterprise

    4. Click Save

    Select a checkbox to require two-factor authentication for a tenant
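Why the time synchronization requirement and the troubleshooting check on this page matter for Google Authenticator codes, as an added example that is not Abiquo code. It implements the standard RFC 6238 algorithm with Google Authenticator's usual 30-second step and 6 digits; the acceptance window of one step either side and the sample secret and times are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample values (the RFC 6238 test secret), not Abiquo data.
SECRET = b"12345678901234567890"
PHONE_TIME = 59  # Unix time on the user's device when the code is read

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the number of elapsed time steps."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, server_time, step=30, window=1):
    """Accept the server's current step and `window` steps either side.
    The window size is an assumption, not a documented Abiquo value."""
    return any(
        hmac.compare_digest(code, totp(secret, server_time + i * step, step))
        for i in range(-window, window + 1)
    )

def drift_report(drifts=(0, 20, 120)):
    """Map server clock drift in seconds to whether the user's code is accepted."""
    code = totp(SECRET, PHONE_TIME)
    return {d: verify(SECRET, code, PHONE_TIME + d) for d in drifts}

if __name__ == "__main__":
    for drift, ok in drift_report().items():
        print(f"server ahead by {drift:>3}s -> {'accepted' if ok else 'rejected'}")
```

A correct code typed by the user is rejected once the server clock is two minutes ahead, which is why clock synchronization is the first thing to check when users report failed 2FA logins.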


    2FA for users

    When a user’s enterprise requires two-factor authentication, the user must enable it from the user icon menu.

    Even if the enterprise does not require two-factor authentication, the user can enable it for their own account from the user icon menu.

    For details of how the user must enable 2FA, see https://abiquo.atlassian.net/wiki/spaces/doc/pages/311370224/Starting+Abiquo+for+the+first+time#Use-two-factor-authentication.

    User icon menu with 2FA option


    Remove the option for users to enable 2fa

    By default, the option to enable 2fa appears in the user icon menu. To remove the Two factor authentication option, edit the client-config-custom.json file, and set the following property:

    Code Block
    client.2fa.activated=false

    For more details, see Configure Abiquo UI.


    Manage two factor authentication via the API

    To make 2fa mandatory for a tenant, edit the enterprise and set the value of the twoFactorAuthenticationMandatory attribute to true.

    To enable or disable 2fa for a user, post the authentication method to the action link of the user.


    ...