To improve login security, Abiquo supports two-factor authentication for the UI .
When you enable the Abiquo OpenID Connect integration, Abiquo disables two-factor authentication.
Configure 2FA for the platform
Basic requirements of 2FA:Synchronize system times because two-factor codes are dependent on the system time
Configure the Appliance manager to use HTTPS
Requirements for integrations:
For each enterprise that uses 2FA, migrate automation and integrations to OAuth. See Authentication#OAuthv1.0VersionAAuthentication.
To implement two-factor authentication for a portal, see Authentication
Requirements for events and event streaming:
if the M-user belongs to a tenant that must use 2FA, configure the M-user to use OAuth.
Enter the OAuth credentials in the Abiquo properties file. See Abiquo configuration properties and search for
.m.
See Authentication#OAuthv1.0VersionAAuthentication.
To configure 2FA, customize properties and files
Log in to the Abiquo API Server
Go to
/opt/abiquo/config
and edit theabiquo.properties
file. For full details about any Abiquo property see Abiquo configuration propertiesFor Google Authenticator, set the property with the name of the issuer of authentication codes.
abiquo.2fa.issuer=Abiquo
For email, configure the mail server with
server.mail
properties, including the sender with thefrom
property. You can also set custom properties by replacing{javax mail property}
with a property name.abiquo.server.mail.from= abiquo.server.mail.password=none abiquo.server.mail.port=25 abiquo.server.mail.server=127.0.0.1 abiquo.server.mail.ssl=false abiquo.server.mail.tls=false abiquo.server.mail.user=none@none.es abiquo.server.mail.extra.{javax mail property}=
Optionally, change the length of time in seconds that the email codes will be valid for
abiquo.2fa.email.timestep=60
For email authentication, you can customize the email message. See Customize email and SMS messages
Enable 2FA for the platform
To enable two-factor authentication for the platform:
Go to Configuration → Security
Edit the options and select Enable two factor authentication
Require 2FA for a tenant
To configure a tenant so that all the users must work with two-factor authentication:
Go to Users
Edit an enterprise and go to General
Select the checkbox to Require two-factor authentication for all users in the enterprise
Click Save
2FA for users
When two-factor authentication is required, the user must enable it from the user icon menu.
If two-factor authentication is not required, the user can enable it for their own account from the user icon menu.
To remove the Two factor authentication option from the user icon menu, edit the client-config-custom.json
file, and set the following property:
client.2fa.activated=false
For more details, see Configure Abiquo UI.
For details of how the user must enable 2FA, see https://abiquo.atlassian.net/wiki/spaces/doc/pages/311370224/Starting+Abiquo+for+the+first+time#Use-two-factor-authentication.
Manage two factor authentication via the API
To require 2fa mandatory for a tenant, edit the enterprise and set the value of the twoFactorAuthenticationMandatory attribute to true.
To enable or disable 2fa for a user, post the authentication method to the action link of the user.