Has anyone gotten 2FA working with Xwiki - Natively or with a Proxy?

If so, would you be willing to share your configuration? I’m afraid we will have to abandon Xwiki if we can’t find a reasonable solution.

Thanks
Bob

I’m not sure if this addresses what you’re looking for. Still, we’re using the OIDC authentication extension, so we’re offloading authentication to Azure, and we have 2FA set up as a part of our Azure auth implementation.

If something like that is an option (lots of auth providers, like Google and Keycloak, are OIDC implementations), we’d be pleased to share our Xwiki OIDC config.

-Lane

I would love to learn how you did this! broswell@syssrc.com

In our environment an Entra (Azure) App Proxy acts as the gateway for SSO with MFA.

XWiki itself uses the identity which is provided by the App Proxy.

We’ve been using this setup for more than 2 years, works like a charm.

See: Application proxy documentation - Microsoft Entra ID | Microsoft Learn

We’ve got a similar use case. Here’s what we’ve got:

xwiki.cfg:
xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl

xwiki.properties:
oidc.endpoint.authorization=https://login.microsoftonline.com/<big guid from MS>/oauth2/v2.0/authorize
oidc.endpoint.token=https://login.microsoftonline.com/<big guid from MS>/oauth2/v2.0/token
oidc.endpoint.userinfo=https://graph.microsoft.com/oidc/userinfo
oidc.endpoint.logout=https://login.microsoftonline.com/<big guid from MS>/oauth2/v2.0/logout
oidc.endpoint.token.auth_method=client_secret_basic
oidc.endpoint.userinfo.method=GET
oidc.clientid=<big guid from MS>
oidc.secret=<App secret from MS>
oidc.scope=openid,profile,email
oidc.user.nameFormater=${oidc.idtoken.upn}
oidc.user.subjectFormater=${oidc.idtoken.upn}
oidc.user.preferredUsername=${oidc.idtoken.upn}
oidc.user.mail=${oidc.idtoken.upn}

Note that the oidc.idtoken options are new to the v2.3.0 release of the extension. Previous versions only allowed for userInfo attributes, which are pretty limited in Entra.

I hope that helps. Pleased to discuss further, if that’s useful.

-Lane
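As an added illustration (my own code, not the OIDC extension's and not Lane's), the Python below shows what the `${oidc.idtoken.upn}` templates in the config above resolve to once an Entra ID token comes back, and the issuer, audience and expiry checks a relying party has to apply to that token before trusting any claim in it. It assumes placeholder values `TENANT-ID`, `CLIENT-ID` and `CLIENT-SECRET` in place of the real GUIDs and secret, a constructed ID token with a dummy signature, and that Entra v2.0 ID tokens carry `iss` = `https://login.microsoftonline.com/<tenant>/v2.0`. Signature verification against the tenant's JWKS is left out on purpose; that is the library's job, and this script is not a substitute for it.

```python
import base64
import json
import re
import time

# Constructed sample: the xwiki.properties fragment from the post, with the
# tenant id, client id and secret replaced by placeholders. Two lines keep
# the ':' separator from the post, which Java properties files also accept.
SAMPLE_PROPERTIES = """\
oidc.endpoint.authorization=https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize
oidc.endpoint.token=https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token
oidc.endpoint.userinfo=https://graph.microsoft.com/oidc/userinfo
oidc.endpoint.token.auth_method=client_secret_basic
oidc.clientid=CLIENT-ID
oidc.secret=CLIENT-SECRET
oidc.scope=openid,profile,email
oidc.user.nameFormater=${oidc.idtoken.upn}
oidc.user.subjectFormater=${oidc.idtoken.upn}
oidc.user.preferredUsername:${oidc.idtoken.upn}
oidc.user.mail:${oidc.idtoken.upn}
"""

PLACEHOLDER = re.compile(r"\$\{oidc\.idtoken\.([A-Za-z0-9_]+)\}")


def parse_properties(text):
    """Minimal Java-properties reader: '=' or ':' separates key from value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def expected_issuer(props):
    """Assumption: Entra v2.0 tokens use iss = .../<tenant>/v2.0. The tenant is
    taken from the configured authorization endpoint, so the token is bound to
    the same tenant the config points at, not to any Entra tenant."""
    m = re.match(r"^https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/authorize$",
                 props["oidc.endpoint.authorization"])
    if not m:
        raise ValueError("authorization endpoint is not an Entra v2.0 endpoint")
    return f"https://login.microsoftonline.com/{m.group(1)}/v2.0"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims):
    """Constructed JWT with a dummy signature ('sig'), for offline testing only."""
    return f"{_b64url_encode({'alg': 'RS256', 'kid': 'constructed'})}.{_b64url_encode(claims)}.c2ln"


def map_user(props, id_token, now=None):
    """Check the binding claims against the config, then expand the
    ${oidc.idtoken.*} templates into the XWiki user fields. Illustrative
    only: the real extension must also verify the signature and nonce."""
    now = time.time() if now is None else now
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))

    if claims.get("iss") != expected_issuer(props):
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if props["oidc.clientid"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")

    def expand(template):
        def repl(m):
            claim = m.group(1)
            if not claims.get(claim):
                # Fail loudly: an empty subject or username would silently
                # map different people onto the same XWiki user.
                raise KeyError(f"ID token has no '{claim}' claim")
            return str(claims[claim])
        return PLACEHOLDER.sub(repl, template)

    return {
        "name": expand(props["oidc.user.nameFormater"]),
        "subject": expand(props["oidc.user.subjectFormater"]),
        "preferredUsername": expand(props["oidc.user.preferredUsername"]),
        "mail": expand(props["oidc.user.mail"]),
    }


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    now = 1_700_000_000
    good = make_unsigned_token({"iss": expected_issuer(props), "aud": "CLIENT-ID",
                                "iat": now, "exp": now + 3600,
                                "upn": "alice@example.com", "name": "Alice Example"})
    print(map_user(props, good, now))
    # Same person, but the token was minted by another tenant: must be rejected.
    foreign = make_unsigned_token({"iss": "https://login.microsoftonline.com/OTHER-TENANT/v2.0",
                                   "aud": "CLIENT-ID", "exp": now + 3600,
                                   "upn": "alice@example.com"})
    try:
        map_user(props, foreign, now)
    except ValueError as e:
        print("rejected:", e)
```

Two things worth noticing when running it: the issuer is derived from the configured endpoint, so a valid token from a different Entra tenant is refused even though it names the right client id; and if the app registration does not put a `upn` claim in the ID token, the templates cannot resolve and the example fails rather than quietly creating a user with an empty name.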