I have read a lot of guides but don't find an answer to my question; maybe someone can help.
My privacyIDEA installation is up and running (apache2+mysql).
Now I want to protect an "external web application" by 2FA with privacyIDEA.
So I have configured a new apache2 location with the WSGIAuthUserScript directive pointing to /usr/share/pyshared/privacyidea_apache.py.
<Location /secured>
    ProxyPreserveHost On
    AuthType Basic
    AuthName "Protected Area"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /usr/share/pyshared/privacyidea_apache.py
    Require valid-user
    ProxyPass https://my_protected_webapplication:8443/
    ProxyPassReverse https://my_protected_webapplication:8443/
</Location>
It would be great to realize this now:
- a user browses to /secured with his web browser
- he gets an HTTP basic auth prompt and enters his username@realm and PIN (authentication step 1)
- privacyIDEA checks this and starts the second authentication by email token
- privacyIDEA sends out an OTP token by email
- the user checks his inbox and enters the second PIN (authentication step 2)
- privacyIDEA checks again and, if correct, sends "success" to the apache2 auth_basic module
- apache2 lets the user pass and allows communication to the configured backend application by using ProxyPass (mod_proxy)
This is working so far:
1. success
2. success
3. success
4. success; privacyIDEA sends a token to the user's email address
5. failed
After step 4, the apache2 HTTP basic login prompt appears again in the user's browser (is it possible to redirect to a nice web UI to enter the second email OTP PIN?). If I enter username@realm again with the OTP PIN from the email, the authentication fails.
What do I have to enter in the second step (after the username/password prompt appears again to validate the mail token PIN)?
Is this setup possible in general?
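An added example, not from the post or the privacyIDEA project, showing what state step 5 above needs: an email token is challenge-response, so the OTP from the mail has to be submitted together with the transaction_id returned by the PIN check, while a repeated Basic auth prompt can only send a fresh username/password pair with no such id. The server below is a constructed stand-in for the /validate/check endpoint, and the user, PIN and mailbox are made up.

```python
import secrets

# Constructed stand-in for privacyIDEA's /validate/check endpoint (not the
# real server): result.value reports success, and a challenge-response token
# such as the email token answers the PIN with detail.transaction_id.
# Users, PINs and the "mailbox" below are made up for the demonstration.
class FakePrivacyIdea:
    def __init__(self):
        self.pins = {"alice@realm": "1234"}  # constructed user -> token PIN
        self.open_challenges = {}           # transaction_id -> OTP sent by mail
        self.mailbox = []                   # what the user would find in the inbox

    def validate_check(self, user, passwd, transaction_id=None):
        if transaction_id is None:
            # Step 1: PIN alone -> trigger the challenge and "send" the OTP
            if self.pins.get(user) != passwd:
                return {"result": {"status": True, "value": False}}
            tid = secrets.token_hex(8)
            otp = f"{secrets.randbelow(10**6):06d}"
            self.open_challenges[tid] = otp
            self.mailbox.append(otp)
            return {"result": {"status": True, "value": False},
                    "detail": {"transaction_id": tid,
                               "message": "Enter the OTP from the Email:"}}
        # Step 2: the OTP is only valid against the challenge it belongs to
        ok = self.open_challenges.pop(transaction_id, None) == passwd
        return {"result": {"status": True, "value": ok}}

def stateful_login(server, user, pin):
    """Client that keeps the transaction_id between the two steps."""
    first = server.validate_check(user, pin)
    tid = first.get("detail", {}).get("transaction_id")
    if tid is None:
        return False
    otp = server.mailbox[-1]               # the user reads the mail
    second = server.validate_check(user, otp, transaction_id=tid)
    return second["result"]["value"]

def basic_auth_reprompt_login(server, user, pin):
    """What a repeated HTTP Basic prompt can do: username and OTP only,
    with no transaction_id, because Basic auth carries no state."""
    server.validate_check(user, pin)       # step 1 still triggers the mail
    otp = server.mailbox[-1]
    second = server.validate_check(user, otp)   # looks like a fresh PIN check
    return second["result"]["value"]
```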