I have read a lot of guides but can't find an answer to my question; maybe someone can help.
My privacyIDEA installation is up and running (apache2+mysql).
Now I want to protect an "external web application" by 2FA with privacyIDEA.
So I have configured a new apache2 location with a WSGIAuthUserScript directive pointing to the privacyIDEA script:

    <Location /secured>
        ProxyPreserveHost On
        AuthType Basic
        AuthName "Protected Area"
        AuthBasicProvider wsgi
        WSGIAuthUserScript /usr/share/pyshared/privacyidea_apache.py
        Require valid-user
        ProxyPass https://my_protected_webapplication:8443/
        ProxyPassReverse https://my_protected_webapplication:8443/
    </Location>
It would be great to realize this now:
- a user browses to /secured with his web browser
- he gets an HTTP basic auth prompt and enters his username@realm and PIN (authentication step 1)
- privacyIDEA checks this and starts the second authentication by email token
- privacyIDEA sends out an OTP by email
- the user checks his inbox and enters the second PIN (authentication step 2)
- privacyIDEA checks again and, if correct, sends "success" to the apache2 auth_basic module
- apache2 lets the user pass and allows communication to the configured backend application using ProxyPass (mod_proxy)
This is working so far:
- success; privacyIDEA sends a token to the user's email address
After step 4, the apache2 HTTP basic login prompt appears again in the user's browser (is it possible to redirect to a nice web UI to enter the second email OTP PIN?). If I enter username@realm again with the OTP PIN from the email, the authentication fails.
What do I have to enter in the second step (after the username/password prompt appears again, to validate the mail token PIN)?
Is this setup possible in general?
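As an added example (not the privacyidea_apache.py shipped with privacyIDEA, and not part of this post), here is a mod_wsgi check_password hook that keeps privacyIDEA's transaction_id between the two Basic-auth prompts, so the second entry needs only the e-mailed OTP; the server URL is a placeholder and fake_privacyidea is a constructed stand-in for the /validate/check endpoint so the flow runs offline.

```python
import json
import urllib.parse
import urllib.request

PI_URL = "https://privacyidea.example.invalid"  # placeholder, not a real server

# Open challenges, keyed by user: Basic auth issues a brand-new request for the
# second prompt, so the transaction_id must be kept server-side. A dict is
# per-process only; use a shared store when mod_wsgi runs several daemon processes.
_pending = {}


def http_post(url, data):
    """Real transport: POST form fields to privacyIDEA and decode the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_password(environ, user, password, post=http_post):
    """mod_wsgi WSGIAuthUserScript hook: True lets the request pass, False re-prompts.

    Prompt 1: the user enters the PIN; privacyIDEA answers value=False plus a
    transaction_id and mails the OTP. Prompt 2: the user enters only the OTP,
    which is sent together with the stored transaction_id."""
    data = {"user": user, "pass": password}
    tid = _pending.pop(user, None)
    if tid:
        data["transaction_id"] = tid
    reply = post(PI_URL + "/validate/check", data)
    if reply.get("result", {}).get("value") is True:
        return True
    new_tid = reply.get("detail", {}).get("transaction_id")
    if new_tid:
        _pending[user] = new_tid  # challenge opened, wait for the OTP
    return False


def fake_privacyidea(url, data):
    """Constructed stand-in server: PIN 1234 opens a challenge, OTP 987654 closes it."""
    if data["pass"] == "1234" and "transaction_id" not in data:
        return {"result": {"status": True, "value": False},
                "detail": {"transaction_id": "tx-1", "message": "Enter the OTP from the Email:"}}
    if data.get("transaction_id") == "tx-1" and data["pass"] == "987654":
        return {"result": {"status": True, "value": True}}
    return {"result": {"status": True, "value": False}}


def demo(user="alice@realm1"):
    """Both prompts against the constructed server; returns [step1, step2]."""
    return [check_password({}, user, "1234", fake_privacyidea),
            check_password({}, user, "987654", fake_privacyidea)]
```

Sending the OTP on its own without the stored transaction_id is rejected, which is the same outcome the second prompt produces when no state is carried over from the PIN step.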