3.10. 2FA Helpdesk
This section provides an overview of the 2FA Helpdesk component in Nubus for Kubernetes. It describes the following components in detail:
Fig. 3.46 shows the 2FA Helpdesk components and their relationships to each other and to other functional components in Nubus. The upcoming sections add the behavior level for each of the components.
Fig. 3.46 ArchiMate view for 2FA Helpdesk component
See also
- 2FA Helpdesk in Univention Nubus for Kubernetes - Operation Manual [1] for information for operators about how to configure 2FA Helpdesk.
In Univention Nubus - Nubus Manual [7]:
- 2FA Administrator Helpdesk for information for functional administrators about how to use the 2FA Administrator Helpdesk.
- 2FA Self-Service for information for end users about how to use the 2FA Self Service.
3.10.1. 2FA Helpdesk Frontend
Fig. 3.47 shows the 2FA Helpdesk Frontend and the behavior of its parts. It has the following main components:
- 2FA Self Service
The 2FA Self Service is the frontend for end users that allows them to reset their personal 2FA token.
- 2FA Administrator Helpdesk
The 2FA Administrator Helpdesk is the frontend for functional administrators. It allows them to reset the 2FA token on behalf of end users to restore access for them.
Both frontend components run in the user's web browser. They have in common that they serve the UI elements for the 2FA Helpdesk and run the frontend as a single-page application.
Depending on who the requesting user is, they see either only the portal tile for the 2FA Self Service, or additionally the portal tile for the 2FA Administrator Helpdesk. The container image with the 2FA Helpdesk Frontend delivers the static files, such as CSS, JavaScript, and HTML.
Fig. 3.47 ArchiMate view for 2FA Helpdesk Frontend component
3.10.2. 2FA Helpdesk Backend
Fig. 3.48 shows the 2FA Helpdesk Backend and the behavior of its parts. The backend server's HTTP endpoints validate the role of the requesting user and trigger a reset of a 2FA token. To reset a token, the 2FA Helpdesk Backend sends an appropriate request to Keycloak in the Identity Provider. Keycloak resets the token and, upon the next sign-in, asks the user to set up a new 2FA token.
For authentication with Keycloak, the 2FA Helpdesk Backend uses OpenID Connect.
The 2FA Helpdesk Backend has no data persistence. It requests all information about users and 2FA tokens from Keycloak.
Fig. 3.48 ArchiMate view for 2FA Helpdesk Backend component
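The role check and stateless reset described in this section, sketched as an added example that is not Nubus code. The role name, realm name, ID pattern, and the mapping of a reset to deleting the user's `otp` credentials through the Keycloak Admin REST API are assumptions, and the token claims are assumed to be already verified.

```python
import re
from dataclasses import dataclass

ADMIN_ROLE = "2fa-helpdesk-admin"          # hypothetical role name, not from Nubus
REALM = "example-realm"                    # placeholder realm name
ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")  # assumed ID shape; blocks path tricks


class Forbidden(Exception):
    """Raised when the requester may not reset the target's 2FA token."""


@dataclass(frozen=True)
class KeycloakCall:
    method: str
    path: str


def authorize_reset(claims: dict, target_user_id: str) -> str:
    """Return 'self' or 'admin' for an allowed reset, else raise Forbidden.

    Assumes the token's signature, issuer, audience and expiry were verified.
    """
    subject = claims.get("sub")
    if not subject or not ID_RE.fullmatch(target_user_id or ""):
        raise Forbidden("missing subject or malformed target id")
    if subject == target_user_id:
        return "self"                      # 2FA Self Service path
    roles = (claims.get("realm_access") or {}).get("roles") or []
    if ADMIN_ROLE in roles:
        return "admin"                     # 2FA Administrator Helpdesk path
    raise Forbidden("role check failed")   # deny by default


def plan_reset(claims: dict, target_user_id: str, credentials: list) -> list:
    """Authorize, then list the Admin REST calls that drop OTP credentials.
    `credentials` is what Keycloak returned for the user; nothing is stored."""
    authorize_reset(claims, target_user_id)
    base = f"/admin/realms/{REALM}/users/{target_user_id}/credentials"
    return [KeycloakCall("DELETE", f"{base}/{c['id']}")
            for c in credentials if c.get("type") == "otp"]


# Constructed sample data, not real tokens or credentials.
CREDS = [{"id": "c-1", "type": "password"}, {"id": "c-2", "type": "otp"}]
USER = {"sub": "u-alice", "realm_access": {"roles": ["default-roles"]}}
ADMIN = {"sub": "u-helpdesk", "realm_access": {"roles": [ADMIN_ROLE]}}

if __name__ == "__main__":
    print(plan_reset(USER, "u-alice", CREDS))   # self-service reset
    print(plan_reset(ADMIN, "u-alice", CREDS))  # reset on behalf of a user
```

The check runs before any request path is built, so a requester without the role and a malformed target ID are both rejected without contacting Keycloak.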