6.12. 2FA Helpdesk
New in version 1.12.0: 2FA Helpdesk is an application included in Nubus for Kubernetes since version 1.12.0.
2FA stands for two-factor authentication. This page assumes that you, as the reader, are familiar with the term.
This page is for operators and describes how to configure administrative groups and optional customization. It doesn’t cover how to use the 2FA Helpdesk management module. For information about the 2FA Helpdesk management module, refer to 2FA Administrator Helpdesk in Univention Nubus - Nubus Manual [5].
The 2FA Helpdesk application provides the following separate components:
- the 2FA Administrator Helpdesk for functional administrators
- the 2FA Helpdesk Self-Service for end users
By default, Nubus for Kubernetes has only the 2FA Administrator Helpdesk activated.
During initial deployment or upgrade of Nubus for Kubernetes, operators can define user groups as functional administrators for the 2FA Helpdesk through Helm Chart values in the values file. Functional administrators can reset two-factor authentication for any user in the domain. Additionally, operators can activate the 2FA Helpdesk Self-Service so that users can reset their own two-factor credentials. For information about the 2FA Helpdesk Self-Service, refer to 2FA Self-Service in Univention Nubus - Nubus Manual [5].
The application consists of a frontend, a backend, and an extension container.
- Frontend
The frontend uses single sign-on through OpenID Connect to authenticate with the backend. The frontend uses the same theme as your Nubus deployment.
- Backend
The backend reads the user's groups and user ID from the token and checks them against the list of allowed user groups. Only if that check passes does it use its own Keycloak connection to reset credentials when a reset is requested.
- Extension container
Nubus for Kubernetes uses the 2FA Helpdesk extension container to create and configure the tiles in the Univention Portal and their visibility.
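To make the division of labour between the two components concrete, the following added example models the authorization decision the backend has to take: a caller whose token groups intersect the configured twofa_admin_groups may reset any user, a caller without such a group may reset only their own credentials, and only when the Self-Service is enabled. This is illustrative code written for this page, not the project's backend; the claim names "sub" and "groups", the request shape and the sample tokens are assumptions, and the token is assumed to have been validated (signature, expiry) by the OpenID Connect layer beforehand.

```python
"""Illustrative model of the 2FA Helpdesk backend's authorization decision.
Added example for this page, not the project's code: the claim names "sub"
and "groups" and the request shape are assumptions; the token is assumed to
be already validated (signature, expiry) by the OpenID Connect layer."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ResetRequest:
    """A request to reset the second factor of `target_user_id`,
    made by the user whose (validated) token claims are `caller_claims`."""
    caller_claims: dict
    target_user_id: str


def is_functional_admin(claims: dict, admin_groups: list[str]) -> bool:
    """True if one of the caller's token groups is in the configured
    twofa_admin_groups list. The list holds plain group names, so this is an
    exact string comparison; a missing or malformed groups claim means no."""
    token_groups = claims.get("groups", [])  # claim name is an assumption
    if not isinstance(token_groups, list):
        return False
    allowed = set(admin_groups)
    return any(group in allowed for group in token_groups)


def authorize_reset(req: ResetRequest, admin_groups: list[str],
                    self_service_enabled: bool) -> tuple[bool, str]:
    """Deny-by-default decision; returns (allowed, reason) for logging."""
    caller = req.caller_claims.get("sub")  # claim name is an assumption
    if not caller:
        return False, "token carries no user id"
    if is_functional_admin(req.caller_claims, admin_groups):
        return True, "functional administrator"
    if caller == req.target_user_id:
        if self_service_enabled:
            return True, "self-service: caller resets own credentials"
        return False, "self-service is disabled"
    return False, "caller is not in any allowed group"


# Constructed sample data (not real tokens or group names from a deployment).
ADMIN_GROUPS = ["Domain Admins", "twofa-admins-custom_1"]
ADMIN_TOKEN = {"sub": "alice", "groups": ["Domain Users", "twofa-admins-custom_1"]}
USER_TOKEN = {"sub": "bob", "groups": ["Domain Users"]}

if __name__ == "__main__":
    cases = [
        (ResetRequest(ADMIN_TOKEN, "bob"), False),   # admin resets another user
        (ResetRequest(USER_TOKEN, "bob"), False),    # self-service switched off
        (ResetRequest(USER_TOKEN, "bob"), True),     # self-service switched on
        (ResetRequest(USER_TOKEN, "alice"), True),   # plain user, other user
    ]
    for req, self_service in cases:
        print(req.caller_claims["sub"], "->", req.target_user_id,
              authorize_reset(req, ADMIN_GROUPS, self_service))
```

The two configuration knobs described later on this page map onto the two parameters of authorize_reset: the group list comes from the backend's twofa_admin_groups value, and the self-service switch from the frontend's enableSelfService value.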
6.12.1. Group administration
You can set the functional administrators for the 2FA Helpdesk through the Helm Chart value nubusTwofaHelpdesk.twofaHelpdeskBackend.config.twofa_admin_groups. The value takes a list of group names. The default value is [ "Domain Admins" ].
The user groups don't have to exist at the time of deployment.
These settings only grant the reset permission in the backend; they neither add tiles to the portal nor make tiles visible to the configured groups. For that, see Configure the extension.
Listing 6.33 shows an example for your custom values file.
nubusTwofaHelpdesk:
  twofaHelpdeskBackend:
    config:
      twofa_admin_groups:
        - twofa-admins-custom_1
        - twofa-admins-custom_2
6.12.2. Configure the extension
By default, Nubus for Kubernetes has the correct configuration for the 2FA Helpdesk. However, you can customize the extension using the UDM data loader.
To customize the extension, you need to extend the nubusStackDataUms section through Helm Chart custom values, not the values for nubusTwofaHelpdesk. Listing 6.34 shows an example.
The extension offers the following customization of the template context:
portalTwoFaAllowedGroups
  List the user groups that see the tile for the 2FA Helpdesk on the Univention Portal. The list takes plain group names only, not group paths.
portalTwoFaLinkBase
  The same value as in nubusTwofaHelpdesk.nubusBaseUrl. The default value is portal.global.domain, where global.domain is the Helm Chart value global.domain. For example, portal.example.com.
twofaSelfServiceActivated
  To enable the portal tile for the 2FA Self-Service in the Portal, set the value to true. The default value is false.
twofaAdminHelpdeskActivated
  To enable the portal tile for the 2FA Administrator Helpdesk in the Portal, set the value to true. The default value is true.
twofaAdminTileCategory
  The portal category for the 2FA Helpdesk tile in the Univention Portal.
twofaSelfserviceTileCategory
  The portal category for the end user self-service tile in the Univention Portal.
nubusStackDataUms:
  templateContext:
    portalTwoFaAllowedGroups:
      - twofa-admins-custom_1
      - twofa-admins-custom_2
    portalTwoFaLinkBase: portal.example.com
    twofaSelfServiceActivated: true
    twofaAdminHelpdeskActivated: true
    twofaAdminTileCategory: "your-admin-category"
    twofaSelfserviceTileCategory: "your-user-category"
See also
In Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [6]:
- UDM data loader, for more information about customizing through the UDM data loader.
- Template variables in the data loader, for more information about the template context.
6.12.3. Frontend configuration
You can configure individual components of the 2FA Helpdesk frontend through the Helm Chart values in your custom values file. The settings work independently of the template context variables that control tile visibility in the portal. For the template context, see Configure the extension.
To enable the 2FA Self-Service, set nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.enableSelfService to true. The default value is false.
To deactivate the 2FA Administrator Helpdesk, set nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.enableAdminHelpdesk to false. The default value is true.
Listing 6.35 shows an example for your custom values file.
nubusTwofaHelpdesk:
  twofaHelpdeskFrontend:
    config:
      enableSelfService: true
      enableAdminHelpdesk: true
6.12.4. TLS configuration
The 2FA Helpdesk uses TLS to protect the communication with end users. If you use the default Nubus for Kubernetes installation without any externally created TLS secrets, you don't need to configure anything, because the Nubus for Kubernetes installation takes care of it.
If you use custom TLS secrets certificates for your Nubus for Kubernetes installation, you need to set the correct secret using custom values, as shown in Listing 6.36.
nubusTwofaHelpdesk: &nubusTwofaHelpdesk
  ingress:
    tls:
      secretName: your-tls-secret-name
Note
Kubernetes doesn't generate the TLS secret for the 2FA Helpdesk automatically if you define nubusTwofaHelpdesk.ingress.tls.secretName.
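Because the settings in sections 6.12.1 to 6.12.4 live in two different parts of the values file (nubusTwofaHelpdesk and nubusStackDataUms) and are applied independently, a custom values file can easily grant reset rights to a group that never sees the tile, or show a Self-Service tile while the frontend has it disabled. The following added example, written for this page and not part of the Nubus project, checks a values file for exactly those mismatches. The value paths and defaults are the ones documented in this section; the checks themselves, the dig/load_values helpers and the sample values are this example's own.

```python
"""Added example, not part of the Nubus project: a consistency check over a
custom Helm values file for the 2FA Helpdesk. Value paths and defaults are
the documented ones; the checks are this example's reading of the page:
reset rights (backend) and tile visibility (portal) are two separate group
lists, each frontend enable flag has a matching portal tile flag,
portalTwoFaLinkBase must match nubusBaseUrl, and a custom ingress TLS
secret is not generated by the chart."""

from typing import Any

# Defaults as documented on this page.
DEFAULT_ADMIN_GROUPS = ["Domain Admins"]
FLAG_PAIRS = [  # (frontend flag, its default, portal tile flag, its default)
    ("nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.enableSelfService", False,
     "nubusStackDataUms.templateContext.twofaSelfServiceActivated", False),
    ("nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.enableAdminHelpdesk", True,
     "nubusStackDataUms.templateContext.twofaAdminHelpdeskActivated", True),
]


def dig(values: dict, path: str, default: Any = None) -> Any:
    """Return the value at dotted `path` in nested dicts, or `default` if absent."""
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_twofa_values(values: dict) -> list[str]:
    """Return findings in a stable order; an empty list means nothing to report."""
    findings: list[str] = []
    admin_path = "nubusTwofaHelpdesk.twofaHelpdeskBackend.config.twofa_admin_groups"
    tile_path = "nubusStackDataUms.templateContext.portalTwoFaAllowedGroups"
    admin_groups = dig(values, admin_path)
    tile_groups = dig(values, tile_path)

    # Granting reset rights does not show the tile, and vice versa.
    if admin_groups is not None and tile_groups is None:
        findings.append(f"{admin_path} is customized but {tile_path} is not; "
                        "the tile keeps the chart default")
    if tile_groups is not None:
        effective_admins = admin_groups if admin_groups is not None else DEFAULT_ADMIN_GROUPS
        for g in sorted(set(tile_groups) - set(effective_admins)):
            findings.append(f"group {g!r} sees the admin tile but cannot reset 2FA "
                            "(not in twofa_admin_groups)")
        for g in sorted(set(effective_admins) - set(tile_groups)):
            findings.append(f"group {g!r} can reset 2FA but does not see the admin tile")
    for g in (admin_groups or []) + (tile_groups or []):
        if "/" in g or g.lower().startswith("cn="):  # values expect plain names
            findings.append(f"group {g!r} looks like a path or DN; use the plain group name")

    # Each frontend feature flag should agree with its portal tile flag.
    for fe_path, fe_default, pt_path, pt_default in FLAG_PAIRS:
        fe, pt = dig(values, fe_path, fe_default), dig(values, pt_path, pt_default)
        if fe != pt:
            findings.append(f"{fe_path}={fe} but {pt_path}={pt}")

    # The tile link must point at the frontend's own base URL.
    base_url = dig(values, "nubusTwofaHelpdesk.nubusBaseUrl")
    link_base = dig(values, "nubusStackDataUms.templateContext.portalTwoFaLinkBase")
    if base_url is not None and link_base is not None and base_url != link_base:
        findings.append(f"portalTwoFaLinkBase={link_base!r} differs from nubusBaseUrl={base_url!r}")

    # The chart does not create a custom TLS secret for you.
    secret = dig(values, "nubusTwofaHelpdesk.ingress.tls.secretName")
    if secret:
        findings.append(f"ingress.tls.secretName={secret!r} must exist in the namespace "
                        "before install; the chart does not generate it")
    return findings


def load_values(path: str) -> dict:
    """Load a values file with PyYAML (imported lazily so the rest runs without it)."""
    import yaml  # third-party; only needed for real files
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample values: a plausible misconfiguration, not a real deployment.
SAMPLE_VALUES = {
    "nubusTwofaHelpdesk": {
        "twofaHelpdeskBackend": {"config": {"twofa_admin_groups": [
            "twofa-admins-custom_1", "twofa-admins-custom_2"]}},
        "twofaHelpdeskFrontend": {"config": {"enableSelfService": True}},
        "ingress": {"tls": {"secretName": "your-tls-secret-name"}},
    },
    "nubusStackDataUms": {"templateContext": {
        "portalTwoFaAllowedGroups": ["twofa-admins-custom_1"]}},
}

if __name__ == "__main__":
    for line in check_twofa_values(SAMPLE_VALUES):
        print("-", line)
```

On the sample values the check reports three findings: twofa-admins-custom_2 can reset 2FA but gets no tile, enableSelfService is true while twofaSelfServiceActivated is still at its default false, and the custom TLS secret has to be created beforehand. Run it against a real file with check_twofa_values(load_values("custom-values.yaml")) before helm upgrade; a group list that was only customized on one side is the finding to look for first.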
6.12.5. Additional configuration
For a complete reference of the Helm Chart values of the 2FA Helpdesk application, see the Helm Chart reference for nubusTwofaHelpdesk.