2FA sync via Cloudron Connector not working
-
Hi - It seems that we are facing a recent issue with regards to 2FA in a setup where one cloudron server is used as the identity provider and other cloudron servers sync with this IDP cloudron server.
Similar to here, please consider the following setup:
In case of 2 Cloudron servers connecting user directories, the docs tell us:
The Cloudron connector is the only one that supports 2FA. If the user has 2FA setup in the Cloudron LDAP Server, then 2FA is required to login
So in practice, in the setup:
- Cloudron Server A (CSA) is the one owning the user directory. CSA has 2FA enabled / requires users to set up 2FA.
- Cloudron Server B (CSB) user directory is connected with CSA via the "Cloudron connector" (External Directory connection provided by Cloudron)
Until recently, when logging on to the CSB server, a "synced-user" was prompted for username, password and then 2FA.
Recently (unfortunately, I am not able to pinpoint when exactly this started) however, synced-users are only asked for username and password and not 2FA anymore.
It currently seems that the Cloudron connector does not support 2FA anymore.
Is there anything I should look into to make sure that the "2FA sync" when using the cloudron connector works again?
-
In troubleshooting the following https://forum.cloudron.io/topic/15562/2fa-sync-via-cloudron-connector-not-working?_=1780301632476 last week:
- I enabled local 2FA on the "child" cloudron server (CSB)
- I attempted to login on CSB using a synced user.
- This leads CSB to ask to register for MFA (and in that instance create a passkey)
Having completed the test (and seeing that the "synced user" did not carry the 2FA from the parent Cloudron server - CSA - but rather was forced to create a new 2FA/passkey for the synced user), I then turned off the enabling/enforcing of 2FA on CSB.
Right now, when this synced user (from CSA) attempts to log into CSB, username / password works fine. However, he is prompted to use a passkey which only exists on CSB and which does not correspond to his MFA/passkey from CSA.
Because it is a synced user ("synced from the external LDAP directory") there is also no option to reset his local MFA/passkey.
Not too sure how to proceed from here. Any suggestions?
-
Teiluj referenced this topic
-
Hello @teiluj
I have merged the topics together since this will be related.
Interesting, indeed.
Since passkeys are bound to the domain, how a Cloudron doing auth over another Cloudron should handle that is something we have to look into.
Thank you very much for working on this and giving us more insights.
-
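To illustrate the point about passkeys being bound to the domain, here is an added example (not Cloudron's code and not part of the original post): WebAuthn authenticator data starts with SHA-256 of the relying-party ID, so a passkey registered against one Cloudron's hostname fails verification on another. The hostnames and authenticator data below are constructed sample values.

```python
"""Toy relying-party check showing why a passkey cannot be "synced" between
two Cloudron hosts: the credential is bound to the rpId at registration.
Hostnames below are constructed placeholders, not real Cloudron servers."""
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def build_authenticator_data(rp_id: str, sign_count: int,
                             flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """Mimic the first 37 bytes an authenticator returns in an assertion:
    rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("ascii")).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def check_rp_binding(auth_data: bytes, expected_rp_id: str) -> tuple[bool, str]:
    """Relying-party side checks from the WebAuthn assertion procedure that
    matter here: the rpIdHash must match the server's own rpId and the user
    presence flag must be set. Returns (ok, reason)."""
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    expected_hash = hashlib.sha256(expected_rp_id.encode("ascii")).digest()
    if rp_id_hash != expected_hash:
        # This is what happens when a passkey created for CSA's domain is
        # presented to CSB: the hash is for a different relying party.
        return False, "rpIdHash does not match this server's rpId"
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    return True, "ok"


def counter_is_fresh(auth_data: bytes, stored_count: int) -> bool:
    """Signature counter check: a counter that did not advance (and is not the
    'unsupported' 0/0 case) indicates a cloned or replayed authenticator."""
    new_count = struct.unpack(">I", auth_data[33:37])[0]
    if new_count == 0 and stored_count == 0:
        return True
    return new_count > stored_count


if __name__ == "__main__":
    # Passkey registered on the "parent" Cloudron (constructed hostname).
    assertion = build_authenticator_data("csa.example.org", sign_count=5)
    print("same host :", check_rp_binding(assertion, "csa.example.org"))
    print("other host:", check_rp_binding(assertion, "csb.example.net"))
```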
@teiluj thanks for the great report. I have fixed this now. Unfortunately, it's a series of changes, so it cannot be applied easily. The fix will be part of the next Cloudron release.
-
girish has marked this topic as solved