Hi there TL Team,
Just a quick question, would “basic authentications” be something possible onto the TL Web Access part? I’m asking this because I’ve got a TL fronting reverse proxy which does all the authentications/2FA ahead of any services and that proxy would be able to “delegate” these auths towards any backend hosts.
Although these delegations would work using basic authentication.
Let me know,
Kind regards,
m.
Hello @mokaz
No, I’m afraid not. Authentication of users in ThinLinc is performed using PAM of the system. The only authentication methods that are supported in web access are password and OTP.
If I understand your use-case correctly, you have a centralized point where all authentication are performed (the proxy) and would all backend services to delegate the authentication step to this proxy instead?
Out of curiosity, what type of stack do you have set up for the authentication part?
Kind regards,
Martin
Hey Martin,
Yes, the WAF/Reverse Proxy would serve as an auth point (plus RADIUS challenges for 2FA’s etc).
Once the “proxy” based auths are done, the proxy can “delegate” the known “username/passwords” towards the backend services. There is a “FORM based delegation” which shall be able to interact with the TL web form but humm, tried all I thought made sense and couldn’t make that work, the username is always applied although not the password…
Okay, easy, let me seek further, I’ll probably find something eventually =)
Thanks,
Cheers,
m.
@mokaz out of interest: would something like SAML or OpenID support be useful in this context? We don’t support this currently but it could in theory be used as a mechanism for token-based authentication in the way you describe.
Hi Aaron,
Yes SAML would be great, my reverse proxy would support that as well as the authentication system/IdP (which the proxy interfaces for auths anyways) – The issue I’m seeing with SAML is that per definition DNS schemes must be in place, which is usually not an issue on steady environments but might be on demo labs where the public facing fqdn isn’t know before a proper launch…
In any cases, SAML is IMPOV a great feature yes. I’m less or well, not at all knowledgeable onto OpenID I’m afraid.
Let me know,
Kind regards,
m.
Thanks @mokaz. We don’t have any plans to implement SAML or OpenID support at present, but it is something we are discussing in the context of third-party identity providers. Appreciate the input.