Add Okta SSO and Duo 2FA to support.mozilla.org/admin

RESOLVED FIXED

Status

Infrastructure & Operations Graveyard
WebOps: Engagement
2 years ago
2 years ago

People

(Reporter: giorgos, Assigned: w0ts0n)

Tracking

(Blocks: 1 bug, {sec-moderate, wsec-authentication})

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3009] )

(Reporter)

Description

2 years ago
Please place 

 - https://support.mozilla.org/admin

behind LDAP basic auth.

Updated

2 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3009]
Are you sure? I see it redirect to the normal login page.

There seems to be a functional redirect bug; I counted four in loading the page, with the ultimate URL of the loaded page settling at

https://support.mozilla.org/en-US/users/auth?next=/admin/login/?next=/admin/

(I URL-decoded it)

I couldn't reach a Django login page.
Flags: needinfo?(amuntner)
(Reporter)

Comment 2

2 years ago
Yes, /admin should be behind LDAP. Django's Admin and support share the same login page, thus the redirect.
Giorgos, 

We have an ongoing project to eliminate basic auth / ldap everywhere.  

There is a new draft standard (it will be approved shortly) explaining how this should be configured: 

https://mana.mozilla.org/wiki/display/POLICIES/Website+User+Authentication+Standard

Is it possible for the Admin interface to not be web accessible to the Internet at all? That is most preferable. 

Please needinfo: me if you need any help, thank you
Flags: needinfo?(amuntner)
Keywords: sec-moderate, wsec-authentication
Summary: Add LDAP Basic Auth to support.mozilla.org/admin → Add Okta SSO and Duo 2FA to support.mozilla.org/admin
(Reporter)

Comment 4

2 years ago
Allowing /admin only over VPN is acceptable. Is this something that WebOps would take care of?

Please note that SUMO is in maintenance mode and it's strongly advised that we touch as little code as possible, so implementing a solution on the server level is preferred.
Flags: needinfo?(amuntner)

Updated

2 years ago
Blocks: 1270363

Updated

2 years ago
Assignee: server-ops-webops → rwatson
can you cc me to 1270363 please?
Flags: needinfo?(amuntner) → needinfo?(smani)
(In reply to Adam Muntner [:adamm] (use NEEDINFO) from comment #5)
> can you cc me to 1270363 please?

Done.
Flags: needinfo?(smani)
(Assignee)

Comment 7

2 years ago
I've enabled this at: 
https://support.allizom.org/admin

I will do support.mozilla.org/admin on Monday. Going to wait for :giorgos to come back from PTO and file a CAB request today.
(Assignee)

Updated

2 years ago
Depends on: 1282421
(Assignee)

Comment 8

2 years ago
All done here!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard