IAIK-2FA

Introduction

We are introducing two-factor authentication for all internet-facing services at IAIK, due to new guidelines issued by TU-Graz rectorate.

All IAIK service are structured into three service zones.

Depending on the zone, a separate IdP is used to handle authentication from now on. Different IdPs are used because of licensing constraints.

  • Employees: uses Microsoft Hybrid Modern Authentication via Azure.
  • Studentnet: uses Gluu with SuperGluu (Push-Services)
  • Teaching: uses TeachingGit-Gitlab’s integrated IdP.
    • We expect all practical course systems to authenticate against Gitlab.
      • If you are responsible for a testing-system, which allows student login, get in touch with us ASAP.

Not all of you are using all of those zones. Please read the list of affected service carefully, to keep or regain access to the services you use.

Timeline

The timeline is very short, since we already got a very short timeline from ZID, our work-power is limited and the complextiy is not that simple. Therefore we are sorry, if this is going to be a little rough.

Expect service downtimes in the next few days. We are migrating services one-by-one, during work-hours!

  • 27.02.2023, Monday: Enrollment starts. (also service changes implementations start on our side).
    • Enroll now! See enrollment infos at the end of this page.
    • We are starting to send out Studentnet 2FA-tokens at 10:00 am.
  • 28.02.2023, Tuesday: Implementations go on.
  • 01.03.2023, Wednesday: All internet-facing services, across all zones are now actively enforcing 2FA.

We designed the process in a way, that prevents lock-outs.

  • Once we migrated a service, it stops working for a non-2FA enabled account.
  • You can enroll your 2FA token anytime. Even after 2FA has been already enabled for a certain service or even an entire zone.
  • There is no way of being locked out. Services start working again, once you complete the self-enrollment process for the affected zone.
  • If you enroll now, even before we have migrated a service, this does not affect your account in any way. Feel free to enroll any time. There is no time-limit. You just can’t use the services until you complete enrollment.

Employees (Intranet)

Internal IT services used by IAIK.
Most internal services are only available via Intranet or VPN access. Therefore only a few services primarly used by employees are affected by 2FA-changes.

  • Exchange / OWA-Webmail
  • FortiClient VPN
  • Seafile
  • WordPress Websites

Exchange / OWA-Webmail

  • IMAP/SMTP are not 2FA compatible. IMAP/SMTP are going to be blocked from the internet.
    • Those protocols are being blocked from direct access from the internet.
    • They will still work for a brief time internally, please migrate soon.
      • Internally meaning: IAIK or TUGNET networks.
    • We recommend you migrate to a ActiveSync/MAPI compatible connection:
      • Outlook (Windows/Mac): nothing to do. Still works over the internet.
      • Thunderbird: migrate to the Owl addon. Using Owl you will be able to connect directly from the internet.
      • Evolution: use the “Microsoft Exchange” connection type.
      • Mobiles (Android/iOS):
        • via ActiveSync/Exchange:  nothing to do. Still works over the internet.
        • via IMAP/SMTP: migrate to an “ActiveSync/Exchange” connection type, to keep access from the internet.
      • OWA-Webmail: noting to do. Still works over the internet.
  • Microsoft Hybrid Modern Authentication is being used for ActiveSync/MAPI and OWA-based connections from now on. You have to enroll a second-factor, to keep using those services.

FortiClient VPN

The service is going to be migrated to SAML via Hybrid Modern Authentication. Once the migration is complete, we replace your current VPN profile automatically with a SAML-enabled version. Your client updates those profiles every 60 seconds, when you are connected to the internet.

This is going to be fully automated. The only change for you is, that you will see a Microsoft Hybrid Modern Authentication login prompt on your next connection attempt.

Seafile

Seafile is going to be migrated to SAML via Hybrid Modern Authentication. Once the migration is complete, just complete your login at the new login prompt.

WordPress Websites

We did not have the time yet, to look into adding multiple SAML providers to WordPress. Therefore this is not going to be as smooth as the rest of the services.
To avoid blocking access to login functionality, we are enabling the 2FA feature of our WordPress web-application-firewall- Wordfence.

It is going to ask you for enrollment on your next login (once we activated the feature, on a certain site). Just enroll a OTP-token with your favourite OTP app. Once this has been completed there is nothing else to do.
This also affects students logging into IAIK-websites WordPress to edit course materials.

Later we are going to replace WordPress login prompts with combinations of the following IdPs:

  • Hybrid Modern Authentication
  • Gluu

Once this has been done, we are disabling Worfence 2FA again.

Studentnet

These services are used by employees, students and collaborators. This zone is our shared-resources zone.

Important – SSH and RDP logins require enrollment of a SuperGluu push-device.

This zone is special. The Gluu IdP used in this zone is open-source and has it’s rough edges.
To make this transition smoother, we have decided to pre-enroll a OTP-token for every active account. The pre-enrolled token is going to be sent via e-mail to all account owners (on 27.02.2023 – 10:00am).
The e-mail includes detailed instructions on how to enroll your devices, with a clear recommendation to delete our pre-enrolled token afterwards.

We are aware of the security implications of pre-enrollment, there is just no easier way for all users to retain access.

Affected services:

  • ExtGit Gitlab
  • Mattermost
  • HPC-Cluster
  • servitus login

ExtGit Gitlab

ExtGit is going the be migrated to SAML via Gluu. Once the migration is complete, just complete your login at the new login prompt. Existing Studentnet credentials are still valid.

Mattermost

Mattermost is going the be migrated to SAML via Gluu. Once the migration is complete, just complete your login at the new login prompt. Existing Studentnet credentials are still valid.

HPC-Cluster

To keep the SSH and RDP login public available, we have to enforce 2FA on every login.
Since we cannot use 2FA directly in the login-process, we have to use a second-channel. The only way of achieving this, is to enroll a SuperGluu push-notification device.

Once the service has been migrated, users without enrolled SuperGluu device will just fail at login.

servitus login

To keep the SSH and RDP login public available, we have to enforce 2FA on every login.
Since we cannot use 2FA directly in the login-process, we have to use a second-channel. The only way of achieving this, is to enroll a SuperGluu push-notification device.

Once the service has been migrated, users without enrolled SuperGluu device will just fail at login.

Teaching

These services are used by students only. All accounts in this zone are teaching/course related. Since we already have an account for every student at TeachingGit, we are going to facilitate TeachingGit as IdP for this zone.

If you provide a test-system or any other teaching-related service to your students, which requires login, we have changed the way it authenticates. Please contact us ASAP to talk about binding your service to Gitlab’s integrated IdP.

Affected services: (as far as we know)

  • TeachingGit

TeachingGit

Account creation is handled as always. You send us a CSV formatted list. We are going to create the accounts and assign repositories.

Once we enable 2FA at TeachingGit, at first login, the system requires the user to enroll a second-factor.
When completed, the user is able to continue to use TeachingGit.

Some goes for testing-systems, which are going to use TeachingGit’s IdP in the future.

Enrollment Information

Please follow these links to the zones, to start enrolling your 2FA now!