Diffstat (limited to 'doc/book-enea-edge-getting-started')
-rw-r--r-- doc/book-enea-edge-getting-started/doc/security.xml 75
1 files changed, 32 insertions, 43 deletions
diff --git a/doc/book-enea-edge-getting-started/doc/security.xml b/doc/book-enea-edge-getting-started/doc/security.xml
index 0812a2f..c98014a 100644
--- a/doc/book-enea-edge-getting-started/doc/security.xml
+++ b/doc/book-enea-edge-getting-started/doc/security.xml
@@ -16,9 +16,9 @@
16 16
17 <note> 17 <note>
18 <para>Configuring MFA will only be possible using the Web interface, and 18 <para>Configuring MFA will only be possible using the Web interface, and
19 not the REST API. Users with MFA enabled will not be able to log 19 not the REST API. Users with MFA enabled will not be able to log in
20 in through the REST API. If attempted, a <literal>401</literal> HTTP 20 through the REST API. If attempted, a <literal>401</literal> HTTP code
21 code will be returned, with the <literal>EMS-Error</literal> header 21 will be returned, with the <literal>EMS-Error</literal> header
22 containing the <literal>EMS_UserMFAEnabled</literal> error.</para> 22 containing the <literal>EMS_UserMFAEnabled</literal> error.</para>
23 </note> 23 </note>
24 24
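Review bot: this hunk re-wraps the note text without changing its wording, so nothing to flag in the content itself; the behaviour it documents (a 401 response with the EMS-Error header set to EMS_UserMFAEnabled for an MFA-enabled user on the REST API) reads the same before and after. One documentation gap this edit could close while it is touching the note: the note tells readers that MFA-enabled users cannot log in through the REST API, but not what the supported path for API access is for such a deployment, which is the first question an operator enabling MFA will ask. A sentence pointing to the intended approach, or to the section that covers it, would make the restriction actionable.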
@@ -26,23 +26,19 @@
26 <title>Configuring User MFA</title> 26 <title>Configuring User MFA</title>
27 27
28 <para>The administrator must enable MFA authentication for the desired 28 <para>The administrator must enable MFA authentication for the desired
29 new user by:</para> 29 new user:</para>
30 30
31 <orderedlist> 31 <orderedlist>
32 <listitem> 32 <listitem>
33 <para>Accessing the <emphasis role="bold">Security</emphasis> 33 <para>Access the <emphasis role="bold">Security</emphasis> tab and
34 tab.</para> 34 choose the <emphasis role="bold">Configuration</emphasis>
35 </listitem>
36
37 <listitem>
38 <para>Accessing the <emphasis role="bold">Configuration</emphasis>
39 menu.</para> 35 menu.</para>
40 </listitem> 36 </listitem>
41 37
42 <listitem> 38 <listitem>
43 <para>Selecting the <emphasis role="bold">Add</emphasis> option, 39 <para>Select the <emphasis role="bold">Add</emphasis> option, enter
44 entering the details for the new user and then enabling the 40 the details for the new user and enable the <emphasis
45 <emphasis role="bold">Enable MFA Login</emphasis> checkbox.</para> 41 role="bold">Enable MFA Login</emphasis> checkbox.</para>
46 </listitem> 42 </listitem>
47 </orderedlist> 43 </orderedlist>
48 44
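Review bot: small wording point in the lead-in sentence, lines 28-29 on the new side: "enable MFA authentication" expands to "enable multi-factor authentication authentication"; "The administrator must enable MFA for the desired new user:" reads cleaner. The merge of the former "Access the Security tab" and "Access the Configuration menu" steps into one list item and the switch to imperative mood ("Access", "Select", "enter", "enable") are improvements and match the procedure restated in the note at the end of the file, so no concern there.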
@@ -53,30 +49,27 @@
53 be asked to configure a new shared secret. For more details on how to 49 be asked to configure a new shared secret. For more details on how to
54 configure a new shared secret, please see the following section.</para> 50 configure a new shared secret, please see the following section.</para>
55 51
56 <note> 52 <para>All MFA information for enabled users will be preserved upon
57 <para>All MFA information for enabled users will be preserved upon 53 upgrading or restoring the Enea Edge Management application.</para>
58 upgrading the Enea Edge Management application.</para>
59 </note>
60 </section> 54 </section>
61 55
62 <section id="security_authentication"> 56 <section id="security_authentication">
63 <title>Security Authentication</title> 57 <title>Security Authentication</title>
64 58
65 <para>Before the user logs in, there is no secret set in the Enea Edge 59 <para>The user will enter his credentials (username and password) as in
66 Management database. Initially, the user will enter his credentials as 60 a typical local authentication. He will then be redirected to a second
67 in a normal, local authentication. He will then be redirected to a 61 page that presents the secret as a QR code, that he must scan using the
68 second page that presents the secret as a QR code, that he must scan 62 Google Authenticator application. The secret is also presented in clear
69 using the Google Authenticator application. The secret is also presented 63 text ready for copying and manual entry, in case scanning the QR code
70 in clear text ready for copying and manual entry, in case scanning the 64 does not work.</para>
71 QR code does not work.</para>
72 65
73 <figure> 66 <figure>
74 <title>Initial setup for Multi-Factor login</title> 67 <title>Initial setup for Multi-Factor login</title>
75 68
76 <mediaobject> 69 <mediaobject>
77 <imageobject> 70 <imageobject>
78 <imagedata align="center" scale="60" 71 <imagedata align="center"
79 fileref="images/mfa_first_time_setup.png" /> 72 fileref="images/mfa_first_time_setup.png" scale="60" />
80 </imageobject> 73 </imageobject>
81 </mediaobject> 74 </mediaobject>
82 </figure> 75 </figure>
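Review bot: the new claim in lines 52-53 of the new side, "All MFA information for enabled users will be preserved upon upgrading or restoring the Enea Edge Management application", has an implication the text should state outright: if MFA data survives a restore, the backup that is restored contains the users' shared secrets, so operators need to treat those backups as credential material. Please confirm "restoring" against the actual restore procedure and, if it holds, add a sentence noting that backups include the MFA secrets. Separately, dropping the sentence "Before the user logs in, there is no secret set in the Enea Edge Management database" removes the only statement of when the secret is created; the rewritten paragraph jumps straight to "a second page that presents the secret as a QR code". A short replacement such as "The secret is generated on the user's first login." would keep that sequencing. Demoting the preservation statement from a <note> to a plain <para> and reordering the imagedata attributes are cosmetic and fine.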
@@ -89,34 +82,30 @@
89 correct, authentication is successful. The six digit token is available 82 correct, authentication is successful. The six digit token is available
90 for a maximum of 30 seconds.</para> 83 for a maximum of 30 seconds.</para>
91 84
92 <para>Once the initial login succeeds and the secret is saved in the 85 <para>Subsequent logins will still be done using a two-step method. The
93 database, subsequent logins will still be done using a two-step method. 86 user will provide first his credentials, and on the second page the
94 The user will provide first his classic credentials, and then, on the 87 token as generated by Google Authenticator.</para>
95 second page he will enter the token as generated by Google
96 Authenticator, this time, however, the secret will no longer be
97 displayed.</para>
98 88
99 <figure> 89 <figure>
100 <title>Second login</title> 90 <title>Second login</title>
101 91
102 <mediaobject> 92 <mediaobject>
103 <imageobject> 93 <imageobject>
104 <imagedata align="center" scale="80" 94 <imagedata align="center" fileref="images/mfa_login.png"
105 fileref="images/mfa_login.png" /> 95 scale="80" />
106 </imageobject> 96 </imageobject>
107 </mediaobject> 97 </mediaobject>
108 </figure> 98 </figure>
109 99
110 <note> 100 <note>
111 <para>If the shared secret is ever lost, it can always be regenerated, 101 <para>If the shared secret is lost, it can be regenerated by the
112 but only upon request to the administrator. It is done by accessing 102 administrator by disabling and re-enabling the MFA Login for the selected
113 the <emphasis role="bold">Security</emphasis> tab, selecting the 103 user. For more information, please see <olink targetdoc="book_enea_edge_getting_started"
114 <emphasis role="bold">Configuration</emphasis> menu and choosing the 104 targetptr="config_mfa">Configuring User MFA in the <ns:include
115 user, and on the right-hand side panel unchecking the <emphasis 105 href="../../s_docbuild/olinkdb/pardoc-names.xml"
116 role="bold">Enable MFA Login</emphasis> checkbox. Then pressing the 106 xmlns:ns="http://www.w3.org/2001/XInclude"
117 <emphasis role="bold">Apply</emphasis> button, checking it again, and 107 xpointer="element(book_enea_edge_getting_started/1)" /></olink> Manual. When the
118 clicking <emphasis role="bold">Apply</emphasis> one final time. When 108 MFA Login is disabled, the secret is also erased from the
119 the MFA Login is disabled, the secret is also erased from the
120 database.</para> 109 database.</para>
121 </note> 110 </note>
122 </section> 111 </section>
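Review bot: the removed clause "this time, however, the secret will no longer be displayed" (old lines 96-97) was the only statement that the shared secret is shown exactly once, at enrolment, and never again on later logins; that is the security-relevant property of the flow, and the rewritten paragraph at new lines 85-87 no longer says it. Please keep it, for example: "the token as generated by Google Authenticator; the secret itself is not displayed again." In the note, "it can be regenerated by the administrator by disabling and re-enabling the MFA Login" has a doubled "by"; "it can be regenerated: the administrator disables and re-enables MFA Login for the selected user" reads better. Replacing the inline click-path with the olink to config_mfa is a good de-duplication, but since targetdoc is book_enea_edge_getting_started, the same book this file belongs to, the trailing "Manual" in the link text reads oddly from inside that book; "see Configuring User MFA" alone would do. The closing sentence that the secret is erased from the database when MFA Login is disabled is the important part of this note and correctly survives the rewrite.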