Question

Feature Request - Laserfiche to support MFA (Multi-Factor Authentication)

asked on January 31, 2017

Hi,

I've been receiving requests from customers that need to implement MFA on their internet-facing systems.

Laserfiche currently doesn't support MFA.

Some customers have implemented Microsoft MFA but they can't use it with Laserfiche and Laserfiche should be built to support this, or have their own MFA login interface.

MFA should be available as an option in each LF module configuration page. Products that should have this feature are WebLink, WebAccess, Forms and Mobile, as these modules are likely to be facing the internet in some customer-specific deployment scenarios.

We will need to have additional talk about this. 

3 0

Replies

replied on March 17, 2017

That's on our to-do list for a future version of the Laserfiche Directory Service (LFDS). In the short term, we'll be adding support for Active Directory Federated Services for authentication in the next version of LFDS. AD FS supports MFA.

4 0
replied on February 8, 2019

Hi Miruna,

Can you update this post when the future version of LFDS is released with built-in MFA? (Like in the LF Cloud)

 

Thanks,

1 0
replied on March 17, 2017

Some of my existing users and prospects have asked about multi-factor authentication also... I would love to know when this will be available in Laserfiche...

2 0
replied on June 23, 2017

I would like to "bump" this thread as I have been in touch with a prospective client. I suggested that ADFS might be a useful stopgap for them, but they do not believe it will work for them. Bringing in another company's domain in any way is not an acceptable methodology for them and they need to rely on Laserfiche trustees for non-domain users, so standalone multi-factor service is necessary.

The Cloud implementation of this, made available for on-premise, seems like a logical next step. Could this be on the LFDS 10.3 or 11 roadmap?

0 0
replied on July 18, 2017

Laserfiche Directory Service 10.2 was released and does now support ADFS.

Some customers may fear opening Laserfiche AD login out on the internet side as they may be subject to account lockout. So implementing MFA with Laserfiche should (I think) prevent this.

The way I see MFA login behaviour is... There is a request to login through one of the Laserfiche products, once the login request is made through that Laserfiche page, the login request is sent to the ADFS service. Then, the ADFS is sending a code to the user (SMS or email) and that user will enter that code in (ADFS/LF Login interface) to confirm his login...  Is this the behaviour?

Can Laserfiche provide some useful links to any documentation about implementing MFA with ADFS for many of the Laserfiche products like (Web Client, Forms, Mobile, Weblink)?

0 0
replied on July 18, 2017

Whether you use MFA or not in your AD FS setup is transparent to the Laserfiche products using single sign-on through LFDS. They just redirect to the LFDS sign-in page, which, in turn, redirects to AD FS. The AD FS handles requesting and verifying the MFA code. AD FS then generates a user token which is passed back to LFDS which, in turn, passes claims back to the calling application.

So their configuration has not changed, all you need to set up is the same LFDS information as before.

1 0
replied on February 6, 2019

Hi Miruna

 

Does LFDS only support MFA in LF 10.3 version?

Can you update about Laserfiche Mobile App and Laserfiche Web Access?

0 0
replied on February 20, 2019

AD FS support came out in 10.2, so if you have AD FS configured to use MFA, you need LFDS 10.2 or higher.

Web Access supports SSO through LFDS. Once you have configured AD FS in LFDS, it will apply to all applications using SSO.

 

If you want MFA without setting up AD FS, that feature is on the roadmap for LFDS but not yet available.

1 0
replied on July 9, 2019

This is definitely a high-priority request for the South Dakota Office of the Attorney General. We have external users that retrieve sensitive information through WebLink. We need to implement some type of MFA for external users. 

0 0
replied on July 9, 2019

Hi Zack,

Are these external users going to be using Laserfiche accounts through LFDS?

Thank you for sharing your use case!

0 0
replied on July 10, 2019

Hey Brianna,

 

That is correct. We have external users who are non-Active Directory users, but are set up with Laserfiche Accounts. Those users authenticate through WebLink to access documents or through Forms. All the user needs is the password we set up for them, and there is no extra layer of security.

 

As for our Active Directory users, currently they also can log into WebLink and Forms from outside of our network with only their AD password. How can we go about setting up ADFS multi-factor authentication for those users? This may be something we need to go through our VAR, OPG-3, on. 

1 0
replied on July 10, 2019

MFA for Laserfiche users within LFDS is slated for an upcoming major release, tentatively the end of this year (2019).

For the directory users: since you are setting up MFA within AD FS (or SAML), not within Laserfiche, the best resource for configuration is your intended MFA provider (such as Duo) or AD FS documentation.

Make sure to turn on AD FS:

3 0
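
For the AD FS side discussed in this thread, an added example (not posted by any participant and not Laserfiche's own configuration) of requiring MFA for sign-ins that arrive from outside the corporate network. It assumes LFDS is registered in AD FS as a relying party trust, that the trust uses claim rules rather than an access control policy template, and that an MFA provider (such as Duo) is already installed in AD FS; the trust name is a placeholder.

```powershell
# Added example: run in an elevated session on the primary AD FS server.
Import-Module ADFS

# ASSUMPTION: placeholder, replace with the name of the trust created for LFDS.
$rpName = '<LFDS relying party trust name>'

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) {
    throw "No relying party trust named '$rpName' was found."
}

# An MFA rule cannot be satisfied unless at least one additional
# authentication provider is enabled in the global policy.
$providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if (-not $providers) {
    throw 'No additional authentication provider is enabled in AD FS.'
}
Write-Output "Enabled MFA providers: $($providers -join ', ')"

# Claim rule: when the request did not come from inside the corporate
# network, require the multi-factor authentication method.
$mfaRule = @'
c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]
 => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Show the rules currently in place before changing them.
Write-Output "Previous rules: $($rp.AdditionalAuthenticationRules)"

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $mfaRule

# Read the trust back to confirm the rule was stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Because the applications only redirect to LFDS, which redirects to AD FS, this single rule covers every application using SSO through that trust. It does not cover Laserfiche accounts that sign in with a password and never reach AD FS.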
replied on July 11, 2019

Thank you Brianna! The State of South Dakota does use Duo Mobile for MFA with Citrix. I have sent in a request to South Dakota BIT to set up Duo Mobile with Laserfiche for MFA for our Windows accounts. I appreciate the help. 

1 0