How to Enforce MFA for All Odoo Users

  • هذا الموضوع فارغ.
  • Post
    • ديسمبر 15, 2024 الساعة 5:53 م
    Weekend Wiki
    مدير عام
    To enforce Multi-Factor Authentication (MFA) for all Odoo users, you can use Azure Active Directory (AAD) integration or third-party authentication providers. Here’s a step-by-step guide:

    1. Use OAuth2 with a Single Sign-On (SSO) Provider

    The easiest and most secure way to enforce MFA for all users is to require them to log in through an identity provider (e.g., Azure AD, Google, or Okta) that has MFA enabled.

    Steps:

    1. Enable OAuth2 Authentication in Odoo:
      • Go to Settings > General Settings.
      • Under OAuth Authentication, enable one or more providers, such as:
        • Microsoft (Azure AD)
        • Google
        • Okta
      • Configure the relevant provider with your client ID, client secret, and callback/redirect URLs.
    2. Disable Local Authentication:
      • Navigate to Settings > Users & Companies > Users.
      • For each user, uncheck the “Internal User” and “Portal” login options unless you’re using SSO.

    2. Enforce MFA via Azure Active Directory (AAD)

    If you’re using Azure AD for authentication:

    1. Set up OAuth2 integration with Azure AD (as described here).
    2. Configure an Azure Conditional Access Policy:
      • Go to Azure Active Directory > Security > Conditional Access.
      • Create a new policy:
        • Assign to all users or a specific group.
        • Target the Odoo app (registered in Azure).
        • Set the condition to require MFA for app access.
      • Enable and save the policy.
    3. Ensure all Odoo users log in through Azure AD:
      • Disable non-Azure login options for users in Odoo.
      • Enable Microsoft login for all users.

    3. Enforce MFA with Third-Party Authentication Tools

    If you use other identity providers or MFA solutions:

    1. Integrate the provider with Odoo via OAuth2 or SAML.
    2. Configure MFA policies within the provider’s platform (e.g., Okta or Auth0).
    3. Restrict local login in Odoo to ensure all users authenticate via the third-party provider.

    4. Restrict Local Login in Odoo

    To enforce OAuth2-based MFA and prevent users from bypassing it with local credentials:

    1. Disable Password Authentication:
      • Use Odoo’s Developer Mode:
        • Navigate to Settings > Technical > Parameters > System Parameters.
        • Search for auth_signup_uninvited and set it to False (optional, if needed).
    2. Update User Records:
      • Ensure that users are only allowed to authenticate via the external provider.
      • Disable passwords for users who shouldn’t use local authentication.

    5. (Optional) Enforce MFA for Internal Odoo Users (Admins)

    For system administrators or superusers:

    • Ensure admin users are registered in the Azure AD or third-party provider.
    • Apply MFA policies specifically to their accounts in Azure AD or the provider’s settings.

    6. Test and Monitor MFA Enforcement

    1. Test the login process by:
      • Logging out of Odoo.
      • Attempting to log in with a test user account.
      • Verifying the MFA prompt during the login process.
    2. Regularly monitor login activities in Odoo Logs or in the identity provider’s security dashboard to detect unauthorized access attempts.

    This approach ensures all Odoo users are secured with MFA through enforced SSO policies, removing the need for local password-based authentication. Let me know if you’d like help with a specific step!

    For consulting email us at [email protected]

  • يجب تسجيل الدخول للرد على هذا الموضوع.
arArabic
en_USEnglish arArabic