2FA Authentication for the User Login for SC3 Applications or Pantaris

As per the Bosch Regulations, any SC3 classified application mandatorily needs 2FA authentication if Single Sign On doesn't exist for the login. As we are hosting an SC3 classified app through the external hosting option via Pantaris, we would like to request this feature as a must to be productive with Pantaris.

We would like to have 2FA enabled at the Pantaris login for the customers or at least in our application GUI. What is the possible solution here?

Hello Pantaris Team, Could you provide any update here?

PANTARIS itself does not perform any login at all. We just use federated accounts from Bosch ADFS and SingleKeyId. The first one already supports MFA. If you feel the need to restrict it, you can filter by identityProvider: "bosch-ngw-adfs" on the users resource.
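The application-side restriction suggested in the reply above, as an added example in Python; this is not Pantaris or Bosch code. It assumes the users resource returns records with an identityProvider field (the value "bosch-ngw-adfs" comes from the reply; "singlekeyid" is an assumed value for the other provider) and uses a constructed sample list. It gates access on whether the provider enforces MFA and fails closed when no provider is recorded, and adds a per-provider lockout report so you can see who would lose access before switching the filter on.

```python
from collections import Counter

# Federated identity providers that enforce MFA at login. Per the thread,
# Bosch ADFS ("bosch-ngw-adfs", from the reply above) does. The provider id
# "singlekeyid" used below for the other provider is an assumption.
MFA_ENFORCING_PROVIDERS = frozenset({"bosch-ngw-adfs"})

# Constructed sample of what the users resource might return. The field
# names "email" and "identityProvider" are assumptions, not Pantaris' schema.
SAMPLE_USERS = [
    {"email": "alice@bosch.example", "identityProvider": "bosch-ngw-adfs"},
    {"email": "bob@oem.example", "identityProvider": "singlekeyid"},
    {"email": "carol@bosch.example", "identityProvider": "bosch-ngw-adfs"},
    {"email": "dave@oem.example", "identityProvider": "singlekeyid"},
    {"email": "erin@oem.example"},  # no provider recorded at all
]


def provider_of(user: dict) -> str:
    """Return the identity provider recorded for a user, "" if absent."""
    return str(user.get("identityProvider") or "")


def mfa_backed_users(users):
    """Filter a users list down to accounts from an MFA-enforcing provider."""
    return [u for u in users if provider_of(u) in MFA_ENFORCING_PROVIDERS]


def access_decision(user: dict, sc3: bool = True):
    """Decide whether a federated user may reach the application.

    For an SC3-classified app only MFA-enforcing providers are accepted.
    A record without a provider is treated as unknown and denied (fail
    closed). Returns (allowed, reason).
    """
    provider = provider_of(user)
    if not provider:
        return False, "no identityProvider recorded; denying (fail closed)"
    if not sc3:
        return True, f"{provider}: app is not SC3, MFA not required"
    if provider in MFA_ENFORCING_PROVIDERS:
        return True, f"{provider} enforces MFA"
    return False, f"{provider} does not enforce MFA; SC3 requires it"


def lockout_report(users, sc3: bool = True) -> dict:
    """Count, per provider, how many users the policy allows and denies.

    Run this before enabling the filter: it shows how many external
    (non-ADFS) accounts would lose access to the application.
    """
    allowed, denied = Counter(), Counter()
    for u in users:
        ok, _ = access_decision(u, sc3)
        (allowed if ok else denied)[provider_of(u) or "<none>"] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        ok, why = access_decision(u)
        print(f"{'ALLOW' if ok else 'DENY':5} {u['email']:22} {why}")
    print(lockout_report(SAMPLE_USERS))
```

Note that this only checks which provider an account came from; it does not verify that MFA happened for a particular session. That guarantee stays with the identity provider, which is why the reply pins it to ADFS.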

Thanks for your response. For Bosch users, since SSO is enabled, it's still fine without the need for MFA (on Managed Internet Clients, MFA would be taken care of automatically by Bosch).

However, for our external customers who will be onboarded to the Marketplace, for example external OEMs, the login to our application should happen over mandated 2FA. As Pantaris manages the users in its own Keycloak for users outside of Bosch, we expect that 2FA is mandated for these users for our application login.

If I have some misunderstanding of the expectations, I would like to discuss this topic. Kindly let me know if I should schedule a call to discuss this request further.

OEMs are likely to bring their own Identity Provider and can enforce their MFA policies for their accounts. However, until now we didn't onboard any, but it was considered in the concepts. There is still some work left on the first one.

If Pantaris enables the customers to bring in their own Identity Provider, then it's a different topic and the customer takes care of these things.

But at the moment, this is not a possibility from my understanding and rather a planned topic in Pantaris, and there can be customers who state they do not need this as a first step. In such situations, will user management be on Pantaris? Is my understanding correct? In this situation, how do we handle the 2FA? From our application's point of view, since Pantaris handles the users, they should also do the needful to enable 2FA.

Like mentioned earlier, we don't "handle the users". The Identity Providers (Bosch ADFS, SingleKeyId) do. As far as I know, SingleKeyId does not support 2FA/MFA, while ADFS already enforces MFA. So right now, that's nothing that we can just enable or add. Feel free to create a feature request.

OK, I understood the setup now. I came across this from the SingleKeyID team: https://inside-docupedia.bosch.com/confluence/x/0uu7jg.

