77 lines
3.1 KiB
Markdown
77 lines
3.1 KiB
Markdown
# Features in details
|
|
|
|
## 1-Factor (1FA) using a LDAP server
|
|
|
|
**Authelia** uses an LDAP server as the backend for storing credentials.
|
|
When authentication is needed, the user is redirected to the login page which
|
|
corresponds to the first factor. **Authelia** tries to bind the username and
|
|
password against the configured LDAP backend.
|
|
|
|
You can find an example of the configuration of the LDAP backend in
|
|
[config.template.yml].
|
|
|
|
<p align="center">
|
|
<img src="../docs/images/1FA.png" width="400">
|
|
</p>
|
|
|
|
|
|
## 2-Factor (2FA)
|
|
|
|
**Authelia** comes with three kind of second factor.
|
|
|
|
* Security keys like [Yubikey]. More info [here](./2factor/security-key.md).
|
|
* One-Time Passwords generated by [Google Authenticator]. More info [here](./2factor/time-based-one-time-password.md).
|
|
* Duo Push Notifications to use with [Duo mobile application](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en) available on Android, iOS and Windows. More info [here](./2factor/duo-push-notifications.md).
|
|
|
|
<p align="center">
|
|
<img src="../docs/images/2FA-METHODS.png" width="400">
|
|
</p>
|
|
|
|
## Password reset
|
|
|
|
With **Authelia**, you can also reset your password in no time. Click on the
|
|
**Forgot password?** link in the login page, provide the username of the user
|
|
requiring a password reset and **Authelia** will send an email a confirmation
|
|
email to the user email address.
|
|
|
|
Proceed with the password reset form and validate to reset your password.
|
|
|
|
<p align="center">
|
|
<img src="../docs/images/RESET-PASSWORD-STEP1.png" width="400">
|
|
</p>
|
|
|
|
## Access Control
|
|
|
|
With **Authelia**, you can define your own access control rules for finely
|
|
restricting user access to some resources and subdomains. Those rules are
|
|
defined and fully documented in the configuration file. They can apply to
|
|
users, groups or everyone.
|
|
|
|
Check out [config.template.yml] to see how they are defined.
|
|
|
|
## Single factor authentication
|
|
|
|
**Authelia** allows you to customize the authentication method to use for each
|
|
subdomain. The supported methods are either "single_factor" or "two_factor".
|
|
Please check [config.template.yml] to see an example of configuration.
|
|
|
|
It is also possible to use [basic authentication] to access a resource
|
|
protected by a single factor.
|
|
|
|
Please note that Authelia uses the *Proxy-Authorization* header and not
|
|
*Authorization* since one might be willing to authenticate against both
|
|
Authelia and the proxy. For instance you can use the following command to
|
|
access your service:
|
|
|
|
$ curl -H "Proxy-Authorization: Basic am9objpwYXNzd29yZA==" https://myservice.example.com"
|
|
|
|
## Session management with Redis
|
|
|
|
When your users authenticate against Authelia, sessions are stored in a
|
|
Redis key/value store. You can specify your own Redis instance in
|
|
[config.template.yml].
|
|
|
|
[basic authentication]: https://en.wikipedia.org/wiki/Basic_access_authentication
|
|
[config.template.yml]: https://github.com/clems4ever/authelia/blob/master/config.template.yml
|
|
[Yubikey]: https://www.yubico.com/products/yubikey-hardware/yubikey4/
|
|
[Google Authenticator]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en |