Allow Bypassing Password Confirmation for 2FA Setup for SSO-Authenticated Users

Created on 6 February 2025, about 2 months ago

Problem/Motivation

We have configured the TFA (Two-Factor Authentication) module to enable 2FA setup for specific roles. Additionally, we offer an SSO (Single Sign-On) login option for users authenticating through an external identity provider. The current implementation presents a challenge:

  1. SSO-authenticated users are not required to set up a password in Drupal, as their authentication is managed externally.
  2. We need to restrict access to local Drupal accounts for users authenticated via SSO.

This creates a difficulty when setting up 2FA, as the TFA module currently requires users to confirm their password to proceed with 2FA configuration. This step is not possible for SSO-authenticated users who do not have a local Drupal password.

Proposed resolution

We can add a new permission called "Bypass the password confirmation prompt". This permission would allow roles with this capability to skip the password confirmation step when setting up 2FA for their accounts. This solution would:

  1. Enable SSO-authenticated users, who do not have a local Drupal password, to configure 2FA seamlessly.
  2. Provide administrators with greater flexibility by allowing them to manage this functionality through role-based permissions.

Remaining tasks

Patch needs review

Feature request

Status: Needs work
Version: 1.9
Component: Code
Created by: Hardik_Patel_12 (India)
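
The proposed permission is granted per role, not per login method, so any account in such a role skips the prompt whether or not it has a local password. The following is an added example, not code from the issue's patch or from the TFA module: it audits which accounts would skip the prompt and separates the intended group (no local password) from the rest. The permission machine name, the array shapes and the sample roles and accounts are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical machine name for the proposed permission (not taken from the patch).
const BYPASS_PERMISSION = 'bypass tfa password confirmation';

/** Returns true if any of the account's roles grants the bypass permission. */
function canBypassPrompt(array $account, array $rolePermissions): bool {
  foreach ($account['roles'] as $role) {
    if (in_array(BYPASS_PERMISSION, $rolePermissions[$role] ?? [], true)) {
      return true;
    }
  }
  return false;
}

/**
 * Splits the accounts that would skip the prompt into the intended group
 * (no local password) and the unintended one (local password still set).
 */
function auditBypass(array $accounts, array $rolePermissions): array {
  $report = ['sso_only' => [], 'has_local_password' => []];
  foreach ($accounts as $account) {
    if (!canBypassPrompt($account, $rolePermissions)) {
      continue;
    }
    $bucket = $account['has_local_password'] ? 'has_local_password' : 'sso_only';
    $report[$bucket][] = $account['name'];
  }
  return $report;
}

// Constructed sample data: role => permissions, and three accounts.
$rolePermissions = [
  'authenticated' => ['setup own tfa'],
  'sso_user' => ['setup own tfa', BYPASS_PERMISSION],
  'editor' => ['setup own tfa'],
];
$accounts = [
  ['name' => 'alice', 'roles' => ['authenticated', 'sso_user'], 'has_local_password' => false],
  ['name' => 'bob', 'roles' => ['authenticated', 'sso_user', 'editor'], 'has_local_password' => true],
  ['name' => 'carol', 'roles' => ['authenticated', 'editor'], 'has_local_password' => true],
];

print_r(auditBypass($accounts, $rolePermissions));
```

Accounts reported under `has_local_password` can change their 2FA setup from an existing session without re-entering a credential, so a role carrying this permission should be limited to accounts that sign in only through the identity provider.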
