authelia/docs/features.md
2019-03-22 15:34:42 +01:00

3.8 KiB

Features in details

First factor using a LDAP server

Authelia uses an LDAP server as the backend for storing credentials. When authentication is needed, the user is redirected to the login page which corresponds to the first factor. Authelia tries to bind the username and password against the configured LDAP backend.

You can find an example of the configuration of the LDAP backend in config.template.yml.

Second factor with TOTP

In Authelia, you can register a per user TOTP (Time-Based One Time Password) secret before being being able to authenticate. Click on the register button and check the email Authelia sent to your email address to validate your identity.

Confirm your identity by clicking on Continue and you'll get redirected on a page where your secret will be displayed in QRCode and Base32 formats. You can use Google Authenticator to store it and get the generated tokens.

Second factor with U2F security keys

Authelia also offers authentication using U2F (Universal 2-Factor) devices like Yubikey USB security keys. U2F is one of the most secure authentication protocol and is already available for Google, Facebook, Github accounts and more.

Like TOTP, U2F requires you register your security key before authenticating. To do so, click on the register button. This will send a link to the user email address. Confirm your identity by clicking on Continue and you'll be asked to touch the token of your device to register. Upon successful registration, you can authenticate using your U2F device by simply touching the token.

Easy, right?!

Password reset

With Authelia, you can also reset your password in no time. Click on the Forgot password? link in the login page, provide the username of the user requiring a password reset and Authelia will send an email a confirmation email to the user email address.

Proceed with the password reset form and validate to reset your password.

Access Control

With Authelia, you can define your own access control rules for finely restricting user access to some resources and subdomains. Those rules are defined and fully documented in the configuration file. They can apply to users, groups or everyone.

Check out config.template.yml to see how they are defined.

Single factor authentication

Authelia allows you to customize the authentication method to use for each subdomain. The supported methods are either "single_factor" or "two_factor". Please check config.template.yml to see an example of configuration.

It is also possible to use basic authentication to access a resource protected by a single factor.

Please note that Authelia uses the Proxy-Authorization header and not Authorization since one might be willing to authenticate against both Authelia and the proxy. For instance you can use the following command to access your service:

curl -H "Proxy-Authorization: Basic am9objpwYXNzd29yZA==" https://myservice.example.com"

Session management with Redis

When your users authenticate against Authelia, sessions are stored in a Redis key/value store. You can specify your own Redis instance in config.template.yml.