Prompting user to enter credentials (i.e. Vault) while connecting to target resource

Finally, I am able to set up a self-hosted Boundary, worker and desktop client in an air-gapped environment as containerized apps in our k8 cluster.

I am using Keycloak as an authentication service and trying to implement an authorization service at the target level.

In my case, the user gets authenticated against Keycloak and can view the list of targets in his desktop client web browser. Now I am looking to force the user to enter the credentials while connecting to the target. Once the credentials are successful, he can connect to the target resource. I am trying to use Vault as static credential or dynamic secret injection with a time bound.

Wondering if anyone has done something like this.

Which credentials are you wanting the user to enter? If it’s the credentials for the remote machine, unless you are using Enterprise with credential injection, authentication is performed by the remote service anyways…so the user will be prompted if their environment does not contain a necessary credential already. Credential brokering could be used to pull a cred from Vault and give it to the user at session authorization time to enter.
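The credential brokering setup mentioned in the reply above, sketched as Terraform for the Boundary provider. This is an added example, not part of the original reply or the poster's configuration; the variable names, Vault address, Vault path, port and session limit are all placeholder assumptions.

```hcl
# Added example: every name, address, path and ID below is a placeholder.
variable "project_scope_id" { type = string } # Boundary project scope that owns the target
variable "host_set_id"      { type = string } # existing host set containing the target host
variable "vault_token" {
  type      = string
  sensitive = true # Boundary expects a periodic, orphan, renewable Vault token
}

# Credential store: tells Boundary how to reach Vault.
resource "boundary_credential_store_vault" "vault" {
  name     = "vault-store"
  scope_id = var.project_scope_id
  address  = "https://vault.example.internal:8200" # placeholder address
  token    = var.vault_token
}

# Credential library: the Vault path Boundary reads at session authorization.
# A dynamic-secrets path returns a fresh, lease-bound username/password per
# session; a KV path would return a static credential instead.
resource "boundary_credential_library_vault" "db" {
  name                = "db-dynamic-creds"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "database/creds/readonly" # placeholder Vault path
  http_method         = "GET"
  credential_type     = "username_password"
}

# Target: brokered credentials are handed to the user when the session is
# authorized; the user then presents them to the remote service, which
# performs the actual authentication.
resource "boundary_target" "db" {
  name            = "postgres"
  type            = "tcp"
  scope_id        = var.project_scope_id
  default_port    = 5432
  host_source_ids = [var.host_set_id]

  brokered_credential_source_ids = [boundary_credential_library_vault.db.id]

  session_max_seconds = 3600 # time bound on the session itself
}
```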

I am wondering if we can enforce the remote user to enter username and password to see the targets available to him or should I enforce the user to enter username & password at target level.

I am looking to enforce the user to enter their username and password as a 2nd form of authentication. In my case, the first authentication will be performed via Keycloak against LDAP. I am looking to explore a 2nd form of authentication, which I think can be done at the Boundary application level.

Happy to hear your point of view.

Replied at How to get auto-user creation in multiple auth methods - #4 by jeff