I would agree with OAuth(2), SAML and OpenID for SSO.
Old-school would prefer Kerberos.
SCIM would be something regarding provisioning.
In general it’s preferred to have good SSO with MFA. I can do this already, for example by using mod_auth_openidc in Apache.
The biggest problem in general with adding MFA is always the API and/or third-party apps using that. DevOps engineers sometimes have an app on their phone to quickly view / get alerts on criticals.
Looking at other tools, the possibility of API tokens often allows for the rollout of SSO and/or MFA.
I just found oauth_proxy, which seems to be usable as an external backend in icingaweb2.
Unfortunately the documentation to integrate with AzureAD is not that up to date… does anybody have any experience with this?
I found this solution that I’m testing to secure icingaweb with 2fa.