[ https://issues.apache.org/jira/browse/GUACAMOLE-136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Jumper resolved GUACAMOLE-136.
--------------------------------------
    Resolution: Done

> Add support for TFA - initially Duo
> -----------------------------------
>
>                 Key: GUACAMOLE-136
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-136
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-client
>            Reporter: Michael Jumper
>            Assignee: Michael Jumper
>             Fix For: 0.9.11-incubating
>
>
> Copied from downstream 
> [GUAC-1574|https://glyptodon.org/jira/browse/GUAC-1574]:
> {quote}
> Add support for two-factor authentication to Guacamole, initially providing 
> an implementation supporting [Duo|https://duo.com/], but keeping in mind that 
> future implementations will likely be made for other TFA providers (similar 
> to the MySQL and PostgreSQL authentication backends sharing a common core).
> The Duo API makes things considerably simple, and is nicely in line with the 
> authentication system already present in Guacamole. The auth process would be 
> as follows:
> # The user attempts to sign into Guacamole as usual.
> # The authentication attempt succeeds.
> # The Duo authentication extension vetoes the authentication attempt, 
> requesting additional information. This request is part of the Guacamole 
> extension API, and in this case would trigger the Duo prompt to appear.
> # The user submits the additional information. This data is forwarded by the 
> Duo API to Guacamole's authentication system, which then issues a new 
> authentication request on behalf of the user with the additional data.
> # The Duo authentication extension validates the additional data, allows the 
> authentication attempt to succeed, and the user is in.
> The specifics of this would require defining a new field type which contains 
> the Duo <iframe>, and properly calling Duo's Java equivalent to their 
> verify_response() function when the TFA response is received. Though their 
> API is aimed at performing a POST to some arbitrary URL on the user's behalf, 
> they also provide a JavaScript callback which will be invoked instead, 
> allowing us to assign the field value and invoke form submit.
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
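
The veto-and-retry flow described in the quoted issue, modelled in Python as an added example; it is not code from Guacamole or Duo. The `user|expiry|hmac` response format, the `tfa-response` field name, the key and the function bodies are constructed for illustration. The point shown is that the extension must verify the response server-side and bind it to the user who passed the first factor.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: key shared with the TFA verifier
TTL = 300                          # assumption: response lifetime in seconds


class InsufficientCredentials(Exception):
    """Veto from step 3: names the extra field the login form must collect."""
    def __init__(self, field):
        super().__init__("additional credentials required: " + field)
        self.field = field


def sign_response(username, expires):
    """Stand-in for the TFA provider: constructed 'user|expiry|hmac' format."""
    body = f"{username}|{expires}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_response(response, now):
    """Stand-in for verify_response(): the verified username, or None."""
    parts = response.split("|")
    if len(parts) != 3 or not parts[1].isdecimal():
        return None
    user, expires, mac = parts
    expected = hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison first; the expiry is trusted only if the MAC is valid.
    if not hmac.compare_digest(mac.encode(), expected.encode()) or int(expires) < now:
        return None
    return user


def second_factor(username, params, now=None):
    """Run after the password check succeeds (steps 2 to 5 of the flow)."""
    now = int(time.time()) if now is None else now
    response = params.get("tfa-response")
    if response is None:
        # Step 3: veto the attempt and ask the client for the extra field.
        raise InsufficientCredentials("tfa-response")
    # Step 5: accept only a valid, unexpired response issued for this same user.
    if verify_response(response, now) != username:
        raise PermissionError("second factor rejected")
    return username
```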
