On Sun, May 13, 2018 at 7:35 AM, Suncatcher16 <suncatche...@outlook.com> wrote:
> New release brought us the new cool authentication protocol OpenID Connect, > but also new question I am going to touch. > What is the most efficient (not redundant) strategy of authentication now? > This depends on your environment, and what works in it. The point is that there are options, so if you like or already use OpenID for authentication, you have that option with Guacamole. > OpenID Connect allows connecting with Google/Facebook/Live.com accounts, > which, in turn provide 2FA ability. So is there any sense in combining Duo > + > OpenID authentication methods? Isn't double 2FA redundant here? > It certainly could be redundant, but it doesn't have to be. If your OpenID provider implements 2FA/MFA, then it probably does not make any sense to have Duo enabled. If your OpenID provider does not implement 2FA/MFA, then you may still want Duo. You have choices. > The same question can be asked about DB-authentication: can we get rid of > it > in favor of OpenID? > What is the most efficient scheme: > 1. OpenID > 2. OpenID + DB > 3. OpenID + Duo > 4. OpenID + Duo + DB > Again, it depends on your configuration. One thing that is important to note is that the OpenID and Duo modules do *not* provide any access to connections, so if you want connections in Guacamole (kind of useless without them), you'll have to layer in a module that supports those. LDAP is an option and works well, but the JDBC module is probably the most robust for managing connections. "Most efficient" is very subjective and specific to each use case, site, network, etc. Choose the one that is best for you, that best secures your installation, and that offers your users the best experience. > > Some elements seem redundant to me, no? > Maybe. It depends. It's up to you. > > We are not speaking here about the environments where OpenID is > inaccessible > (corporate stuff) but considering the case of pure security where all > authentication methods are available. > > Even in corporate environments OpenID may be either accessible (for public OpenID providers, like Google, Yahoo!, etc.) or implemented within the network via an Intranet server of some sort, as there are plenty of products available to provide OpenID within a private network. -Nick
