Hi Nick, is it possible to use user-mapping.xml with RADIUS auth? Just for configuring and mapping connections to the AD users?

On Wed, Jul 28, 2021 at 3:22 PM Nick Couchman <[email protected]> wrote:

> On Wed, Jul 28, 2021 at 3:19 AM Chris Thompson <[email protected]> wrote:
>
>> Hello...first time posting here. Looking for any information regarding a
>> 2FA option for Guacamole based on email. Has anyone implemented such a
>> solution with Guacamole that would require receipt of an email with
>> confirmation before the Guacamole user is authenticated? I'm in a situation
>> where other 2FA options (i.e. Duo or app based solutions such as Google
>> Authenticator) won't work. It has to be email.
>>
>
> The current methods of 2FA supported by Guacamole are:
> * Duo
> * TOTP extension (Google Authenticator)
> * RADIUS
> * SSO (SAML, OIDC, CAS)
>
> Duo and TOTP are pretty self-explanatory. For RADIUS, if you have a RADIUS
> server that is configured to require 2FA, Guacamole integrates fine with
> this, including asking the user for additional credentials. I've
> implemented this with LinOTP and FreeRADIUS in a couple of different places
> with good success. In my experience with LinOTP I've done both Google
> Authenticator style authentication, as well as SMS/e-mail based tokens, so
> I believe that would work to accomplish what you're trying to do.
>
> The various SSO modules should support something like this without issue,
> as well - Guacamole will redirect to the SSO IdP, which will perform
> authentication steps (Username/Password, OTP, SMS/e-mail, etc.) and then
> redirect the user back to Guacamole. The details of how that second factor
> is requested/provided are up to the SSO provider, and as long as the
> provider redirects back to Guacamole correctly there isn't anything else
> required for Guacamole.
>
> Certainly post back if you have more detailed questions.
>
> -Nick
