guacamole-user mailing list archives

From Nick Couchman <>
Subject Re: OpenID Connect authentication in 0.9.14 and 2FA
Date Tue, 15 May 2018 16:29:52 GMT
On Sun, May 13, 2018 at 7:35 AM, Suncatcher16 <>

> New release brought us the new cool authentication protocol OpenID Connect,
> but also new question I am going to touch.
> What is the most efficient (not redundant) strategy of authentication now?

This depends on your environment, and what works in it.  The point is that
there are options, so if you like or already use OpenID for authentication,
you have that option with Guacamole.

> OpenID Connect allows connecting with Google/Facebook/ accounts,
> which, in turn, provide 2FA ability. So is there any sense in combining Duo +
> OpenID authentication methods? Isn't double 2FA redundant here?

It certainly could be redundant, but it doesn't have to be.  If your OpenID
provider implements 2FA/MFA, then it probably does not make any sense to
have Duo enabled.  If your OpenID provider does not implement 2FA/MFA, then
you may still want Duo.  You have choices.

> The same question can be asked about DB-authentication: can we get rid of it
> in favor of OpenID?
> What is the most efficient scheme:
> 1. OpenID
> 2. OpenID + DB
> 3. OpenID + Duo
> 4. OpenID + Duo + DB

Again, it depends on your configuration.  One thing that is important to
note is that the OpenID and Duo modules do *not* provide any access to
connections, so if you want connections in Guacamole (kind of useless
without them), you'll have to layer in a module that supports those.  LDAP
is an option and works well, but the JDBC module is probably the most
robust for managing connections.

"Most efficient" is very subjective and specific to each use case, site,
network, etc.  Choose the one that is best for you, that best secures your
installation, and that offers your users the best experience.

> Some elements seem redundant to me, no?

Maybe.  It depends.  It's up to you.

> We are not speaking here about the environments where OpenID is inaccessible
> (corporate stuff) but considering the case of pure security where all
> authentication methods are available.

Even in corporate environments OpenID may be either accessible (for public
OpenID providers, like Google, Yahoo!, etc.) or implemented within the
network via an Intranet server of some sort, as there are plenty of
products available to provide OpenID within a private network.
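
As an added illustration of the layering described above (this is not configuration from the thread or from the Guacamole project itself), the guacamole.properties below wires the three extensions together: OpenID supplies the identity, the JDBC module supplies the connections, and Duo is only kept for an identity provider that does not enforce MFA on its own. Every hostname, URL, key and password is a placeholder; the `mysql-user-required` line is an assumption about the JDBC extension's option for refusing logins that have no database account, so check it against the manual for your version before relying on it.

```properties
# Added example, not from the thread or from the Guacamole docs.
# Layering for the "OpenID + Duo + DB" case. All values are placeholders.

# --- OpenID Connect: identity only, no connections ---
# Placeholder identity provider endpoints.
openid-authorization-endpoint: https://idp.example.com/authorize
# Public keys used to verify the id_token signature.
openid-jwks-endpoint: https://idp.example.com/jwks
# Must match the "iss" claim in the token exactly.
openid-issuer: https://idp.example.com
openid-client-id: guacamole-client-id-placeholder
# Must be registered with the identity provider as an allowed redirect.
openid-redirect-uri: https://guac.example.com/guacamole/
# Username taken from this claim; the same identifier must exist in the database
# or the user will log in to an empty Guacamole with no connections.
openid-username-claim-type: email

# --- JDBC (MySQL): connections and the authorization model ---
mysql-hostname: db.example.internal
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: REPLACE_WITH_DB_PASSWORD
# Assumption: the JDBC extension's "restrict to database users" option.
# With it, an OpenID identity with no matching database account is refused
# instead of being accepted with nothing to connect to.
mysql-user-required: true

# --- Duo: keep only if the identity provider does not already enforce MFA ---
duo-api-hostname: api-XXXXXXXX.duosecurity.com
duo-integration-key: REPLACE_WITH_INTEGRATION_KEY
duo-secret-key: REPLACE_WITH_SECRET_KEY
# Generated locally (40+ random characters); never shared with Duo.
duo-application-key: REPLACE_WITH_40_PLUS_RANDOM_CHARS
```

Comments are kept on their own lines because a Java-style properties parser treats a trailing `#` as part of the value, which would silently corrupt an endpoint or key. If the identity provider already enforces MFA, drop the Duo block entirely rather than leaving a second prompt in place; the database block stays in either case, since without it no extension on this page hands out connections.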
