Posted to user@guacamole.apache.org by "Khoe, Yonathan" <Yo...@unt.edu> on 2022/01/10 19:21:33 UTC

RE: [EXT] Re: 1.4.0 Feature: Support for 2ndary SSO Provider includes MFA?

The scenario you’re getting is pretty close! Yes, “internal accounts” as in the ones stored in the JDBC (e.g. guacadmin). We don’t use TOTP or any MFA for this one, we just want it to go straight in. Secondly, we want to use LDAP with the Duo MFA as an extra auth method. So essentially:
If (Account found in JDBC) then
     Validate authentication
End if

If (account found in LDAP) then
     Validate authentication
     Validate Duo MFA
End if

I tried setting ‘extension-priority: ldap, duo, jdbc’, as well as ‘jdbc, ldap, duo’; unfortunately those didn’t seem to work. So perhaps you’re right that the current workflow doesn’t take into account this sort of scenario. Our API work has to be through a piggyback server that doesn’t have Duo MFA installed.

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonathan@unt.edu<ma...@unt.edu>
https://itservices.cvad.unt.edu/

From: Nick Couchman <vn...@apache.org>
Sent: Sunday, January 9, 2022 3:46 PM
To: user@guacamole.apache.org
Subject: [EXT] Re: 1.4.0 Feature: Support for 2ndary SSO Provider includes MFA?

On Thu, Jan 6, 2022 at 5:13 PM Khoe, Yonathan <Yo...@unt.edu> wrote:
> Hi,
> We’re testing the 1.4.0 version upgrade. Does this feature to be able to prioritize the providers include tackling the issue of MFA being requested even for internal accounts? We’ve been trying to tackle how to allow only providers such as LDAP to multi-authenticate with Duo MFA, while internal ones should be bypassed.
>
> Is this a scenario that anyone else has within their environment?


Probably not, but it may be worth clarifying a few things. First, when you talk about "Internal Accounts", my guess is that you're talking about users authenticated through the JDBC module and stored in a MySQL, PostgreSQL, or SQL Server database? My guess is that what you're looking for is two different authentication "workflows":
1) JDBC -> TOTP -> Success!
2) LDAP -> Duo -> Success!

So, you can store one set of users in JDBC and have only those users do 2FA through TOTP, while users in LDAP go through Duo. I don't quite think this is possible, but it may depend upon how those services handle users not existing. What you could try is setting the order to:

ldap, duo, jdbc, totp

If the user exists in LDAP and is successfully authenticated, they would go to Duo, and complete authentication. What I'm unsure of is if, after completing the Duo authentication, TOTP would kick in or not - I haven't tried that out. If the user didn't exist in LDAP or Duo, JDBC would be used, and then TOTP would kick in. Might work, but quite probably not, because the TOTP module might still try to enforce an additional authentication on users already authenticated through Duo.

-Nick