Bug 7895 - support authentication via Okta
Summary: support authentication via Okta
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on: 7641 4358
Blocks:
Reported: 2022-04-20 08:47 CEST by Pierre Ossman
Modified: 2023-10-31 12:46 CET

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2022-04-20 08:47:19 CEST
Okta ASA (Advanced Server Access) is identity management software that provides single sign-on and a lot of detailed access control in order to improve security. There has been interest in making ThinLinc work with Okta to improve security.

Okta has existing support for improving security with SSH. It uses certificates to get rid of TOFU, and it also uses short-lived certificates that are fetched for each connection to make sure authentication and access control are fresh.

Unfortunately, this is handled in a magical way, so it doesn't work directly with ThinLinc. Users should either configure a ProxyCommand, or execute ssh via a wrapper.
Comment 1 Pierre Ossman cendio 2022-04-20 09:02:44 CEST
Also note that Okta has an OTP solution that can be integrated with SSH using RADIUS. In that case, it is the double authentication (bug 2545) in ThinLinc that is in the way.
Comment 3 Pierre Ossman cendio 2023-10-31 12:46:57 CET
Okta supports both SAML and OIDC, so bug 8247 might be a way to resolve this for Web Access at least.
