On Wed, Jul 28, 2021 at 3:19 AM Chris Thompson <[email protected]> wrote:

> Hello...first time posting here. Looking for any information regarding a
> 2FA option for Guacamole based on email. Has anyone implemented such a
> solution with Guacamole that would require receipt of an email with
> confirmation before the Guacamole user is authenticated? I'm in a situation
> where other 2FA options (i.e. Duo or app based solutions such as Google
> Authenticator) won't work. It has to be email.
>
>
The current methods of 2FA supported by Guacamole are:
* Duo
* TOTP extension (Google Authenticator)
* RADIUS
* SSO (SAML, OIDC, CAS)

Duo and TOTP are pretty self-explanatory. For RADIUS, if you have a RADIUS
server that is configured to require 2FA, Guacamole integrates fine with
this, including asking the user for additional credentials. I've
implemented this with LinOTP and FreeRADIUS in a couple of different places
with good success. In my experience with LinOTP I've done both Google
Authenticator style authentication, as well as SMS/e-mail based tokens, so
I believe that would work to accomplish what you're trying to do.

The various SSO modules should support something like this without issue,
as well - Guacamole will redirect to the SSO IdP, which will perform
authentication steps (Username/Password, OTP, SMS/e-mail, etc.) and then
redirect the user back to Guacamole. The details of how that second factor
is requested/provided are up to the SSO provider, and as long as the
provider redirects back to Guacamole correctly there isn't anything else
required for Guacamole.

Certainly post back if you have more detailed questions.

-Nick
