OAUTH TOTP as 3rd prompt
Curtis Shimamoto
curtiskshimamoto at gmail.com
Wed Jan 31 23:12:27 PST 2018
Hello Openconnect folks,

Before addressing the actual intent of this message, first I'd like
you all to know how much I appreciate the effort put forth to maintain
Openconnect. An open-source tool for a not-so-open Cisco protocol,
that also manages to surpass the quality of their native client, is
nothing short of impressive! So many thanks!

My employer uses on-prem AD with O365, but has also implemented Okta
SSO as the sync point between the two. Additionally, Okta offers
multi-factor authentication, which is required for VPN logins
primarily. Because of this, I decided to look into automating that
process since I already use Openconnect over Anyconnect anyway.

But in addition to TOTP, one can also configure the service to provide
one-time passwords via text message or actual phone call. If multiple
options are enabled and configured, there is an additional prompt
between the LDAP credentials and the OTP that asks for a selection of
the preferred OTP option to use.*

Searching for an answer, I found myself on the Openconnect One Time
Password Support page. Here it explains that an OAUTH token type
code will be fed to the second prompt, followed by this sentence:

"This behaviour is empirically determined by the requirements of the
servers that we have tested with; if you find a configuration in which
it is not appropriate, please let us know."

So in an effort to provide you all with an additional data point, and
the possibility of helping others in asking about my own problem, I'm
reporting this scenario as you've requested.

Thanks again for making such a great alternative to AnyConnect. If
there is anything else I can provide to anyone interested in
addressing this, I am more than happy to do so.

* I'm not sure if the prompt will be removed if only one option is
enabled. I haven't gotten that far just yet.
--
Curtis Shimamoto
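Added example, not part of the mail or of OpenConnect itself: an RFC 6238 TOTP generator alongside a small prompt-routing simulation of the three-prompt flow the mail describes. It contrasts feeding the token to whichever prompt comes second with matching prompts by label, so that a selection prompt ("Select OTP delivery") is answered with a method name and only the passcode prompt receives the code. The prompt labels and the preferred-method string are constructed assumptions.

```python
import hmac
import struct
import time
from hashlib import sha1


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the OATH TOTP type OpenConnect supports."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_totp(secret: bytes) -> str:
    """Convenience wrapper using the current wall clock."""
    return totp(secret, time.time())


# Constructed keyword lists; real prompt labels vary by server configuration.
SELECTION_WORDS = ("select", "choose", "method", "option")
OTP_WORDS = ("passcode", "token", "otp", "one-time", "one time", "code")


def answer_by_position(prompts, password, token):
    """Naive behaviour: first prompt gets the password, second gets the token.
    With a selection prompt in between, the token lands in the wrong field."""
    answers = [None] * len(prompts)
    if prompts:
        answers[0] = password
    if len(prompts) > 1:
        answers[1] = token
    return answers


def answer_prompts(prompts, password, token, preferred="TOTP"):
    """Route answers by prompt label: selection prompts get the preferred
    method name, passcode prompts get the TOTP, the first prompt the password."""
    answers = []
    for i, label in enumerate(prompts):
        text = label.lower()
        if i == 0:
            answers.append(password)
        elif any(w in text for w in SELECTION_WORDS):
            answers.append(preferred)
        elif any(w in text for w in OTP_WORDS):
            answers.append(token)
        else:
            answers.append(None)   # unknown prompt: leave for the user
    return answers
```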