My company has been using Guacamole as our remote-access solution for the past few years and it has been very reliable. We would like to strengthen our security posture by adding second-factor authentication to our Guacamole stack. I am looking to develop and integrate Okta as another Guacamole auth extension.
I think this extension would behave very similarly to the Duo auth extension. The authentication steps would be as follows:
1. The user logs in to Guacamole as usual.
2. Guacamole attempts to authenticate the user with the first authenticator (LDAP, MySQL, or ...).
3. Once the first authentication attempt has succeeded, the Okta auth extension rejects the authentication attempt and starts asking for the second factor.
4. Present the Okta MFA flow and have the user navigate through it (enrollment, activation, authentication).
5. Once the user has successfully satisfied the MFA challenge, Guacamole receives a signed response.
6. The Okta auth extension validates the response. If valid, allow the user to proceed; otherwise, reject.
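To make steps 3 through 6 concrete, here is an added sketch of how a second-factor extension of this shape plugs into Guacamole's extension API. It is example code written for this discussion, not code from the Guacamole project, the Duo extension, or Okta. It uses the real Guacamole classes (`AbstractAuthenticationProvider`, `GuacamoleInsufficientCredentialsException`, `CredentialsInfo`, `Field`), which is the same mechanism the Duo extension uses to re-prompt the user after the first factor succeeds. Everything Okta-specific is an assumption: the parameter name `okta-signed-response`, the message key `LOGIN.INFO_OKTA_AUTH_REQUIRED`, and the signed-response format (`user|expiry|nonce.hexhmac` under a shared HMAC-SHA256 secret) are stand-ins for whatever Okta's real flow would return.

```java
package org.apache.guacamole.auth.okta; // hypothetical package for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;

public class OktaAuthenticationProvider extends AbstractAuthenticationProvider {

    // Assumed name of the HTTP parameter the front end posts back after the MFA flow.
    static final String RESPONSE_PARAM = "okta-signed-response";

    // Assumed: the response is verified with an HMAC-SHA256 shared secret. In a real
    // extension this would come from guacamole.properties via the Environment API.
    private final byte[] secret;

    public OktaAuthenticationProvider(byte[] secret) {
        this.secret = secret.clone();
    }

    @Override
    public String getIdentifier() {
        return "okta";
    }

    // Steps 3 and 6. This provider never performs first-factor authentication itself
    // (authenticateUser() inherits the default, returning null); it only gates users
    // that another provider such as LDAP or MySQL has already authenticated.
    @Override
    public UserContext getUserContext(AuthenticatedUser authenticatedUser)
            throws GuacamoleException {

        HttpServletRequest request = authenticatedUser.getCredentials().getRequest();
        String response = request != null ? request.getParameter(RESPONSE_PARAM) : null;

        // No second factor yet: reject with an INSUFFICIENT_CREDENTIALS response naming
        // the field the client must supply, so Guacamole re-prompts instead of failing.
        if (response == null)
            throw new GuacamoleInsufficientCredentialsException(
                    "LOGIN.INFO_OKTA_AUTH_REQUIRED",
                    new CredentialsInfo(Collections.singletonList(
                            new Field(RESPONSE_PARAM, Field.Type.TEXT))));

        // Bind the signed response to the identity that passed the first factor, so a
        // response minted for one user cannot complete the login of another.
        if (!isValidResponse(response, authenticatedUser.getIdentifier(),
                System.currentTimeMillis() / 1000, secret))
            throw new GuacamoleSecurityException("Invalid or expired Okta MFA response.");

        // Returning null contributes no connections; the first provider's UserContext stands.
        return null;
    }

    // Assumed response layout: "<user>|<expiry-epoch-seconds>|<nonce>.<hex HMAC-SHA256>".
    // Checks, in order: well-formed, signed with our secret, issued for this user, unexpired.
    static boolean isValidResponse(String response, String expectedUser, long nowSeconds,
            byte[] secret) throws GuacamoleServerException {
        int dot = response.lastIndexOf('.');
        if (dot < 0)
            return false;
        String payload = response.substring(0, dot);
        String sig = response.substring(dot + 1);

        // Constant-time comparison of the presented and recomputed MACs.
        byte[] expected = hmacHex(payload, secret).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.US_ASCII)))
            return false;

        String[] parts = payload.split("\\|", -1);
        if (parts.length != 3 || !parts[0].equals(expectedUser))
            return false;
        try {
            return Long.parseLong(parts[1]) > nowSeconds;
        }
        catch (NumberFormatException e) {
            return false;
        }
    }

    private static String hmacHex(String data, byte[] secret) throws GuacamoleServerException {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            StringBuilder hex = new StringBuilder();
            for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8)))
                hex.append(String.format("%02x", b));
            return hex.toString();
        }
        catch (java.security.GeneralSecurityException e) {
            throw new GuacamoleServerException("HMAC unavailable.", e);
        }
    }
}
```

Two points this ordering guards against: the signature is checked before any field of the payload is trusted, and the username inside the signed payload is compared with the identity Guacamole already established, so the second factor cannot be satisfied on behalf of someone else. Replay protection (recording each nonce as used) and the client-side field that launches the Okta widget are left out of this sketch and would need their own server-side state and JavaScript, as in the Duo extension.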
I believe this extension would add more value to the product. Please let me know if I am on the right thinking track.