Bug 7895 - support authentication via Okta
Summary: support authentication via Okta
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Depends on: 7641 4358
  Show dependency treegraph
Reported: 2022-04-20 08:47 CEST by Pierre Ossman
Modified: 2023-10-31 12:46 CET (History)
0 users

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2022-04-20 08:47:19 CEST
Okta ASA (Advanced Server Access) is an identity management software that provides single sign-on and a lot of detailed access control in order to improve security. There has been interest in making ThinLinc work with Okta to improve security.

Okta has existing support for improving security with SSH. It uses certificates to get rid of TOFU, and it also uses short-lived certificates that are fetched for each connection to make sure authentication and access control is fresh.

Unfortunately, this is handled in a magical way, so it doesn't work directly with ThinLinc. Users should either configure a ProxyCommand, or execute ssh via a wrapper.
Comment 1 Pierre Ossman cendio 2022-04-20 09:02:44 CEST
Also note that Okta also has an OTP solution that can be integrated with SSH using RADIUS. In that case, it is the double authentication (bug 2545) in ThinLinc that is in the way.
Comment 3 Pierre Ossman cendio 2023-10-31 12:46:57 CET
Okta supports both SAML and OIDC, so bug 8247 might be a way to resolve this for Web Access at least.

Note You need to log in before you can comment on or make changes to this bug.