I ran into an issue with Okta and the Remote Desktop Gateway/Network Policy Server not working correctly. This program overcomes the issues and allows for you to enforce multi-factor authentication on connections made through the RD Gateway.
Some assumptions were made when designing this program. This program only supports the Okta Push verification method. A user must already be setup/enrolled with a push factor. Second, no group enforcement is currently done on the Okta side. You must control access to your Remote Desktop services through the NPS.
You will need the following information:
- Your Okta tenant url (e.g. planet-express.okta.com)
- An API key from your tenant
- The shared RADIUS secret the calling station
To run the program standalone:
Ensure Python >=3.9 is installed. Edit the environment variables in the run.sh script.
pip3 install -r requirements.txt
/bin/sh run.sh
To run the program using Docker:
Edit the environment variables in the docker-compose.yml file. Then run:
docker-compose up -d
To follow security best practices, I recommend using the least privileged account permissions possible. To make this program work with Okta, a Help Desk Administrator level account is required. It is not recommended that you use an API key tied to a superadmin or org admin.
By default, the server will use the Okta username to locate the user record, however some systems use samAccountName as the username identifier. To locate user records in Okta by the samAccountName attribute, add the following to your run.sh:
export OKTA_USE_SAMACCOUNTNAME=trueTo reduce the likelihood that a user is prompted multiple times for a single authentication request, requests to the Okta verify endpoint are threaded. Internally, state is kept for each user_id that is authenticating. If multiple requests are received before the user has responded to the push challenge and the OKTA_POLL_TIMEOUT window has not expired yet, the subsequent requests will wait for the first request to complete and return the same result.
To customize the timeout period for the verification request, set the OKTA_POLL_TIMEOUT environment variable. Default setting is 60 seconds.
export OKTA_POLL_TIMEOUT=60export LOG_LEVEL=DEBUGYou can enable more verbose logging by setting the environment variable LOG_LEVEL to the required setting. The allowed values can be found in the Python Logging documentation. Upper or lowercase values are permitted as they will be automatically transformed to uppercase.