Okta MFA/OpenVPN Connect support


tgarons

Posts: 3
Joined: Sun Dec 27, 2009 3:06 am

Post by tgarons » Fri Jun 11, 2021 2:28 am
Does Viscosity support Okta MFA? I am trying to import an OpenVPN Connect configuration that uses Okta. The import succeeds, but the client goes into what looks like a loop in the log file: the connection is established, but then there's a "Server poll timeout" followed by a SIGUSR1, process restarting.

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Jun 11, 2021 4:47 pm
Hi tgarons,

It sounds like the setup you're connecting to is likely using SAML for authentication, which Viscosity doesn't currently support. However, we plan on adding SSO/SAML support alongside OpenVPN 2.5 support in a future update, which shouldn't be far off.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

skywise

Posts: 1
Joined: Sat Jul 31, 2021 1:19 am

Post by skywise » Sat Jul 31, 2021 1:22 am
Any update for SAML support?
Our company is using AWS VPN and will be switching to SAML for authentication.
I'm using Viscosity for its flexible DNS support and I'll have to go through quite a few hoops if I have to switch back to the AWS client in order to get the DNS working.

Please say soon. :)

Greg

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Aug 19, 2021 7:02 pm
Hi Greg,

The latest beta version of Viscosity includes SSO/SAML support:
https://www.sparklabs.com/support/kb/ar ... -versions/

However, one thing to keep in mind is that Viscosity supports OpenVPN's official SSO and SAML authentication protocol. In the past Amazon made their own custom changes to the OpenVPN protocol to support SAML; however, this implementation was flawed (and isn't compatible with the official support).

Cheers,
James

theeyeofsauron

Posts: 1
Joined: Wed Sep 29, 2021 12:50 pm

Post by theeyeofsauron » Wed Sep 29, 2021 12:53 pm
Hi Folks,

Can someone be a bit more specific on this?

"Amazon made their own custom changes to the OpenVPN protocol to support SAML, however this implementation was flawed (and isn’t compatible with the official support). "

What exactly is the issue?

Thanks,

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Sep 29, 2021 9:15 pm
Hi theeyeofsauron,

I've pulled a snippet from a support email with some more details:
To support the larger SAML authentication messages they appear to have patched OpenVPN to significantly expand OpenVPN’s control channel message size.

The reason why OpenVPN uses such a small size limit in the first place is to avoid potential MTU issues. By simply increasing the size like Amazon have (assuming the patch file and my reading of it is accurate), they’re relying on the packets to be correctly fragmented. However on setups with broken PMTUD (roughly 10% of internet connections) this approach will likely result in a hung connection attempt that eventually times out.

The good news is that OpenVPN 2.5 adds official SSO/SAML support, which is something that Viscosity will support in version 1.10. My recommendation would be to suggest to Amazon to adopt OpenVPN's official support for SSO/SAML so Viscosity (and other OpenVPN clients) will be able to work with their service.
Cheers,
James
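The failure mode James describes above (an enlarged control-channel message relying on fragmentation, which hangs when Path MTU Discovery is broken) can be modelled in a few lines. The following is an added illustration written for this thread, not Viscosity, OpenVPN or Amazon code. The packet-size limits (1024 bytes as a stand-in for a conservative control-channel packet, 8192 as a stand-in for a patched, enlarged limit), the 1400-byte bottleneck MTU, the 6000-byte "SAML message" and the retry count are all constructed assumptions chosen to show the behaviour, not values taken from either implementation.

```python
"""Toy model of how oversized control-channel packets behave on a path
with a PMTUD black hole. Constructed illustration, not OpenVPN code."""
from dataclasses import dataclass

# Assumed IPv4 (20) + UDP (8) header bytes added to every payload.
IP_UDP_OVERHEAD = 28

# Assumed stand-ins: a conservative per-packet control payload versus a
# patched, enlarged one that depends on the network fragmenting for it.
CONSERVATIVE_PACKET = 1024
ENLARGED_PACKET = 8192


@dataclass
class Path:
    """A network path with one bottleneck link of size `mtu`.

    pmtud_works=False models a black hole: a packet larger than the MTU
    is silently dropped and the sender never receives an ICMP
    'fragmentation needed' message telling it to send smaller packets.
    """
    mtu: int
    pmtud_works: bool

    def send(self, wire_size: int) -> str:
        if wire_size <= self.mtu:
            return "delivered"
        return "icmp_frag_needed" if self.pmtud_works else "dropped"


def send_control_message(msg_len: int, max_packet: int, path: Path,
                         max_retries: int = 3) -> dict:
    """Split a control message into packets of at most `max_packet`
    payload bytes and push them over `path`.

    A delivered packet advances the offset. An ICMP reply shrinks the
    payload to fit the learned path MTU. A silent drop is retransmitted
    unchanged up to `max_retries` times, after which the sender gives up
    (the 'hung connection attempt that eventually times out')."""
    payload = max_packet
    offset = 0
    packets_sent = 0
    while offset < msg_len:
        chunk = min(payload, msg_len - offset)
        retries = 0
        while True:
            packets_sent += 1
            result = path.send(chunk + IP_UDP_OVERHEAD)
            if result == "delivered":
                offset += chunk
                break
            if result == "icmp_frag_needed":
                # Sender learns the real path MTU and re-chunks.
                payload = path.mtu - IP_UDP_OVERHEAD
                chunk = min(payload, msg_len - offset)
                continue
            retries += 1  # silent drop: same packet, same size, again
            if retries > max_retries:
                return {"status": "timeout", "packets_sent": packets_sent,
                        "delivered_bytes": offset}
    return {"status": "delivered", "packets_sent": packets_sent,
            "delivered_bytes": offset}


def run_scenarios(msg_len: int = 6000, mtu: int = 1400) -> dict:
    """Compare both packet-size policies on a healthy and a broken path."""
    healthy = Path(mtu=mtu, pmtud_works=True)
    blackhole = Path(mtu=mtu, pmtud_works=False)
    return {
        "conservative/healthy": send_control_message(msg_len, CONSERVATIVE_PACKET, healthy),
        "conservative/blackhole": send_control_message(msg_len, CONSERVATIVE_PACKET, blackhole),
        "enlarged/healthy": send_control_message(msg_len, ENLARGED_PACKET, healthy),
        "enlarged/blackhole": send_control_message(msg_len, ENLARGED_PACKET, blackhole),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The conservative policy never emits a packet above the bottleneck MTU, so it completes on both paths. The enlarged policy works only when the path returns ICMP and the sender can shrink its packets; on the black-hole path the same oversized packet is retransmitted until the attempt is abandoned, which is the hung-then-timeout behaviour the post describes.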