
Okta MFA/OpenVPN Connect support

Posted: Fri Jun 11, 2021 2:28 am
by tgarons
Does Viscosity support Okta MFA? I am trying to import an OpenVPN Connect configuration that uses Okta. The import succeeds, but the client goes into what looks like a loop in the log file: The connection is established, but then there's a "Server poll timeout" followed by a SIGUSR1, process restarting.

Re: Okta MFA/OpenVPN Connect support

Posted: Fri Jun 11, 2021 4:47 pm
by James
Hi tgarons,

It sounds like the setup you're connecting to is likely using SAML for authentication, which Viscosity doesn't currently support. However, we plan on adding SSO/SAML support alongside OpenVPN 2.5 support in a future update, which shouldn't be far off.

Cheers,
James

Re: Okta MFA/OpenVPN Connect support

Posted: Sat Jul 31, 2021 1:22 am
by skywise
Any update for SAML support?
Our company is using AWS VPN and will be switching to SAML for authentication.
I'm using Viscosity for its flexible DNS support and I'll have to go through quite a few hoops if I have to switch back to the AWS client in order to get the DNS working.

Please say soon. :)

Greg

Re: Okta MFA/OpenVPN Connect support

Posted: Thu Aug 19, 2021 7:02 pm
by James
Hi Greg,

The latest beta version of Viscosity includes SSO/SAML support:
https://www.sparklabs.com/support/kb/ar ... -versions/

However one thing to keep in mind is that Viscosity supports OpenVPN's official SSO and SAML authentication protocol. In the past Amazon made their own custom changes to the OpenVPN protocol to support SAML, however this implementation was flawed (and isn’t compatible with the official support).

Cheers,
James

Re: Okta MFA/OpenVPN Connect support

Posted: Wed Sep 29, 2021 12:53 pm
by theeyeofsauron
Hi Folks,

Can someone be a bit more specific on this?

"Amazon made their own custom changes to the OpenVPN protocol to support SAML, however this implementation was flawed (and isn’t compatible with the official support). "

What exactly is the issue?

Thanks,

Re: Okta MFA/OpenVPN Connect support

Posted: Wed Sep 29, 2021 9:15 pm
by James
Hi theeyeofsauron,

I've pulled a snippet from a support email with some more details:
To support the larger SAML authentication messages they appear to have patched OpenVPN to significantly expand OpenVPN’s control channel message size.

The reason why OpenVPN uses such a small size limit in the first place is to avoid potential MTU issues. By simply increasing the size like Amazon have (assuming the patch file and my reading of it is accurate), they’re relying on the packets to be correctly fragmented. However on setups with broken PMTUD (roughly 10% of internet connections) this approach will likely result in a hung connection attempt that eventually times out.

The good news is that OpenVPN 2.5 adds official SSO/SAML support, which is something that Viscosity will support in version 1.10. My recommendation would be to suggest to Amazon to adopt OpenVPN’s official support for SSO/SAML so Viscosity (and other OpenVPN clients) will be able to work with their service.
Cheers,
James
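The failure mode James describes in the post above (an oversized control-channel datagram on a path where Path MTU Discovery is broken) can be reproduced in a small simulation. The script below is an added example written for this thread; it is not code from Viscosity, OpenVPN or the AWS client, and it does not reproduce OpenVPN's actual reliable layer. The hop MTU of 1400, the filtered-ICMP path, the 1200 byte "safe" payload size, the 2 byte sequence header and the 6 KB sample SAML response are all constructed for the demonstration. It contrasts sending one enlarged message in a single datagram (hung connection when "Fragmentation Needed" never reaches the sender) with carrying the same message as a sequence of small datagrams that never exceed the path MTU.

```python
"""Model of a hung connection attempt caused by an oversized UDP datagram
and broken PMTUD. Constructed example for this thread, not Viscosity,
OpenVPN or AWS code; all sizes and the sample payload are made up."""
from dataclasses import dataclass, field
from typing import Dict, List

IP_UDP_OVERHEAD = 28   # IPv4 header (20) + UDP header (8), in bytes
SAFE_PAYLOAD = 1200    # assumed conservative per-datagram payload: fits the
                       # 1280 byte IPv6 minimum MTU with room for headers


@dataclass
class SimPath:
    path_mtu: int                # smallest link MTU along the route (assumed)
    icmp_reaches_sender: bool    # False: "Fragmentation Needed" is filtered,
                                 # i.e. broken PMTUD
    delivered: List[bytes] = field(default_factory=list)

    def send(self, payload: bytes) -> str:
        """Send one UDP datagram with DF set; return what the sender sees."""
        if len(payload) + IP_UDP_OVERHEAD <= self.path_mtu:
            self.delivered.append(payload)
            return "ack"            # peer acknowledges the control packet
        if self.icmp_reaches_sender:
            return "frag_needed"    # sender learns the path MTU
        return "timeout"            # silently dropped: sender learns nothing


def send_as_single_message(path: SimPath, message: bytes, retries: int = 4) -> Dict:
    """Strategy A: the whole enlarged control message in one datagram,
    retried on timeout the way a reliable layer would. On a black-hole
    path every attempt times out, which is the 'hung' connection attempt."""
    for attempt in range(1, retries + 1):
        result = path.send(message)
        if result == "ack":
            return {"outcome": "delivered", "attempts": attempt}
        if result == "frag_needed":
            return {"outcome": "too_large", "attempts": attempt,
                    "max_payload": path.path_mtu - IP_UDP_OVERHEAD}
    return {"outcome": "hung", "attempts": retries}


def send_in_chunks(path: SimPath, message: bytes, max_payload: int = SAFE_PAYLOAD) -> Dict:
    """Strategy B: keep every datagram under a conservative size and carry
    the message as several small packets. Each chunk is prefixed with a
    2 byte big-endian sequence number so the peer can reassemble it."""
    body = max_payload - 2
    chunks = [message[i:i + body] for i in range(0, len(message), body)]
    for seq, chunk in enumerate(chunks):
        if path.send(seq.to_bytes(2, "big") + chunk) != "ack":
            return {"outcome": "hung", "packets": seq + 1}
    return {"outcome": "delivered", "packets": len(chunks)}


def reassemble(delivered: List[bytes]) -> bytes:
    """Peer side: order chunks by sequence number and strip the headers."""
    ordered = sorted(delivered, key=lambda p: int.from_bytes(p[:2], "big"))
    return b"".join(p[2:] for p in ordered)


# Constructed payload roughly the size of a base64-encoded SAML response,
# i.e. far larger than a small control-channel message would normally be.
SAML_RESPONSE = b"<samlp:Response>" + b"A" * 6000 + b"</samlp:Response>"


def demo() -> Dict[str, Dict]:
    results = {}
    # Healthy path: PMTUD works, so the sender is at least told it is too big.
    healthy = SimPath(path_mtu=1500, icmp_reaches_sender=True)
    results["single_healthy"] = send_as_single_message(healthy, SAML_RESPONSE)
    # Broken PMTUD: a 1400 byte hop (e.g. a tunnel) and filtered ICMP.
    broken = SimPath(path_mtu=1400, icmp_reaches_sender=False)
    results["single_broken"] = send_as_single_message(broken, SAML_RESPONSE)
    # Same broken path, small packets: nothing ever exceeds the path MTU.
    broken_chunked = SimPath(path_mtu=1400, icmp_reaches_sender=False)
    results["chunked_broken"] = send_in_chunks(broken_chunked, SAML_RESPONSE)
    results["chunked_broken"]["intact"] = (
        reassemble(broken_chunked.delivered) == SAML_RESPONSE
    )
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is the asymmetry between the two failure reports: on the healthy path the sender gets `frag_needed` immediately and can react, while on the filtered path it only ever sees timeouts and keeps retrying until the application gives up, which is what a "Server poll timeout" followed by a restart looks like from the client side. Keeping each datagram under a conservative size removes the dependence on PMTUD altogether.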