I ran into an issue with Okta and the Remote Desktop Gateway/Network Policy Server not working correctly. This program overcomes the issues and allows for you to enforce multi-factor authentication on connections made through the RD Gateway.
Some assumptions were made when designing this program. This program only supports the Okta Push verification method. A user must already be setup/enrolled with a push factor. Second, no group enforcement is currently done on the Okta side. You must control access to your Remote Desktop services through the NPS.
You will need the following information:
- Your Okta tenant url (e.g. planet-express.okta.com)
- An API key from your tenant
- The shared RADIUS secret the calling station
To run the program standalone:
Ensure Python >3.6 is installed. Edit the environment variables in the run.sh script.
pip3 install -r requirements.txt
/bin/sh run.sh
To run the program using Docker:
Edit the environment variables in the docker-compose.yml file. Then run:
docker-compose up -d
To follow security best practices, I recommend using the least privileged account permissions possible. To make this program work with Okta, a Help Desk Administrator level account is required. It is not recommended that you use an API key tied to a superadmin or org admin.
By default, the server will use the Okta username to locate the user record, however some systems use samAccountName as the username identifier. To locate user records in Okta by the samAccountName attribute, add the following to your run.sh:
export OKTA_USE_SAMACCOUNTNAME=true