Hi. Today I would like to configure multifactor authentication (MFA) for VMware Horizon 8 through Keycloak, with Keycloak acting as the RADIUS server that the Horizon Connection Server talks to.
What is MFA?
Multifactor authentication (MFA) is a multistep account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.
Which MFA protocols does Horizon support?
You can enable a Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying Connection Server settings in Horizon Administrator.
Prerequisites
Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.
1- For RSA SecurID authentication, export the sdconf.rec file for the Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.
2- For RADIUS authentication, follow the vendor’s configuration documentation. Make a note of the RADIUS server’s hostname or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2), and the shared secret. You will enter these values in Horizon Administrator. You can enter values for a primary and a secondary RADIUS authenticator.
Procedure
6. Click Add
Enter a name in the Authenticator name field. This name is displayed to users when they log in. You can also customize the username and passcode labels.
Hostname/Address: keycloak.khoshraftar.com
Authentication Port: 1812
Accounting Port: 0
Set the Accounting port to 0 unless you want to enable RADIUS accounting. Set it to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages and you set this port to a non-zero number, the messages are sent, ignored and retried a number of times, which delays authentication.
Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.
Authentication Type: PAP, CHAP, MS-CHAPv1 or MS-CHAPv2 (choose the type your RADIUS server is configured to accept)
Shared Secret: ***********
This must be the same as the shared secret configured on your RADIUS server. With PAP the user's password is only hidden with MD5 over the shared secret and a per-request random value, not encrypted, so use a long random secret and keep the Connection Server to RADIUS server path on a trusted network.
If you specify a realm prefix string, the string is placed at the beginning of the username when it is sent to the RADIUS server. For example, if the username entered in Horizon Client is Mohammad and the realm prefix Khoshraftar\ is specified, the username Khoshraftar\Mohammad is sent to the RADIUS server. Similarly, if you use the realm suffix (postfix) string @khoshraftar.com, the username mohammad@khoshraftar.com is sent to the RADIUS server.
Click Next
8. Click OK to save your changes.
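To show what the Connection Server actually puts on the wire with the settings above, here is an added example (it is not code from the original post, from Horizon or from the Keycloak RADIUS plugin). It builds an RFC 2865 Access-Request with the realm prefix applied, hides the User-Password the way PAP does, simulates the server's Access-Accept and runs the Response Authenticator check a client must do before trusting it. The shared secret "example-shared-secret", the NAS-Identifier "horizon-cs1" and the usernames are constructed sample values.

```python
"""RADIUS (RFC 2865) PAP Access-Request/Access-Accept, added example.
Not part of the original post, Horizon or the Keycloak RADIUS plugin;
secret, NAS-Identifier and usernames below are constructed samples."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # attribute types

def apply_realm(username: str, prefix: str = "", suffix: str = "") -> str:
    """Horizon prepends the realm prefix and appends the realm suffix verbatim."""
    return f"{prefix}{username}{suffix}"

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the 16-byte
    Request Authenticator.  Hiding, not encryption: anyone holding the shared
    secret and the packet recovers the password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs

def build_access_request(identifier, username, password, secret,
                         authenticator=None, nas_identifier="horizon-cs1"):
    """Client (Horizon) side.  The Request Authenticator must be fresh random
    bytes per request; it is a parameter only so tests can be deterministic."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _attr(NAS_IDENTIFIER, nas_identifier.encode()))
    return _packet(ACCESS_REQUEST, identifier, authenticator, attrs)

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs

def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, request, secret, attrs=b""):
    """Server side: the reply a RADIUS listener sends for this request."""
    _, identifier, request_auth, _ = parse_packet(request)
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return _packet(code, identifier, auth, attrs)

def verify_response(response, request, secret) -> bool:
    """Client check before trusting a reply: same Identifier as the outstanding
    request and a Response Authenticator computed with our secret.  Without it,
    anyone on the path could forge an Access-Accept."""
    code, identifier, resp_auth, _ = parse_packet(response)
    _, req_identifier, req_auth, _ = parse_packet(request)
    if identifier != req_identifier or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = response_authenticator(code, identifier, req_auth, response[20:], secret)
    return hmac.compare_digest(expected, resp_auth)

if __name__ == "__main__":
    secret = b"example-shared-secret"                      # constructed sample
    user = apply_realm("Mohammad", prefix="Khoshraftar\\")  # Khoshraftar\Mohammad
    request = build_access_request(1, user, "Passw0rd!", secret)
    accept = build_response(ACCESS_ACCEPT, request, secret)
    print(user, verify_response(accept, request, secret), verify_response(accept, request, b"wrong"))
```

Two things worth noticing when you run it: the hidden User-Password is fully recoverable by anyone who knows the shared secret, which is why the secret has to be long and random and the path to the RADIUS server trusted, and an Access-Accept built with a different secret fails the Response Authenticator check, which is the only thing standing between a spoofed reply and a successful login.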
What is Keycloak?
Keycloak is an open-source identity and access management solution.
How to install Keycloak?
You can download Keycloak from here. For this project I need RADIUS, which Keycloak does not ship by default, so a RADIUS plugin has to be added; you can configure it manually from this link.
But I want to describe a simple Keycloak RADIUS configuration in this blog.
- I downloaded the Java-based Keycloak RADIUS bundle from here.
- I installed an Ubuntu server and installed OpenJDK 11 on it.
- Copy the Keycloak files to the Ubuntu server and start it:

```bash
# Unpack the bundle and start Keycloak in development mode.
unzip keycloak-radius.zip -d keycloak-radius
cd keycloak-radius/

# Bootstrap admin credentials for the first start. admin/admin is only for
# the lab; change the password after the first login.
export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=admin

# start-dev serves plain HTTP on port 8080 and is meant for development, not production.
bin/kc.sh start-dev
```

- Open http://Server-IP-Address:8080
10. Username: admin
11. Password: admin
12. Under Manage, select Clients and click Create client.
13. Choose the radius protocol from the drop-down menu and fill in a Client ID.
Note: This Client ID must be the same as the Authenticator name in the Horizon configuration from the previous section.
14. Click Next
15. Click Save
16. Click on the Users section and click Add user.
Note: If you want to log in with a password only, leave Required user actions blank.
Click on Create and then click on the user that you created.
17. Click on the Set password button and type a password. If Temporary is turned on, the user must change the password at first login; I turned it off. Save.
Note: If you want to use an OTP, select Configure OTP from the Required user actions menu.
Go through step 17 to create a password for your user, then open this page:
18. http://your-ip-address:8080/realms/master/account/#/
Enter the username and password that you created.
19. Install one of the following applications on your mobile:
Google Authenticator
Microsoft Authenticator
FreeOTP
20. Open the application and scan the QR code.
21. Enter the one-time code provided by the application and submit it to finish the setup.
22. Open Horizon client
For the first scenario (password only), enter the username and password that you created in steps 16 and 17.
For the second scenario (password + OTP), enter the username and password from steps 16 and 17 and the one-time code from the authenticator you enrolled in steps 18 to 21.
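To make the OTP half of the second scenario checkable, here is an added example (not code from the original post or from Keycloak) of what the authenticator app enrolled in steps 19 to 21 computes and how the server verifies it. It assumes Keycloak's default OTP policy (TOTP, SHA1, 6 digits, 30-second period, look-ahead window of 1), which you can confirm under Realm settings, Authentication, OTP Policy. The otpauth URI is constructed and carries the RFC 6238 test seed so the codes can be checked against the RFC's published vectors.

```python
"""TOTP (RFC 6238) as shown by the phone and verified by the server.
Added example, not from the original post or Keycloak.  SAMPLE_URI is a
constructed QR-code payload carrying the RFC 6238 test seed."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Assumed: Keycloak's default OTP policy (TOTP, SHA1, 6 digits, 30 s, window 1).
DEFAULT_DIGITS, DEFAULT_PERIOD, DEFAULT_ALGORITHM, LOOK_AHEAD = 6, 30, "SHA1", 1

# Constructed enrolment URI; the secret is base32 of b"12345678901234567890".
SAMPLE_URI = ("otpauth://totp/khoshraftar:mohammad"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=khoshraftar"
              "&algorithm=SHA1&digits=6&period=30")

def secret_from_base32(text: str) -> bytes:
    """Manual-entry keys are base32 without padding; restore it before decoding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth://totp/... URI that the enrolment QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": secret_from_base32(q["secret"][0]),
        "digits": int(q.get("digits", [DEFAULT_DIGITS])[0]),
        "period": int(q.get("period", [DEFAULT_PERIOD])[0]),
        "algorithm": q.get("algorithm", [DEFAULT_ALGORITHM])[0].upper(),
    }

def hotp(secret: bytes, counter: int, digits=DEFAULT_DIGITS, algorithm=DEFAULT_ALGORITHM) -> str:
    """RFC 4226: HMAC over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits=DEFAULT_DIGITS,
         period=DEFAULT_PERIOD, algorithm=DEFAULT_ALGORITHM) -> str:
    """What the phone shows at a given Unix time (counter = time // period)."""
    return hotp(secret, unix_time // period, digits, algorithm)

def verify_totp(secret: bytes, code: str, unix_time: int, digits=DEFAULT_DIGITS,
                period=DEFAULT_PERIOD, algorithm=DEFAULT_ALGORITHM, window=LOOK_AHEAD) -> bool:
    """Server side: reject malformed codes outright, then accept the current step
    and `window` steps either side to tolerate clock skew, comparing each candidate
    in constant time.  A real server must also refuse to accept a code twice."""
    if len(code) != digits or not code.isdigit():
        return False
    step = unix_time // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    enrolled = parse_otpauth(SAMPLE_URI)
    now = 59  # RFC 6238 test time; use int(time.time()) for a live code
    code = totp(enrolled["secret"], now, enrolled["digits"], enrolled["period"], enrolled["algorithm"])
    print(enrolled["label"], code, verify_totp(enrolled["secret"], code, now + 30))
```

The window is the part to get right operationally: with a window of 1 a code stays valid for up to 90 seconds across three steps, so a larger window buys tolerance for badly synchronised phones at the price of a longer replay window, and the "never accept the same code twice" rule in the comment is what keeps a shoulder-surfed code from being reused inside that time.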
23. If you need Active Directory users, go to the Configure section and click User federation.
24. Click on the Add new provider
25. Enter a UI display name and the Connection URL: ldap://dc1.khoshraftar.com (prefer ldaps:// in production, because a plain ldap:// bind sends the bind credential in cleartext).
Enter the Bind DN, the Active Directory account Keycloak uses to connect to the domain controller, and its password in Bind credential, then fill in the other parameters.
26. Click on the Save button.
27. Import your users from the Users section and configure them like the local user in step 16.
Finish 🙂