2FA with TOTP

Keeper Connection Manager provides support for TOTP as a second authentication factor, verifying the identities of enrolled users using authentication codes generated with the TOTP standard.

Docker Environmental Variables

To enable TOTP add the following lines to the "environment" section of the "guacamole" service in the docker-compose.yml file. Only the EXTENSIONS: totp line is required, the rest are optional.

TOTP_ISSUER: "KCM"
TOTP_DIGITS: "6"
TOTP_PERIOD: "30"
TOTP_MODE: "sha1"
EXTENSIONS: "totp"

For example:

        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "XXXXXXXXX"
            KSM_CONFIG: ""
            TOTP_ISSUER: "KCM"
            TOTP_DIGITS: "6"
            TOTP_PERIOD: "30"
            TOTP_MODE: "sha1"
            EXTENSIONS: "totp"

The image keeper/guacamole can be modified to support TOTP using environmental variables. See the TOTP_* variables defined in the documentation.

TOTP with SAML / OIDC

Keeper Connection Manager supports the use of 2FA with TOTP in addition to supporting SAML or OIDC authentication. If TOTP is configured along with SAML, the user will be prompted for 2FA after successfully authenticating with the identity provider.