You can use Groove.id as an LDAP server. In this model, whenever a user tries to log in, they’ll receive a notification on their phone. When they acknowledge it, the signin continues.
When a user tries to sign in to the VPN, they will enter their email address and anything for the password. (1)
The VPN concentrator (or other network device) passes the request to Groove.id via LDAP. (2)
Groove.id sends a signin request to the user’s mobile phone. (3)
The user approves the signin request. (4)
The request is passed back to the VPN concentrator (5 and 6).
The VPN concentrator allows the connection to proceed. (7)
In the Groove.id console, create an API key. Add the scopes sync and user to the key. This authorizes your device to retrieve information about users.
On the VPN concentrator (or other network device), create an LDAP server group.
You can add properties to the login DN to change the behavior of the signin request in the mobile app, for example:
cn=vpn,headline=Sign to VPN,subhead=vpn.example.com,level=medium,dc=example,dc=com
The headline and subhead are displayed in the app. The level is low or medium (“high” is not recommended because the mobile app only achieves medium; high is reserved for provisioning).
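An added example, not Groove.id's own code: a Python helper that builds a login DN like the one above and lints one before it goes into a device configuration. It assumes attribute values follow RFC 4514 escaping, so a comma inside a headline has to be written as `\,`; the function names are hypothetical.

```python
# Added example, not Groove.id code. Assumption: values use RFC 4514 escaping.
import re
RECOMMENDED_LEVELS = ("low", "medium")  # "high" is reserved for provisioning

def escape_value(value):
    """Escape one value so a comma or '=' in it cannot split the DN."""
    out = ["\\" + c if c in ',+"\\<>;=' else c for c in value]
    if out and out[0] in (" ", "#"):
        out[0] = "\\" + out[0]
    if out and out[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)

def build_login_dn(name, base_dn, headline=None, subhead=None, level=None):
    """Return cn=<name>,<optional properties>,<base_dn> (hypothetical helper)."""
    if level is not None and level not in RECOMMENDED_LEVELS:
        raise ValueError("level must be one of %r" % (RECOMMENDED_LEVELS,))
    props = [("cn", name), ("headline", headline), ("subhead", subhead), ("level", level)]
    rdns = ["%s=%s" % (k, escape_value(v)) for k, v in props if v is not None]
    return ",".join(rdns + [base_dn])

def parse_dn(dn):
    """Split on unescaped commas; value is None when a piece has no '='.
    Hex-pair escapes (\\2C) are not decoded; escape_value never emits them."""
    pieces, buf, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if dn[i] == ",":
            pieces.append(buf)
            buf = ""
        else:
            buf += dn[i:i + step]
        i += step
    pieces.append(buf)
    out = []
    for piece in pieces:
        attr, sep, value = piece.partition("=")
        out.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value) if sep else None))
    return out

def lint_login_dn(dn):
    """Return warnings for a login DN before it goes into a device config."""
    warnings = []
    for attr, value in parse_dn(dn):
        if value is None:
            warnings.append("'%s' has no '=': unescaped comma in a value?" % attr)
        elif attr == "level" and value not in RECOMMENDED_LEVELS:
            warnings.append("level=%s is not low or medium" % value)
    return warnings
```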
Note: If you use
uid as the naming attribute instead.