You can use Groove.id as an LDAP server. In this model, whenever a user tries to log in, they receive a notification on their phone; once they acknowledge it, the signin continues.
LDAP flow diagram
When a user tries to sign in to the VPN, they will enter their email address and anything for the password. (1)
The VPN concentrator (or other network device) passes the request to Groove.id via LDAP. (2)
Groove.id sends a signin request to the user’s mobile phone. (3)
The user approves the signin request. (4)
The approval is passed back to the VPN concentrator (5 and 6).
The VPN concentrator allows the connection to proceed. (7)
In the Groove.id console, create an API key. Add the scopes sync and user to the key. This authorizes your device to retrieve information about users.
On the VPN concentrator (or other network device), create an LDAP server group.
- Server Name or IP Address: signin.example.com (or whatever your Groove.id hostname is)
- Timeout: 60 seconds (allows time for the user to respond to a push)
- Enable LDAP over SSL: checked
- Port: 636
- Server Type: Generic
- Base DN:
- Scope: All levels beneath the Base DN
- Naming Attribute(s):
- Login DN:
- Login Password: (use the api key from above)
You can add properties to the login DN to change the behavior of the signin request in the mobile app, for example:
- Login DN: cn=vpn,headline=Sign to VPN,subhead=vpn.example.com,level=medium,dc=example,dc=com
The headline and subhead are displayed in the app. The level is low or medium ("high" is not recommended: the mobile app only achieves medium, and high is reserved for provisioning).
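As an added example (not Groove.id's own code), the following parses a Login DN like the one above into its cn, headline, subhead, level and base components, handling RFC 4514 backslash-escaped commas so a headline containing a comma is not split, and rejecting a level the mobile app cannot satisfy. The fallback to "low" when no level is given is an assumption, not something the page states.

```python
# Added example: parse a Groove.id-style Login DN into its attribute/value
# pairs and validate the signin level ("high" is reserved for provisioning).
from typing import Dict, List

ALLOWED_LEVELS = {"low", "medium"}


def split_rdns(dn: str) -> List[str]:
    # Split on unescaped commas only; a "\," stays inside its value.
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_login_dn(dn: str) -> Dict[str, str]:
    attrs: Dict[str, str] = {}
    dcs: List[str] = []
    for rdn in split_rdns(dn):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key = key.strip().lower()
        if key == "dc":
            dcs.append(value)  # dc components form the base DN, in order
        else:
            attrs[key] = value
    if "cn" not in attrs:
        raise ValueError("login DN must carry a cn")
    level = attrs.get("level", "low")  # assumption: absent level means low
    if level not in ALLOWED_LEVELS:
        raise ValueError(f"level {level!r} is not allowed for a signin push")
    return {
        "cn": attrs["cn"],
        "headline": attrs.get("headline", ""),
        "subhead": attrs.get("subhead", ""),
        "level": level,
        "base": ",".join(f"dc={d}" for d in dcs),
    }
```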
Note: If you use
uid as the naming attribute instead.