Differences


documentation:2.1:applications:guacamole [2019/04/16 18:30] (current)
maxbes created
Line 1: Line 1:
 +====== Guacamole ======
 +
 +{{ :​applications:​guacamole.png?​nolink |}}
 +
 +===== Presentation =====
 +
 +[[https://​guacamole.apache.org/​|Apache Guacamole]] is a web-based remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
 +
 +As of version 0.9.14, Guacamole can use [[.:​..:​idpopenidconnect|OpenID Connect]] , [[.:​..:​idpcas|CAS]] or [[.:​..:​writingrulesand_headers|HTTP Headers]] as authentication sources through plug-ins.
 +
 +This document explains how to implement OpenID Connect
 +
 +===== Pre-requisites =====
 +
 +==== Guacamole ====
 +
 +Refer to [[http://​guacamole.apache.org/​doc/​gug/​|the official Guacamole documentation]] to install Guacamole, either manually or through Docker images
 +
 +You need to be able to enable extensions. If you are using docker, you need to [[http://​guacamole.apache.org/​doc/​gug/​guacamole-docker.html#​guacamole-docker-guacamole-home| follow these instructions in order to provide your own extensions directory and Guacamole configuration file]]
 +
 +Your Guacamole configuration directory will look something like this.
 +
 +<​code>​
 +├── extensions
 +│   ​└── 00-guacamole-auth-openid-1.0.0.jar
 +└── guacamole.properties
 +</​code>​
 +
 +
 +<note warning>​Make sure to rename the JAR in a way that [[https://​lists.apache.org/​thread.html/​b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E|ensures that it will be loaded first]]</​note>​
 +
 +And ''​guacamole.properties''​ should contain at least
 +
 +<​code>​
 +openid-authorization-endpoint:​ http://​auth.example.com/​oauth2/​authorize
 +openid-jwks-endpoint:​ http://​auth.example.com/​oauth2/​jwks
 +openid-issuer:​ http://​auth.example.com
 +openid-client-id:​ guacamole
 +openid-redirect-uri:​ http://​guacamole.example.com/​guacamole/​
 +openid-username-claim-type:​ sub
 +</​code>​
 +
 +<note tip>​Remplace the ''​redirect uri''​ with your Guacamole server'​s URL </​note>​
 +
 +==== LL:NG ====
 +
 +Make sure you have already [[.:​..:​idpopenidconnect|enabled OpenID Connect]] on your LemonLDAP::​NG server
 +
 +You also need to allow the ''​Implicit Flow''​ under ''​OpenID Connect Service''​ » ''​Security''​
 +
 +Then, add a Relaying Party with the following configuration
 +
 +  * Options » Authentification » Client ID : same as ''​openid-client-id''​ in ''​guacamole.properties''​
 +  * Options » Allowed redirection address : same as ''​openid-redirect-uri''​ in ''​guacamole.properties''​
 +  * Options » ID Token Signature Algorithm : ''​RS512''​
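Review bot: the sample ''guacamole.properties'' (the ''openid-authorization-endpoint'', ''openid-jwks-endpoint'', ''openid-issuer'' and ''openid-redirect-uri'' lines) uses plain ''http://'' for every URL; since the Implicit Flow enabled in the LL:NG section hands the ID token back to the redirect URI through the user's browser, the page should say that these must be ''https://'' URLs outside a lab, and that ''openid-issuer'' must match the issuer string LL:NG places in the token's ''iss'' claim character for character or the token will be rejected. Two smaller points: ''RS512'' under "ID Token Signature Algorithm" and the JAR renamed so it loads first are both requirements of the Guacamole OpenID extension, and the text should state them as such rather than as unexplained settings; and the typos "Remplace" (Replace), "Relaying Party" (Relying Party) and "Authentification" (Authentication) should be fixed, together with the missing full stops after "how to implement OpenID Connect", "through Docker images" and "configuration file]]".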