Differences
This shows you the differences between two versions of the page.
| — |
documentation:2.1:applications:guacamole [2019/04/16 18:30] (current) maxbes created |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Guacamole ====== | ||
| + | |||
| + | {{ :applications:guacamole.png?nolink |}} | ||
| + | |||
| + | ===== Presentation ===== | ||
| + | |||
| + | [[https://guacamole.apache.org/|Apache Guacamole]] is a web-based remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. | ||
| + | |||
| + | As of version 0.9.14, Guacamole can use [[.:..:idpopenidconnect|OpenID Connect]] , [[.:..:idpcas|CAS]] or [[.:..:writingrulesand_headers|HTTP Headers]] as authentication sources through plug-ins. | ||
| + | |||
| + | This document explains how to implement OpenID Connect | ||
| + | |||
| + | ===== Pre-requisites ===== | ||
| + | |||
| + | ==== Guacamole ==== | ||
| + | |||
| + | Refer to [[http://guacamole.apache.org/doc/gug/|the official Guacamole documentation]] to install Guacamole, either manually or through Docker images | ||
| + | |||
| + | You need to be able to enable extensions. If you are using docker, you need to [[http://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-guacamole-home| follow these instructions in order to provide your own extensions directory and Guacamole configuration file]] | ||
| + | |||
| + | Your Guacamole configuration directory will look something like this. | ||
| + | |||
| + | <code> | ||
| + | ├── extensions | ||
| + | │ └── 00-guacamole-auth-openid-1.0.0.jar | ||
| + | └── guacamole.properties | ||
| + | </code> | ||
| + | |||
| + | |||
| + | <note warning>Make sure to rename the JAR in a way that [[https://lists.apache.org/thread.html/b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E|ensures that it will be loaded first]]</note> | ||
| + | |||
| + | And ''guacamole.properties'' should contain at least | ||
| + | |||
| + | <code> | ||
| + | openid-authorization-endpoint: http://auth.example.com/oauth2/authorize | ||
| + | openid-jwks-endpoint: http://auth.example.com/oauth2/jwks | ||
| + | openid-issuer: http://auth.example.com | ||
| + | openid-client-id: guacamole | ||
| + | openid-redirect-uri: http://guacamole.example.com/guacamole/ | ||
| + | openid-username-claim-type: sub | ||
| + | </code> | ||
| + | |||
| + | <note tip>Remplace the ''redirect uri'' with your Guacamole server's URL </note> | ||
| + | |||
| + | ==== LL:NG ==== | ||
| + | |||
| + | Make sure you have already [[.:..:idpopenidconnect|enabled OpenID Connect]] on your LemonLDAP::NG server | ||
| + | |||
| + | You also need to allow the ''Implicit Flow'' under ''OpenID Connect Service'' » ''Security'' | ||
| + | |||
| + | Then, add a Relaying Party with the following configuration | ||
| + | |||
| + | * Options » Authentification » Client ID : same as ''openid-client-id'' in ''guacamole.properties'' | ||
| + | * Options » Allowed redirection address : same as ''openid-redirect-uri'' in ''guacamole.properties'' | ||
| + | * Options » ID Token Signature Algorithm : ''RS512'' | ||