documentation:2.1:applications:guacamole


documentation:2.1:applications:guacamole [2019/04/16 18:30] (current)
Line 1: Line 1:
 +====== Guacamole ======
 +
 +{{ :applications:guacamole.png?nolink |}}
 +
 +===== Presentation =====
 +
 +[[https://guacamole.apache.org/|Apache Guacamole]] is a web-based remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
 +
 +As of version 0.9.14, Guacamole can use [[.:..:idpopenidconnect|OpenID Connect]] , [[.:..:idpcas|CAS]] or [[.:..:writingrulesand_headers|HTTP Headers]] as authentication sources through plug-ins.
 +
 +This document explains how to implement OpenID Connect
 +
 +===== Pre-requisites =====
 +
 +==== Guacamole ====
 +
 +Refer to [[http://guacamole.apache.org/doc/gug/|the official Guacamole documentation]] to install Guacamole, either manually or through Docker images
 +
 +You need to be able to enable extensions. If you are using docker, you need to [[http://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-guacamole-home| follow these instructions in order to provide your own extensions directory and Guacamole configuration file]]
 +
 +Your Guacamole configuration directory will look something like this.
 +
 +<code>
 +├── extensions
 +│   └── 00-guacamole-auth-openid-1.0.0.jar
 +└── guacamole.properties
 +</code>
 +
 +
 +<note warning>Make sure to rename the JAR in a way that [[https://lists.apache.org/thread.html/b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E|ensures that it will be loaded first]]</note>
 +
 +And ''guacamole.properties'' should contain at least
 +
 +<code>
 +openid-authorization-endpoint: http://auth.example.com/oauth2/authorize
 +openid-jwks-endpoint: http://auth.example.com/oauth2/jwks
 +openid-issuer: http://auth.example.com
 +openid-client-id: guacamole
 +openid-redirect-uri: http://guacamole.example.com/guacamole/
 +openid-username-claim-type: sub
 +</code>
 +
 +<note tip>Remplace the ''redirect uri'' with your Guacamole server's URL </note>
 +
 +==== LL:NG ====
 +
 +Make sure you have already [[.:..:idpopenidconnect|enabled OpenID Connect]] on your LemonLDAP::NG server
 +
 +You also need to allow the ''Implicit Flow'' under ''OpenID Connect Service'' » ''Security''
 +
 +Then, add a Relaying Party with the following configuration
 +
 +  * Options » Authentification » Client ID : same as ''openid-client-id'' in ''guacamole.properties''
 +  * Options » Allowed redirection address : same as ''openid-redirect-uri'' in ''guacamole.properties''
 +  * Options » ID Token Signature Algorithm : ''RS512''
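Review bot: the example ''guacamole.properties'' block uses plain ''http://'' for every endpoint, including ''openid-redirect-uri'', yet the page then requires the Implicit Flow, in which the ID token is handed back to Guacamole through the browser redirect; the sample should use ''https://'' URLs and say that ''openid-issuer'' has to match the issuer string LL:NG puts in the token exactly, since any mismatch fails signature/issuer validation even when the other settings are right. Two wording slips in the same hunk: "Remplace" in the tip should read "Replace", and "Relaying Party" should be "Relying Party" (the OpenID Connect term; "Authentification" in the first bullet looks like the same French/English slip unless that is the literal menu label). The Implicit Flow step would also read better with one sentence on why it is needed and a note that it is a service-wide LL:NG setting rather than per-RP (it sits under ''OpenID Connect Service'' » ''Security'', not under the Relying Party options), so readers understand it affects every client on that server.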