Guacamole

Presentation

Apache Guacamole is a web-based remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.

As of version 0.9.14, Guacamole can use OpenID Connect, CAS or HTTP headers as authentication sources through plug-ins.

This document explains how to implement OpenID Connect authentication between Guacamole and LemonLDAP::NG.

Pre-requisites

Guacamole

Refer to the official Guacamole documentation to install Guacamole, either manually or through Docker images.

You need to be able to enable extensions. If you are using Docker, you need to follow these instructions in order to provide your own extensions directory and Guacamole configuration file.

Your Guacamole configuration directory will look something like this.

├── extensions
│   └── 00-guacamole-auth-openid-1.0.0.jar
└── guacamole.properties
Make sure to rename the JAR so that it is loaded before any other authentication extension: Guacamole loads extensions in alphabetical filename order, which is why the example above prefixes it with 00-.

And guacamole.properties should contain at least:

openid-authorization-endpoint: http://auth.example.com/oauth2/authorize
openid-jwks-endpoint: http://auth.example.com/oauth2/jwks
openid-issuer: http://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: http://guacamole.example.com/guacamole/
openid-username-claim-type: sub
Replace the redirect URI with your Guacamole server's URL. The http:// hostnames above are placeholders: in production, serve both LemonLDAP::NG and Guacamole over HTTPS, since the ID token is returned to that redirect URI in the URL fragment and would otherwise travel in clear text.

LL:NG

Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server

You also need to allow the Implicit Flow under OpenID Connect Service » Security, because the Guacamole extension receives the ID token directly from the authorization endpoint rather than exchanging an authorization code.

Then, add a Relying Party with the following configuration:

  • Options » Authentication » Client ID : same as openid-client-id in guacamole.properties
  • Options » Allowed redirection address : same as openid-redirect-uri in guacamole.properties
  • Options » ID Token Signature Algorithm : RS512
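The values in guacamole.properties and in the LemonLDAP::NG Relying Party must agree exactly (client ID, redirect URI, issuer origin, signature algorithm), and a mismatch usually shows up only as a silent login failure. The following script is an added example, not code from the Guacamole or LemonLDAP::NG projects: it parses a guacamole.properties file, checks those constraints (plus HTTPS on every URL when run in production mode) and prints the lemonldap-ng-cli invocations that register the matching Relying Party and enable the implicit flow. The sample properties are constructed from the fragment above with HTTPS substituted; the CLI path and the configuration key names are assumptions based on LemonLDAP::NG 2.x and should be checked against lmConfigEditor on your version.

```python
"""Consistency check for a Guacamole <-> LemonLDAP::NG OpenID Connect setup.

Added example, not part of either project. Parses guacamole.properties,
reports inconsistencies and emits the matching lemonldap-ng-cli commands.
"""
import shlex
from urllib.parse import urlparse

# Constructed sample: the minimum this page requires, switched to HTTPS.
SAMPLE_PROPERTIES = """\
openid-authorization-endpoint: https://auth.example.com/oauth2/authorize
openid-jwks-endpoint: https://auth.example.com/oauth2/jwks
openid-issuer: https://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.example.com/guacamole/
openid-username-claim-type: sub
"""

REQUIRED = (
    "openid-authorization-endpoint", "openid-jwks-endpoint", "openid-issuer",
    "openid-client-id", "openid-redirect-uri", "openid-username-claim-type",
)

# Assumption: default install path of the LL:NG command-line configurator.
CLI = "/usr/share/lemonldap-ng/bin/lemonldap-ng-cli"


def parse_properties(text):
    """Parse the 'key: value' (or 'key=value') lines of guacamole.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # The first ':' or '=' ends the key; URLs in values contain ':' too.
        sep = min((i for i in (line.find(":"), line.find("=")) if i >= 0),
                  default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_properties(props, production=True):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = [f"missing {key}" for key in REQUIRED if not props.get(key)]
    if problems:
        return problems
    issuer = urlparse(props["openid-issuer"])
    # Both endpoints must live on the issuer's origin, otherwise the ID token's
    # iss claim will not match the keys Guacamole fetches to verify it.
    for key in ("openid-authorization-endpoint", "openid-jwks-endpoint"):
        ep = urlparse(props[key])
        if (ep.scheme, ep.netloc) != (issuer.scheme, issuer.netloc):
            problems.append(f"{key} is not on the issuer's origin")
    # The ID token comes back in the fragment, so the registered URI cannot
    # already carry one.
    if urlparse(props["openid-redirect-uri"]).fragment:
        problems.append("openid-redirect-uri must not contain a fragment")
    if production:
        for key in ("openid-issuer", "openid-authorization-endpoint",
                    "openid-jwks-endpoint", "openid-redirect-uri"):
            if urlparse(props[key]).scheme != "https":
                problems.append(f"{key} must use https: the ID token travels "
                                "in the URL fragment of the redirect")
    return problems


def llng_cli_commands(props, rp_name="guacamole", sign_alg="RS512"):
    """Build the lemonldap-ng-cli argv lists that register the Relying Party.

    Assumption: key names follow LL:NG 2.x (oidcServiceAllowImplicitFlow,
    oidcRPMetaDataOptions/<rp>/...). Confirm them in lmConfigEditor first.
    """
    opts = f"oidcRPMetaDataOptions/{rp_name}"
    return [
        [CLI, "-yes", "1", "set", "oidcServiceAllowImplicitFlow", "1"],
        [CLI, "-yes", "1", "addKey",
         opts, "oidcRPMetaDataOptionsClientID", props["openid-client-id"],
         opts, "oidcRPMetaDataOptionsRedirectUris", props["openid-redirect-uri"],
         opts, "oidcRPMetaDataOptionsIDTokenSignAlg", sign_alg],
    ]


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for problem in check_properties(props):
        print("PROBLEM:", problem)
    for argv in llng_cli_commands(props):
        print(shlex.join(argv))
```

Run it against your real file by replacing SAMPLE_PROPERTIES with the contents of guacamole.properties; pass production=False to check_properties only on a throw-away lab where plain HTTP is acceptable.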