Guacamole
Presentation
Apache Guacamole is a web-based remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
As of version 0.9.14, Guacamole can use OpenID Connect, CAS or HTTP headers as authentication sources through plug-ins.
This document explains how to set up OpenID Connect authentication against LemonLDAP::NG.
Pre-requisites
Guacamole
Refer to the official Guacamole documentation to install Guacamole, either manually or through Docker images.
You need to be able to enable extensions. If you are using Docker, follow the official instructions for providing your own extensions directory and Guacamole configuration file.
Your Guacamole configuration directory will then look something like this:
├── extensions
│ └── 00-guacamole-auth-openid-1.0.0.jar
└── guacamole.properties
Danger
Make sure to rename the JAR in a way that ensures it will be loaded first (the 00- prefix in the listing above does this).
And guacamole.properties should contain at least:
openid-authorization-endpoint: http://auth.example.com/oauth2/authorize
openid-jwks-endpoint: http://auth.example.com/oauth2/jwks
openid-issuer: http://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: http://guacamole.example.com/guacamole/
openid-username-claim-type: sub
Tip
Replace the redirect URI with your Guacamole server's URL.
LL:NG
Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server.
You also need to allow the Implicit Flow under OpenID Connect Service » Security.
Then, add a Relying Party with the following configuration:
Options » Authentication » Client ID: same as openid-client-id in guacamole.properties
Options » Allowed redirection address: same as openid-redirect-uri in guacamole.properties
Options » ID Token Signature Algorithm: RS512
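The values above have to agree on both sides: the client ID and redirect URI in guacamole.properties must match what the LL:NG Relying Party allows, and the ID token must be signed with RS512 so the extension can verify it against the jwks endpoint. The following script is an added example (not part of this page, nor of the Guacamole or LemonLDAP::NG projects) that parses a guacamole.properties file, checks the openid-* keys for consistency, cross-checks them against a constructed description of the LL:NG Relying Party, and verifies that the OpenID JAR sorts first in the extensions directory. It assumes that Guacamole loads extensions in filename order (suggested by the 00- prefix used on this page) and it additionally flags plain http URLs, which the page's placeholders use but a deployment should not, because the implicit flow hands the ID token to the browser.

```python
import re
from urllib.parse import urlparse

# Keys the page lists as the minimum guacamole.properties content.
REQUIRED_KEYS = (
    "openid-authorization-endpoint",
    "openid-jwks-endpoint",
    "openid-issuer",
    "openid-client-id",
    "openid-redirect-uri",
    "openid-username-claim-type",
)

# Constructed sample that mirrors the page's example (example.com hosts are placeholders).
SAMPLE_PROPERTIES = """\
openid-authorization-endpoint: http://auth.example.com/oauth2/authorize
openid-jwks-endpoint: http://auth.example.com/oauth2/jwks
openid-issuer: http://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: http://guacamole.example.com/guacamole/
openid-username-claim-type: sub
"""

# Constructed listing of an extensions directory with a second, unrelated extension.
SAMPLE_EXTENSIONS = [
    "guacamole-auth-jdbc-mysql-1.0.0.jar",
    "00-guacamole-auth-openid-1.0.0.jar",
]

# Constructed view of the Relying Party as entered in the LL:NG manager (hypothetical field names).
SAMPLE_RP = {
    "client_id": "guacamole",
    "redirect_uris": ["http://guacamole.example.com/guacamole/"],
    "id_token_signature_alg": "RS512",
}


def parse_properties(text):
    """Parse the `key: value` (or `key=value`) lines of a guacamole.properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_openid_properties(props):
    """Return a list of findings; an empty list means the openid-* settings are consistent."""
    findings = []
    missing = [key for key in REQUIRED_KEYS if key not in props]
    findings.extend(f"missing key: {key}" for key in missing)
    if missing:
        return findings
    issuer = urlparse(props["openid-issuer"])
    for key in ("openid-authorization-endpoint", "openid-jwks-endpoint"):
        endpoint = urlparse(props[key])
        # Both endpoints must belong to the issuer whose keys will verify the ID token.
        if (endpoint.scheme, endpoint.netloc) != (issuer.scheme, issuer.netloc):
            findings.append(f"{key} is not served by openid-issuer")
    for key in ("openid-issuer", "openid-authorization-endpoint",
                "openid-jwks-endpoint", "openid-redirect-uri"):
        # The implicit flow returns the ID token through the browser, so every URL should be TLS.
        if urlparse(props[key]).scheme != "https":
            findings.append(f"{key} is not https")
    return findings


def openid_extension_loads_first(filenames):
    """True if the OpenID JAR sorts first among the extensions.

    Assumes extensions load in lexical filename order (an assumption in this example).
    """
    ordered = sorted(filenames)
    return bool(ordered) and "guacamole-auth-openid" in ordered[0]


def check_relying_party(props, rp):
    """Cross-check the LL:NG Relying Party settings against guacamole.properties."""
    findings = []
    if rp.get("client_id") != props.get("openid-client-id"):
        findings.append("client ID differs between LL:NG and guacamole.properties")
    if props.get("openid-redirect-uri") not in rp.get("redirect_uris", []):
        findings.append("openid-redirect-uri is not an allowed redirection address in LL:NG")
    if rp.get("id_token_signature_alg") != "RS512":
        findings.append("ID token signature algorithm should be RS512")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_openid_properties(props) + check_relying_party(props, SAMPLE_RP):
        print("WARN", finding)
    print("openid extension loads first:", openid_extension_loads_first(SAMPLE_EXTENSIONS))
```

Run against the page's sample values, the only warnings are the four "not https" findings; switching the placeholders to https URLs clears them. Changing the client ID or redirect URI on either side produces a matching finding, and the extensions check fails as soon as another JAR sorts ahead of the OpenID one.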