SAML 2.0 Authentication Configuration Properties

Advanced configuration properties for SAML 2.0 SSO

The properties listed here are only applicable if SAML 2.0 authentication is being used. Support for SAML 2.0 authentication is installed using the kcm-guacamole-auth-saml package or enabled with the Docker installation. If using the keeper/guacamole Docker image, support for SAML 2.0 authentication is configured using environment variables.

SAML 2.0 Configuration Properties

Controlling Login Behavior

Keeper Connection Manager loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the login process behaves when an SSO extension is present:

If the SSO extension has priority:

Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Keeper Connection Manager login screen.

If a non-SSO extension has priority:

Users that are not yet authenticated will be presented with a Keeper Connection Manager login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.

The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the extension-priority property within guacamole.properties.

Automatically redirecting all unauthenticated users

To redirect users to the SAML identity provider immediately (without a Keeper Connection Manager login screen), give the SAML extension priority over all others:

extension-priority: saml

Presenting unauthenticated users with a login screen

To give users a normal Keeper Connection Manager login screen, with the option to log in with traditional credentials or with SAML, make sure the SAML extension does not have priority:

extension-priority: *, saml
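The ordering rules above can be checked against an installation's extension list before a change is rolled out. The following is an added example, not Keeper Connection Manager code: it models the rules as this page states them, the filenames and the "database" namespace are constructed, and it assumes that extensions not named in extension-priority rank after the named ones when no * is present.

```python
def parse_priority(value):
    """Split an extension-priority value into its ordered entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def load_order(extensions, priority_value=None):
    """Return namespaces from highest to lowest priority.

    extensions maps filename -> namespace. With no extension-priority
    value, order falls back to alphabetical filename order.
    """
    entries = parse_priority(priority_value or "*")
    # Assumption: unlisted extensions take the position of "*",
    # or sort after every listed entry when "*" is absent.
    wildcard = entries.index("*") if "*" in entries else len(entries)

    def rank(item):
        filename, namespace = item
        position = entries.index(namespace) if namespace in entries else wildcard
        return (position, filename)  # filename breaks ties

    return [namespace for _, namespace in sorted(extensions.items(), key=rank)]


def login_behavior(extensions, priority_value=None, sso_namespaces=("saml",)):
    """Report what an unauthenticated user encounters first."""
    first = load_order(extensions, priority_value)[0]
    return "redirect-to-idp" if first in sso_namespaces else "login-screen"


# Constructed inventories: the same two extensions under different filenames.
INSTALLED = {"a-database-auth.jar": "database", "b-saml-auth.jar": "saml"}
SAML_SORTS_FIRST = {"a-saml-auth.jar": "saml", "b-database-auth.jar": "database"}

if __name__ == "__main__":
    for label, inventory in (("INSTALLED", INSTALLED),
                             ("SAML_SORTS_FIRST", SAML_SORTS_FIRST)):
        for value in (None, "saml", "*, saml"):
            print(label, repr(value), "->", login_behavior(inventory, value))
```

The second inventory shows why the property is worth setting explicitly: with no extension-priority value, a filename that happens to sort first makes SSO redirection the default.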
