Credential Pass-Through

Dynamic pass-through tokens

The values of connection parameters can contain "tokens" which will be dynamically replaced by Keeper Connection Manager when used. These tokens allow the values of connection parameters to vary dynamically by the user using the connection, and provide a simple means of forwarding authentication information without storing that information in the connection configuration itself, so long as the remote desktop connection uses the same credentials as Keeper Connection Manager.

Common uses for these tokens include:

Each token is of the form ${TOKEN_NAME}, where TOKEN_NAME is some descriptive name for the value the token represents. Tokens with no corresponding value will never be replaced, but should you need such text within your connection parameters, and wish to guarantee that this text will not be replaced with a token value, you can escape the token by adding an additional leading "$", as in "$${TOKEN_NAME}".

These tokens are replaced dynamically each time a connection is used. If two different users access the same connection at the same time, both users will be connected independently of each other using different sets of connection parameters.

Username/password pass-through

When a user authenticates with Keeper Connection Manager, the credentials that they used may be automatically passed through to their connections using the "${GUAC_USERNAME}" and "${GUAC_PASSWORD}" tokens. These may be specified within any connection parameters, including the parameters which specify the username and password to be used to connect to the remote desktop, thus allowing the administrator to explicitly define how and whether user credentials are passed through. Unless these tokens are specified by the administrator, no such pass-through will take place.

Parameter tokenDescription

${GUAC_USERNAME}

The username provided by the current user when they successfully authenticated for their current Guacamole session.

${GUAC_PASSWORD}

The password provided by the current user when they successfully authenticated for their current Keeper session.

Client hostname/address information

The hostname (if known) or IP address of the machine that the current Keeper user is connecting from may be included within connection parameters using the "${GUAC_CLIENT_HOSTNAME}" and "${GUAC_CLIENT_ADDRESS}" tokens respectively. Note that the client address may not be the true address of the user if they are connecting through one or more proxies, or if they are connecting through a VPN, and there may be no associated hostname for that address.

Parameter tokenDescription

${GUAC_CLIENT_ADDRESS}

The IPv4 or IPv6 address of the current Guacamole user. This will be the address of the client side of the HTTP connection to the Guacamole server at the time the current user logged in.

${GUAC_CLIENT_HOSTNAME}

The hostname of the current logged-in user. This will be the hostname of the client side of the HTTP connection to the Guacamole server at the time the current user logged in. If no such hostname can be determined, the IPv4 or IPv6 address will be used instead, and this token will be equivalent to ${GUAC_CLIENT_ADDRESS}.

Current date and time

Timestamps representing when the user started the connection may be included within connection parameters using the "${GUAC_DATE}" and "${GUAC_TIME}" tokens. Each of these tokens are replaced by values that consist only of digits. It is common to use these tokens within the parameter specifying the name of the session recording to be created, perhaps together with the "${GUAC_USERNAME}" token, to allow recordings to be given reasonably unique names and to be organized automatically.

For example, if connection were configured to record sessions to files names "${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}.guac", and a user named "someuser" connected to that connection on January 1st, 2020, at exactly midnight, the session recording created would be named "someuser-20200101-000000.guac".

Parameter tokenDescription

${GUAC_DATE}

The current date in the local time zone of the Guacamole server. This will be written in "YYYYMMDD" format, where "YYYY" is the year, "MM" is the month number, and "DD" is the day of the month, all zero-padded. When a user accesses a connection, this token will be dynamically replaced with the date that the connection began.

${GUAC_TIME}

The current time in the local time zone of the Guacamole server. This will be written in "HHMMSS" format, where "HH" is hours in 24-hour time, "MM" is minutes, and "SS" is seconds, all zero-padded. When a user accesses a connection, this token will be dynamically replaced with the time that the connection began.

Last updated