Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Configuration of Keeper Connection Manager Authentication methods
Instructions for authenticating users with a SAML 2.0 / SSO Identity Provider
Keeper Connection Manager can be configured to authenticate users with any SAML 2.0 compatible identity provider. Users can be forced to login with SAML, or you can make SAML an optional login link from the login page as shown below.
Run the reconfigure command listed below and press enter to accept all the pre-populated selections until you get to the SAML prompt.
Make sure you have transferred your metadata XML file onto the KCM server first.
Select Local metadata file (option 1). Enter the proper path where the XML file is located.
Remote metadata file (option 2) is easiest if you can get a URL that points to your idP's metadata XML file (Azure provides this).
Instructions for setting up your identity provider and retrieving the XML metadata are found in the guides blow. Any SAML 2.0 identity provider is compatible.
Enter your SAML IdP URL.
When asked about signed requests, if unsure, select no.
Enter your SAML entity ID, and then the group attribute (this must match to your IdP's group attribute).
Next, you're asked if you want SAML as the default login process. If you want SAML login to be an option (link) on the login page, select no. If you want SAML as the only possible method of authentication, select yes.
SSO Configuration is complete!
If you installed Keeper Connection Manager using the Docker Compose Install method, this does not come preconfigured with SAML support. The instructions for activating SAML are below:
(1) On the local instance, stop the containers.
(2) Edit the docker-compose file
Using the custom docker method requires modification of docker-compose.yml file to add SAML support. As root, edit your docker-compose.yml file and find the "guacamole" section.
Create a volume mount for sharing the metadata.xml file with the container. If you already have a shared volume for this purpose, you can use that one. There is also another section needed which needs SAML environmental variables. A sample file is listed below.
Notes:
Replace "/var/lib/guac_home" with the local path to your volume
Replace "https://demo.lurey.com" in 2 spots with your Keeper Connection Manager login URL
Only use this SAML group attribute if you're using Azure. Other identity providers will use a different Group attribute ID.
If you want ALL users to login with SAML, then remove the ADDITIONAL_GUACAMOLE_PROPERTIES line. As written, it will give users the choice of password or SAML login.
(3) Create the local folder volume if it doesn't exist yet
(4) Copy the metadata.xml file from your local computer (downloaded from step 8 above) into the location of the volume mount referenced in the guacamole section of the docker-compose file.
(5) Restart the containers
Configuration is complete.
Once you have activated the SAML module, there will be a new "Sign in with SAML" link on the login screen of the application as seen below:
Keeper Connection Manager SAML configuration with Microsoft Azure
Answer yes when asked if you want user accounts created automatically. If you select no, you'll need to create each account manually within KCM.
sudo ./kcm-setup.run reconfigurecd /path/to/docker-compose.yml
docker-compose stop guacamole:
image: keeper/guacamole:2
restart: unless-stopped
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "xxxxxxxx"
SAML_CALLBACK_URL: "https://demo.lurey.com"
SAML_IDP_METADATA_URL: "file:///etc/guacamole/metadata.xml"
SAML_ENTITY_ID: "https://demo.lurey.com"
SAML_GROUP_ATTRIBUTE: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ADDITIONAL_GUACAMOLE_PROPERTIES: "extension-priority: *, saml"
volumes:
- common-storage:/var/lib/guacamole
- "/etc/kcm-setup/metadata.xml:/etc/guacamole/metadata.xml:ro"sudo su
docker-compose up -d(3) Set up Single Sign On with SAML.
(4) Configure for SAML
(5) Set up the SAML properties to point Azure to your Keeper Connection Manager installation URL:
(6) To support Azure Group to Keeper Connection Manager User Group mappings, you can add a Group claim by editing the Attributes & Claims then adding a Group Claim.
When prompted, you can decide whether the group claim is always sent, or only for specific groups or assigned users. If unsure, choose all groups.
If you would like to automatically map group assignments in the identity provider to Keeper Connection Manager Groups, ensure that the saml-group-attribute parameter is defined to match the Identity Provider Group Attribute. The name of the Group in Keeper Connection Manager needs to match this identifier exactly in order for the mapping to work.
(7) Assign users and/or groups to the Keeper Connection Manager application, as you would normally do with any SAML connected app.
(8) Copy the URL of the App Federation Metadata and paste it into the prompt on your KCM server.
(9) Add the KCM Logo
From the "Properties" screen of the Enterprise Application, upload the KCM logo. The file can be downloaded below.
Here's how the logo will look:
Keeper Connection Manager SAML configuration with Okta
The first step regardless of installation method is to configure your SAML 2.0 identity provider using Okta.
(1) In Okta, go to Admin > Applications > Create App Integration and select SAML 2.0. Click Next.
(2) Give the Enterprise Application a name and upload the logo file linked below then click Next.
The image logo is here:
(3) Configure the SAML Settings
The SAML configuration should match the format as seen below:
Replace demo3.lurey.com with the URL of your Keeper Connection Manager domain.
Ensure the full path appears, e.g. https://DOMAIN/api/ext/saml/callback
For the Audience URI, use the path to the Login screen (remove the trailing slash). For example, https://demo3.lurey.com
Scroll down to the Group Attribute Statements. To send the group attribute, set the name to "groups", and the name format to "Basic". If you would like ALL groups assigned to the user to be sent to Keeper Connection Manager, select the "Matches regex" with a value of ".*"
Click Next.
(4) In the Feedback section, make the selections as appears below.
(5) Assign users and/or groups to the Keeper Connection Manager application, as you would normally do with any SAML connected app.
(6) Download the Okta Metadata file and save to your local machine as metadata.xml
The location of the metadata file depends on your version of the Okta interface. In this example there is a link called "Identity Provider metadata" on the application page. There may also be a text box that contains the metadata which you can copy and paste into a local file on your computer.
The metadata XML file could also be linked in the Sign On tab > SAML Signing Certificate section under "Actions".
Save the resulting metadata.xml file by selecting "Save page as..." in your browser.
The Okta side of the setup is complete. Note if you change anything, you need to re-download a new metadata.xml file. Transfer this metadata.xml file to your KCM server machine.
Keeper Connection Manager SAML configuration with OneLogin
The first step regardless of installation method is to configure your SAML 2.0 identity provider.
You must have OneLogin developer account.
Configure OneLogin
Log in to the Dashboard, and click Administration. Then Applications > Add App.
Search for SAML, and select SAML Test Connector (IdP).
When prompted, change the Display Name of your app. Enter an application name and description. You can also upload a Keeper Connection Manager logo. Click save.
Go to the Configuration tab, Update 3 fields: Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL with your KCM server URL and /api/ext/saml/callback on the end as shown below.
Click on the More Actions dropped-down menu. Select SAML Metadata to download and save the .XML file.
Under the Users tab on the top, find the users that need to log in using SSO, click into them and on the applications tab on the left, add the new SAML application to them.
This page documents the process of integrating PingIdentity with Keeper Connection Manager, which is also known as KCM. We will be adding SAML 2.0 application connectors between the two platforms.
Integrating Duo with Keeper Connection Manager for MFA
Integrating TOTP based authentication for 2FA
Keeper Connection Manager provides support for TOTP as a second authentication factor, verifying the identities of enrolled users using authentication codes generated with the TOTP standard.
To enable TOTP add the following lines to the "environment" section of the "guacamole" service in the docker-compose.yml file. Only the EXTENSIONS: totp line is required, the rest are optional.
For example:
Multiple LDAP Servers with KCM
Search for "Web SDK" (Do NOT select Keeper Security - this is for the Vault only)
Select Web SDK and click "Protect"
Capture the Client ID, Client Secret, and API Hostname
Provide these 3 configuration options as DUO_* environment variables in the keeper/guacamole Docker image.
The image keeper/guacamole section in the docker-compose.yaml file can be modified to support Duo using environment variables.
DUO_API_HOSTNAME
REQUIRED. The hostname of the Duo API endpoint that will be used to verify user identities, assigned by Duo when Guacamole was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
DUO_AUTH_TIMEOUT
The timeout, in minutes, for in-progress Duo authentication attempts. Authentication attempts exceeding this duration will be invalidated. By default, Duo authentication attempts will time out after 5 minutes.
DUO_CLIENT_ID
REQUIRED. The client ID provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
DUO_CLIENT_SECRET
REQUIRED. The client secret provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
DUO_REDIRECT_URI
REQUIRED. The user-facing URI that the Duo service can use to redirect an authenticated user's browser back to KCM. This is the URI that you use for the KCM deployment, e.g. https://kcm.company.com
Instructions for authenticating users with OpenID Connect
Keeper Connection Manager provides support for OpenID Connect for authentication.
The image keeper/guacamole can be modified to support OpenID using environmental variables. See the OPENID_* variables defined in the documentation.
keeper/guacamole can be modified to support TOTP using environmental variables. See the TOTP_* variables defined in the documentation.Keeper Connection Manager supports the use of 2FA with TOTP in addition to supporting SAML or OIDC authentication. If TOTP is configured along with SAML, the user will be prompted for 2FA after successfully authenticating with the identity provider.
TOTP_ISSUER: "KCM"
TOTP_DIGITS: "6"
TOTP_PERIOD: "30"
TOTP_MODE: "sha1"
EXTENSIONS: "totp" environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "XXXXXXXXX"
KSM_CONFIG: ""
TOTP_ISSUER: "KCM"
TOTP_DIGITS: "6"
TOTP_PERIOD: "30"
TOTP_MODE: "sha1"
EXTENSIONS: "totp"Give the Application a name such as "KCM," select SAML and Save.
Next, you'll encounter the SAML configuration. Select Manually Enter, then add the URL of your KCM server to the ACS URLs box as follows: https://<YOUR DOMAIN>/api/ext/saml/callback
Then add the URL of your KCM server to the Entity ID box as follows: https://<YOUR DOMAIN> and press Save.
Next, Edit Attribute Mappings. Since saml_subject is immutable, leave it as is. Add an attribute named EMAIL that has a Mapping of Username, and an attribute named groups that has a Mapping of Group Names.
Then Edit Configuration and scroll down to SUBJECT NAMEID FORMAT and select the option urn:oasis:names:to:SAML:1.1:nameid-format:emailAddress. And hit Save.
On the Overview section, verify that Access is for All Users (or the group you specified). Leave the Signon URL as the Default Signon Page. And Enable the Application by clicking the slider at the top of the application.
Download the Metadata file from the Configuration tab, and ensure that it is named to metadata.xml.
Ensure that all users are added with a Username that matches the email address of a user in your Keeper Connection Manager. **When you add users to Keeper Connection Manager use the matching email address, but leave the password blank.
LDAP_SERVERS will automatically create /etc/guacamole/ldap-servers.yml within the guacamole container.When using LDAP_SERVERS in your docker-compose.yml, don't volume mount the ldap-servers.yml file (since this will be handled automatically). For advanced or non-docker installations, .
version: "3"
services:
guacamole:
image: keeper/guacamole:2
restart: unless-stopped
depends_on:
- guacd
- db
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
LDAP_SERVERS: |
- hostname: server1.example.net
user-base-dn: OU=Users,DC=example,DC=net
username-attribute: sAMAccountName
search-bind-dn: CN=Guacamole,OU=Services,DC=example,DC=net
search-bind-password: SomePassword!
- hostname: server2.example.net
user-base-dn: OU=Users,DC=example,DC=net
username-attribute: sAMAccountName
search-bind-dn: CN=Guacamole,OU=Services,DC=example,DC=net
search-bind-password: SomePassword!
The keeper/guacamole-ssl-nginx image is specifically intended to provide SSL termination for the Guacamole image provided by Keeper for KCM. Historically, this image supported only a single hostname and configuration:
ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
environment:
SELF_SIGNED: "Y"
ACCEPT_EULA: "Y"
CONTENT_TYPE_OPTIONS: "Y"
CONTENT_SECURITY_POLICY: "Y"
GUACAMOLE_HOSTNAME: "guacamole"
SSL_HOSTNAME: "example.net"As of KCM 2.12.0, the keeper/guacamole-ssl-nginx image can be used with multiple hostnames and configurations via a special SERVERS environment variable that accepts YAML (or JSON).
The SERVERS variable must contain a YAML (or JSON) array of objects, where each object contains the name/value pairs of environment variables that should apply to that additional configuration. Any variable that is not specified is inherited from the top-level environment. For example:
The above configuration would result in an NGINX instance that handles both example.net and *.example.net hostnames equivalently. Both will get their own self-signed certificates because SELF_SIGNED is set to Y.
A more complex example:
The above configuration would result in an NGINX instance that generates and uses a self-signed certificate for *.example.net, but obtains a certificate for example.net from Let’s Encrypt.
IMPORTANT: The value of SERVERS must be a string, hence the | symbol within the above examples. If this symbol is omitted, then the YAML that follows is parsed as an object, and validation of the docker-compose.yml will fail, as all Docker environment variables must be strings.
NOTE: NGINX will use the first server as the default for any request that does not match any configured hostname. If any server declared in SERVERS should have this behavior, it must be the first server listed.
This documentation will detail how to connect your Oracle Cloud environment to Keeper Security Connection Manager for the purpose of Single Sign-On.
Go to your Oracle Admin Console and navigate to the Identity Domains Overview page, then select Applications as depicted above.
Click on Add Application.
Select SAML as the application type.
Apply the appropriate settings to the Application Information as needed for your security posture. Click on Edit SSO Configuration. Download the Metadata and rename the file to metadata.xml. Set the Entity ID to the URL of your Connection Manager server. For example: https://kcm.somedomain.com. For the Assertion Consumer URL, add /api/ext/saml/callback to the end of the domain URL. For example: https://kcm.somedomain.com/api/ext/saml/callback. Next, set the Name ID Format to Email Address and the Name ID Value to Primary Email. Leave the Signed SSO setting as Assertion. Uncheck the box to Include Signing Certificate in Signature, and leave the Signature Hashing Algorithm as SHA-256.
Assign attributes for email as listed above mapped to the value User Name. Add another attribute for groups with the settings of Type Value Group Membership and a Condition of All groups.
Assign users and groups as appropriate to your SAML application. You'll need to assign at least one user for testing purposes.
Connection Manager Server Configuration
Upload the metadata.xml file to your KCM server and move it into the directory /etc/kcm-setup.
Run the reconfigure command after production hours on your Connection Manager server.
Say Y to the option when presented to setup SAML support.
Select 1 for Local Metadata file. Then input the path of your metadata file as /etc/kcm-setup/metadata.xml and press enter. Answer N to Does your SAML IDP require signed requests? Input your SAML entity ID as the URL of your Connection Manager instance. For example: https://kcm.somedomain.com. Then enter groups as the SAML group attribute.
Choose which setting best applies to your security posture with regard to the default authentication method. If you want Just-In-Time provisioning of users, then answer Y to Would you like user accounts to be automatically created for each successful login?
Click the SAML link to authenticate to the main sign on page.
Your user email address should display in the top right corner after authenticating.
If multiple authentication methods are installed, Keeper Connection Manager will poll each method as it attempts to authenticate users, and will retrieve connection data from each method once a user has successfully authenticated. This behavior is designed to allow authentication methods to work together, and can be leveraged to authenticate Keeper Connection Manager users against LDAP while storing the connection data for those users within MySQL, PostgreSQL, or SQL Server.
When reading data from multiple authentication methods, Keeper compares the unique identifiers of users (usernames) and groups to determine identity. This means that user accounts from different authentication systems will be automatically combined by Keeper upon successful authentication as long as those user accounts have the same username, and group memberships will take effect across authentication systems so long as the unique names of those groups match.
If both LDAP and a database authentication method have been configured, Keeper will automatically attempt to authenticate against both systems whenever a user attempts to log in. The LDAP account will be considered equivalent to the database user if the username is identical, and that user will have access to any data associated with them via the database, as well as any visible objects within the LDAP directory. If that user has permission to query their group memberships within LDAP, and Keeper then the user's group membership will also be retrieved upon authentication, and the user will have access to any data associated with those groups via the database.
Rather than having to manually look up users or groups within the LDAP directory, and then manually create those same users and groups within Keeper Connection Manager, it is possible to set up administrative user accounts which can already see and manage available LDAP objects. This streamlines the administrative process, reducing the number of users which must be manually created to one.
To see LDAP objects within Keeper Connection Manager's administrative interface, one of the following tasks must be performed:
An administrative user within the Keeper Connection Manager database, such as the default “guacadmin” user, must be manually created within LDAP with the same username and with sufficient privileges to query all Guacamole users and groups defined within LDAP.
An administrative user must be manually created within Keeper Connection Manager having the same username as an LDAP user with sufficient privileges to query all Guacamole users and groups defined within LDAP.
Because a Keeper Connection Manager user created as defined above would have access to LDAP users and groups, database users and groups, and database connections, all of this data will be unified within the same administrative interface within Keeper Connection Manager. The user will be able to grant LDAP users and groups access to connections within the database to just as they would if only the database were in use.
Keeper Connection Manager SAML configuration with Google Workspace
Approve or Deny User's ability to authenticate with KSM using SSO
In an environment where KCM users may be automatically created from an SSO system, such as SAML or OpenID or PIV/CAC, administrators may wish to more tightly control whether those users are allows to use KCM. To facilitate this, KCM provides administrators an approve/deny workflow to decide whether an individual user should be allowed to authenticate with KCM using that SSO method.
To require approval for users signing in with a particular authentication method, use the require-account-approval property (or, for Docker, the REQUIRE_ACCOUNT_APPROVAL environment variable). This property accepts a comma-separated list of the names of all authentication methods that should require administrator approval. KCM supports the following authentication types:
Applying user-based account restrictions
ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
environment:
SELF_SIGNED: "Y"
ACCEPT_EULA: "Y"
CONTENT_TYPE_OPTIONS: "Y"
CONTENT_SECURITY_POLICY: "Y"
GUACAMOLE_HOSTNAME: "guacamole"
SERVERS: |
- SSL_HOSTNAME: "example.net"
- SSL_HOSTNAME: "*.example.net" ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
environment:
ACCEPT_EULA: "Y"
CONTENT_TYPE_OPTIONS: "Y"
CONTENT_SECURITY_POLICY: "Y"
GUACAMOLE_HOSTNAME: "guacamole"
SERVERS: |
- SSL_HOSTNAME: "example.net"
LETSENCRYPT_ACCEPT_TOS: "Y"
[email protected]
- SSL_HOSTNAME: "*.example.net"
SELF_SIGNED: "Y"Enter an application name and description. You can also upload a Keeper Connection Manager logo. The image logo is here:
Click Continue.
(3) Download the metadata.xml file
...and then click Continue
(4) Configure the SAML Settings
Update 3 fields: ACS URL, Entity ID and Name ID format.
The ACS URL needs to start with your Keeper Connection Manager domain followed by "/api/ext/saml/callback".
The Entity ID is just the Keeper Connection Manager domain.
The Name ID format must be EMAIL
Click Continue.
(5) Assign group membership (Optional)
You can now assign Group Membership to the Keeper Connection Manager application, which is optional. If you would like to assign a group, make sure that the "App Attribute" is groups (lowercase). Then click FINISH.
(6) Enable Access
After creating the SAML app, it is not yet active for all users. To enable access, click on View details and turn the application ON.
The Google Workspace side of the setup is complete. Note if you change anything, you need to re-download a new metadata.xml file.
Authentication Method
Name
Encrypted JSON
json
LDAP
ldap
OpenID
openid
SAML
saml
SSL/TLS Client Authentication (PIV/CAC)
ssl
For example, to require administrator approval for SAML and LDAP, you would specify:
The following examples shows a docker.yaml file with the SAML Authentication method enabled:
Once you have successfully configured and setup the authentication method, the corresponding SSO login method will be displayed on the login screen of the application. In the following image, the instance has been configured to use the saml authentication method:
Users with at least one authentication method that needs to be approved or denied will be shown in the user list with a “Pending Login Request” badge next to their username:
Administrators can approve/deny access for that user via that authentication method by editing the user account in KCM:
To manage user accounts:
Log in to your Keeper Connection Manager instance as an administrator.
Navigate to the Settings tab.
From here, you can create new users or edit existing ones.
When configuring a user account, the following restrictions can be applied:
Login Disabled: Prevents the user from logging in to the system.
Password Expired: Forces the user to reset their password at next login.
Allow Access After: Grants access starting at a specific date and time.
Do Not Allow Access After: Prevents access after a specific date and time.
Enable Account After: Activates the user account at a scheduled time.
Disable Account After: Deactivates the account after a scheduled time.
Individual users can be assigned a specific Keeper Secrets Manager configuration, allowing the user to use credentials from their vault for establishing privileged sessions to any target. See the Multiple Vaults Integration page for more info.
Permissions can be granted at the individual user level or inherited from a user group. Available permissions include:
Administer System: Full administrative rights over the instance.
Create New Users: Ability to create and manage user accounts.
Create New User Groups: Ability to create and assign user groups.
Create New Connections: Permission to define new connection entries.
Create New Connection Groups: Ability to group related connections.
Create New Sharing Profiles: Manage sharing templates and permissions.
Change Own Password: Allows users to update their own credentials.
Users can be assigned to one or more groups, inheriting the group’s permissions and restrictions.
In addition, administrators can assign:
Specific Connections: Restrict the user to a defined set of connections.
All Connections: Grant access to all available connections in the environment.
Keeper Connection Manager provides flexible user management options that include account restrictions, administrative permissions and connection targets.
guacConfigGroup object classWhen connection data is stored within your LDAP directory, each connection is represented by a special type of LDAP group, and permissions related to Keeper Connection Manager's connections can be managed directly with LDAP based on user membership of these groups. Doing this requires schema modifications which add a new object class called guacConfigGroup.
An LDIF file defining the schema changes in a manner compatible with OpenLDAP is provided by the kcm-guacamole-auth-ldap
require-account-approval: saml, ldap guacamole:
image: keeper/guacamole:2
restart: unless-stopped
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
SSL_PRIMARY_URI: "https://kcm.example.net"
SSL_CLIENT_AUTH_URI: "https://*.kcm.example.net"
SSL_SUBJECT_BASE_DN: "ou=test department,o=u.s. government,c=us"
POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
REQUIRE_ACCOUNT_APPROVAL: "saml"
/opt/keeper/share/guacamole-auth-ldap/schema/guacConfigGroup.ldifOnce this is done, connections can be defined by creating new guacConfigGroup objects within the LDAP directory. Each guacConfigGroup accepts a single guacConfigProtocol attribute, defining the protocol associated with the connection, and any number of guacConfigParameter attributes, each defining a connection parameter name/value pair. Users that should have access to the connection must be added as members of the guacConfigGroup using the member attribute.
For example, a connection accessible to two users which uses VNC to connect to localhost at port 5900 with the password “secret” could be defined with the following LDIF file:
To read connection data from LDAP, modify the /etc/kcm-setup/docker-compose.yml file.
The base DN of all connections defined within LDAP must be specified using the LDAP_CONFIG_BASE_DN property. This base DN should be the DN of the portion of the LDAP directory whose subtree contains all Keeper connections accessible via LDAP. Only connections defined within the subtree of this base DN will be visible.
The EXTENSION_PRIORITY property specifies the order that extensions should be loaded relative to each other. In the following example, all other extensions take priority over LDAP:
To control group membership using LDAP, modify the /etc/kcm-setup/docker-compose.yml file.
It is also possible grant entire groups access to connections using the seeAlso attribute. This attribute is a standard LDAP attribute, and will be taken into account by Keeper if the LDAP_GROUP_BASE_DN property is defined. This property defines the root of the subtree containing all groups which may apply to Keeper Connection Manager users authenticated using LDAP:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/keeper/share/guacamole-auth-ldap/schema/guacConfigGroup.ldifdn: cn=Example Connection,ou=groups,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Example Connection
guacConfigProtocol: vnc
guacConfigParameter: hostname=localhost
guacConfigParameter: port=5900
guacConfigParameter: password=secret
member: cn=user1,ou=people,dc=example,dc=net
member: cn=user2,ou=people,dc=example,dc=net guacamole:
image: keeper/guacamole:2
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "xxxxxxx"
# LDAP Connection
LDAP_HOSTNAME: "localhost"
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: "none"
## Optional Settings ##
# Read Connections from LDAP
LDAP_CONFIG_BASE_DN: "ou=connections,dc=example,dc=net"
# Force all other extensions to take priority over LDAP
EXTENSION_PRIORITY: "*, ldap" guacamole:
image: keeper/guacamole:2
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "xxxxxxx"
# LDAP Connection
LDAP_HOSTNAME: "localhost"
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: "none"
## Optional Settings ##
# Mapping Guacamole groups to LDAP DN's
LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=net"
LDAP_GROUP_NAME_ATTRIBUTE: "cn"sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgradedocker-compose stop
docker-compose up -d
If you installed Keeper Connection Manager using the Docker Install method, this does not come preconfigured with LDAP support. The instructions for activating LDAP are below:
(1) On the local instance, stop the containers.
Auto Docker Install:
Docker Compose Install:
(2) Edit the docker-compose file
Using the simple or custom docker method requires modification of docker-compose.yml file to add LDAP support. As root, edit your docker-compose.yml file and find the "guacamole" section.
(3) Restart the containers
Simple Install:
The containers should restart after the upgrade. If not run:
Custom Install:
Configuration is complete.
If you require the use of a custom Root Certificate for your LDAP server, you can volume mount the file /etc/pki/ca-trust/extracted/java/cacerts in your Docker Compose to override this certificate in the guacamole docker container.
Import the certificate into a Java truststore using "keytool".
Volume mount the cacerts file to your target guacamole docker container
Requiring SSL/TLS Client Authentication with KCM
Keeper Connection Manager can be configured to require SSL/TLS client authentication.
To implement device-based access security with Keeper Connection Manager, this can be accomplished using NGINX client certificates. A client certificate is installed into the web browser of your user's approved devices, and the server will only accept communication from a device with the client certificate installed.
The steps to activate this advanced level of protection is described in the steps below.
(1) Create a Certificate Authority (CA) Key
# Mapping Guacamole usernames to LDAP DN’s
LDAP_USER_BASE_DN: "ou=people,dc=example,dc=net"
LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"sudo ./kcm-setup.run stopcd /path/to/docker-compose.yml
docker-compose stop guacamole:
image: keeper/guacamole:2
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "xxxxxxx"
# LDAP Connection
LDAP_HOSTNAME: "localhost"
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: "none"
# Mapping Guacamole usernames to LDAP DN’s
LDAP_USER_BASE_DN: "ou=people,dc=example,dc=net"
## Optional Settings ##
LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"
# Indirect Username Mapping
LDAP_SEARCH_BIND_DN: "cn=someUser,ou=people,dc=example,dc=net"
LDAP_SEARCH_BIND_PASSWORD: "some_password"
# Mapping Guacamole groups to LDAP DN's
LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=net"
LDAP_GROUP_NAME_ATTRIBUTE: "cn"sudo ./kcm-setup.run upgradesudo ./kcm-setup.run startsudo su
docker-compose up -d # Indirect Username Mapping
LDAP_SEARCH_BIND_DN: "cn=someUser,ou=people,dc=example,dc=net"
LDAP_SEARCH_BIND_PASSWORD: "some_password" # Mapping Guacamole groups to LDAP DN's
LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=net"
LDAP_GROUP_NAME_ATTRIBUTE: "cn"Generate a CA Key with a strong auto-generated passphrase. Make sure to store the passphrase in your Keeper vault.
(2) Create a CA Certificate
A certificate is created with the CA Key. When answering the questions, you can leave the Common Name and Email empty. Save the information that you entered for Country, State, Locality, and Organization, because you may need these later when renewing the certificate.
Side Note: to analyze the certificate parameters, you can run the below command.
(3) Create a Client Key
For the end-user devices, a client key must be generated. You can decide if you would like to generate one key for all devices, or each user can generate their own key and request a certificate. The process is up to you. Generate a client key with a strong auto-generated passphrase. Make sure to store the passphrase in your Keeper vault.
(4) Create a CSR
For each Client Key, generate a CSR to create a signed certificate.
(5) Sign the CSR with the CA Key
You'll need to enter the CA passphrase from Step 1 to sign the request.
At this point, you now have a signed Client Certificate (client.crt).
(6) Convert the Client Certificate to PKCS#12
To import the certificate into a web browser, a pfx file in PKCS#12 is typically required. Generate the client.pfx file using the command below. A passphrase will be required. This passphrase will be provided to each of the users who need to install the certificate, so it should be used specifically for this purpose.
(7) Add to NGINX Config
The keeper/guacamole-ssl-nginx image can be configured to require SSL/TLS client authentication by specifying the CLIENT_CERTIFICATE_FILE environment variable. A user will only be able to connect to the KCM instance of NGINX using their browser if their browser has access to a private key that is signed by this certificate.
This variable is similar to the CERTIFICATE_FILE environment variable in that it points to a file within the container, but in this case it controls the certificate used to authenticate the client’s private key.
Example:
After updating the configuration, restart the containers.
(8) Test the configuration
Before installing the client certificate on the user's machine, load up the Keeper Connection Manager login screen to ensure that a 403 error is sent:
(9) Install the Client Certificate
For each end-user client device that will need access to Keeper Connection Manager, you will need to install the client certificate into the user's browser or machine. The installation of client certificates varies by platform.
On Windows
Double-click or right-click the client certificate (client.pfx) from Step 6 and enter the client certificate passphrase.
Restart the browser.
The next time Keeper Connection Manager is loaded, you can approve the certificate.
On Mac OS - Chrome
Import the client.pfx file by double-clicking or loading into the Keychain login Certificates section. In the "Trust" section of the certificate, mark as Always Trust.
Restart the browser and load the Keeper Connection Manager login screen to select the certificate.
On Mac OS - Firefox
Open Firefox > Preferences > search for Certificates and select Your Certificates tab. Click "Import" and select the client.pfx certificate file. Complete the import.
After successful import, the Keeper Connection Manager login screen will load.
Additional environment variables are also available to modify SSL/TLS auth behavior further:
Variable
Description
Default
ADDITIONAL_PROXY_CONFIG
Arbitrary, additional NGINX configuration statements that should be included within the location block that configures NGINX to proxy Guacamole.
SSL_VERIFY_CLIENT
Controls how and whether NGINX requires and verifies the certificate presented by the client (browser), as provided by the NGINX ssl_verify_client directive.
on
SSL_VERIFY_DEPTH
Controls how deep NGINX will follow through the client’s certificate chain when attempting to validate their certificate, as provided by the NGINX ssl_verify_depth directive.
1
openssl genrsa -des3 -out ca.key 4096openssl req -new -x509 -days 365 -key ca.key -out ca.crtopenssl x509 -in ca.crt -noout -textopenssl genrsa -des3 -out client.key 4096openssl req -new -key client.key -out client.csropenssl x509 -req -days 365 -in client.csr \
-CA ca.crt -CAkey ca.key \
-set_serial 01 -out client.crtopenssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
environment:
ACCEPT_EULA: "Y"
GUACAMOLE_HOSTNAME: guacamole
SSL_HOSTNAME: keeper.mycompany.com
CLIENT_CERTIFICATE_FILE: "/path/in/container/ca.crt"
volumes:
- "/local/path/to/keys:/path/in/container/"
Login to Keeper Connection Manager with a PIV/CAC device
KCM allows authentication with the web application using the DoD's Common Access Cards (CAC), as well as with any smart card supported by the browser for SSL client auth such as Personal Identity Verification (PIV).
This support depends on an SSL termination instance providing SSL/TLS authentication, a capability that was added to KCM version 2.12.0.
A typical configuration for PIV/CAC would be the following:
An SSL termination instance configured with : one for normal access (such as kcm.example.net) and another just for handling , which should ideally be a wildcard domain (such as *.login.kcm.example.net). The SSL client auth configuration would include the certificate of the CA providing the PIV/CAC cards.
PIV/CAC support installed and configured to authenticate users against *.login.kcm.example.net and redirect them back to kcm.example.net once ready.
Database backend configured to automatically create user accounts for users coming from SSO.
to require approval for users that SSO from PIV/CAC.
Support for PIV/CAC is configured using Keeper's new support for SSL/TLS client authentication. This support is provided by the “guacamole-auth-sso-ssl” extension, which we package as kcm-guacamole-auth-sso-ssl. Setting any SSL_* variable will implicitly include the kcm-guacamole-auth-sso-ssl package.
The following options will need to be set in the Docker container definition (or in guacamole.properties for linux distributions):
The following options are also available, though it would be unusual to need to set them:
Authenticating with PIV/CAC (or any smart card) via the browser is using . This capability was further enhanced for PIV/CAC by adding convenient configuration options for testing whether certificates have been revoked via OCSP or a CRL. For reference, the following are all options related to SSL/TLS client authentication currently supported by the Docker image:
The example docker-compose.yml below uses the following placeholders:
In practice, these values will vary, as will whether the user chooses to use MySQL or PostgreSQL. The example below was written using PostgreSQL.
Prior to configuring the user workflow, make sure to set the REQUIRE_ACCOUNT_APPROVAL key to the appropriate authentication method.
For PIV/CAC, you would set it to ssl:
Once you have successfully configured, there will be a new "Use Certificate or Smart Card" link on the login screen of the application as seen below:
For additional details on user creation workflow, visit this .
For each end-user client device that will need access to Keeper Connection Manager, you may need to install the internal CA as a trusted authority into the user's browser. The installation of CA trusted authority varies by platform.
SSL_SUBJECT_USERNAME_ATTRIBUTE
The LDAP attribute or attributes that may be used to represent a username within the subject DN of a user's X.509 certificate. If the least-significant attribute of the subject DN is not one of these attributes, the certificate will be rejected.
By default, any attribute is accepted.
The amount of time that the temporary, unique subdomain generated for SSL/TLS authentication may remain valid, in minutes.
This subdomain is used to ensure each SSL/TLS authentication attempt is fresh and does not potentially reuse a previous authentication attempt that was cached by the browser or OS. This interval must be long enough to allow for network delays in authenticating the user with the SSL termination service that enforces SSL/TLS client authentication, but short enough that an unused domain does not consume unnecessary server resources and cannot potentially be guessed while that subdomain is still valid. These subdomains are 128-bit secure random values.
This should not normally need to be set, though it’s conceivable that an administrator may wish to reduce this value.
5
ssl-max-token-validity
SSL_MAX_TOKEN_VALIDITY
The amount of time that a temporary authentication token for SSL/TLS authentication may remain valid, in minutes.
This token is used to represent the user's asserted identity after it has been verified by the SSL termination service. This interval must be long enough to allow for network delays in receiving the token, but short enough that unused tokens do not consume unnecessary server resources and cannot potentially be guessed while the token is still valid. These tokens are 256-bit secure random values.
This should not normally need to be set, though it’s conceivable that an administrator may wish to reduce this value.
5
Controls whether NGINX will use OCSP to check whether a client’s certificate has been revoked, as provided by NGINX ssl_ocsp directive. Setting this variable to on will use OCSP to check client certificates.
This variable will be ignored unless CLIENT_CERTIFICATE_FILE is specified.
If enabled, RESOLVER must also be specified.
off
RESOLVER
The DNS server that NGINX should use to resolve domain names. This is only required if OCSP is enabled.
SSL_VERIFY_CLIENT
Controls how and whether NGINX requires and verifies the certificate presented by the client (browser), as provided by NGINX ssl_verify_client directive.
on
SSL_VERIFY_DEPTH
Controls how deep NGINX will follow through the client’s certificate chain when attempting to validate their certificate, as provided by NGINX ssl_verify_depth directive.
1
The domain that users will visit with their browsers to use KCM.
/path/to/pki
The path on the Docker host containing the certificates and private keys used for SSL, including for client authentication.
/pki
The path within the Docker container that /path/to/pki should be mounted to, so that its files may be accessed by NGINX.
cac-certificate.pem
The filename of the PEM-format certificate that NGINX should use to validate the certificates it receives from users when they attempt to authenticate with smart cards.
ssl-client-auth-uri
SSL_CLIENT_AUTH_URI
REQUIRED. A wildcard URI that points to this Guacamole instance and requests SSL/TLS client authentication.
ssl-primary-uri
SSL_PRIMARY_URI
REQUIRED. A non-wildcard URI that points to this Guacamole instance and DOES NOT request SSL/TLS client authentication.
ssl-subject-base-dn
SSL_SUBJECT_BASE_DN
The base DN containing all valid subject DNs. If specified, only certificates asserting subject DNs beneath this base DN will be accepted.
By default, all DNs are accepted.
ssl-client-certificate-header
SSL_CLIENT_CERTIFICATE_HEADER
The name of the header to use to retrieve the URL-encoded client certificate from an HTTP request received from an SSL termination service providing SSL/TLS client authentication.
This should not normally need to be set, as the defaults of the keeper/guacamole-ssl-nginx image match the default value of this option.
X-Client-Certificate
ssl-client-verified-header
SSL_CLIENT_VERIFIED_HEADER
The name of the header to use to retrieve the verification status of the certificate an HTTP request received from an SSL termination service providing SSL/TLS client authentication. This value of this header must be "SUCCESS" (all uppercase) if the certificate was successfully verified.
This should not normally need to be set, as the defaults of the keeper/guacamole-ssl-nginx image match the default value of this option.
X-Client-Verified
ssl-max-domain-validity
ADDITIONAL_PROXY_CONFIG
Arbitrary, additional NGINX configuration statements that should be included within the location block that configures NGINX to proxy Guacamole.
CLIENT_CERTIFICATE_FILE
The certificate that NGINX should use to verify the certificate presented by the SSL/TLS client.
CLIENT_CRL_FILE
Controls the certificate revocation list (CRL) file that NGINX should use to check whether a client’s certificate has been revoked, as provided by NGINX ssl_crl directive. This file must be in PEM format and may contain multiple CRLs. If omitted, no CRL file will be used.
This variable will be ignored unless CLIENT_CERTIFICATE_FILE is specified.
If available, OCSP is often preferable to using a CRL file.
Placeholder
Description
PasswordForPostgresAdmin
Some reasonable password to assign to PostgreSQL’s postgres user - the typical root user of a PostgreSQL database. This account is used only if an administrator needs to manually connect to the database using a tool like psql.
guacamole_db
The name of the Guacamole database within PostgreSQL. This value is used automatically by kcm-setup.run and is documented as a reasonable value both within Keeper’s docs and upstream, so it is uncommon to use any other value here.
guacamole_user
The limited-privilege PostgreSQL user that Guacamole should use to execute queries against its database. This value is used automatically by kcm-setup.run and is documented as a reasonable value both within Keeper’s docs and upstream, so it is uncommon to use any other value here.
PasswordForGuacamole
Some reasonable password to assign to the PostgreSQL user that Guacamole will use to authenticate with the database as the limited-privilege account guacamole_user and execute queries.
ou=test department,o=u.s. government,c=us
The base DN of the subject DNs that should be accepted when presented via SSL/TLS client authentication (smart card authentication via browser).
ssl-subject-username-attribute
SSL_MAX_DOMAIN_VALIDITY
CLIENT_OCSP
kcm.example.net
version: "3"
services:
guacamole:
image: keeper/guacamole:2
restart: unless-stopped
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
POSTGRES_HOSTNAME: "db"
POSTGRES_DATABASE: "guacamole_db"
POSTGRES_USERNAME: "guacamole_user"
POSTGRES_PASSWORD: "PasswordForGuacamole"
SSL_PRIMARY_URI: "https://kcm.example.net"
SSL_CLIENT_AUTH_URI: "https://*.kcm.example.net"
SSL_SUBJECT_BASE_DN: "ou=test department,o=u.s. government,c=us"
POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
REQUIRE_ACCOUNT_APPROVAL: "ssl"
volumes:
- "common-storage:/var/lib/guacamole:rw"
db:
image: keeper/guacamole-db-postgres:2
restart: unless-stopped
environment:
ACCEPT_EULA: "Y"
GUACAMOLE_DATABASE: "guacamole_db"
GUACAMOLE_USERNAME: "guacamole_user"
GUACAMOLE_PASSWORD: "PasswordForGuacamole"
GUACAMOLE_ADMIN_PASSWORD: "guacadmin"
POSTGRES_PASSWORD: "PasswordForPostgresAdmin"
guacd:
image: keeper/guacd:2
restart: unless-stopped
environment:
ACCEPT_EULA: "Y"
volumes:
- "common-storage:/var/lib/guacamole:rw"
ssl:
image: keeper/guacamole-ssl-nginx:2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- "/path/to/pki:/pki:ro"
environment:
ACCEPT_EULA: "Y"
GUACAMOLE_HOSTNAME: "guacamole"
SERVERS: |
# Main hostname, referenced by SSL_PRIMARY_URI
- SSL_HOSTNAME: "kcm.example.net"
CERTIFICATE_FILE: "/pki/kcm.example.net.crt"
PRIVATE_KEY_FILE: "/pki/kcm.example.net.key"
# The default CSP must be overridden for the main URI to allow
# it to issue requests to its SSL/TLS-authenticating
# counterpart. The only change from the default CSP here is to
# add an the wildcard URI (including https://) to connect-src.
CONTENT_SECURITY_POLICY: "default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self' wss://kcm.example.net https://*.kcm.example.net; object-src 'self'; frame-src 'self' https:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; form-action 'self'; base-uri 'self'; frame-ancestors 'self';"
# Hostname requiring client auth, referenced by SSL_CLIENT_AUTH_URI
- SSL_HOSTNAME: "*.kcm.example.net"
CERTIFICATE_FILE: "/pki/_.kcm.example.net.crt"
PRIVATE_KEY_FILE: "/pki/_.kcm.example.net.key"
CLIENT_CERTIFICATE_FILE: "/pki/cac-certificate.pem"
SSL_VERIFY_CLIENT: "optional" # This is necessary to allow the webapp to receive
# verification failures. Without this, Nginx would
# respond directly to any verification failures and
# will not include the CORS headers necessary to
# allow the webapp to actually see that failure. This
# also allows the webapp to see the nature of the
# failure by investigating the headers Nginx sends.
# There are no such headers (and no such request) if
# this is set to "required" and Nginx aborts
# processing due to an invalid certificate.
volumes:
common-storage:
guacamole:
image: keeper/guacamole:2
restart: unless-stopped
environment:
ACCEPT_EULA: "Y"
GUACD_HOSTNAME: "guacd"
SSL_PRIMARY_URI: "https://kcm.example.net"
SSL_CLIENT_AUTH_URI: "https://*.kcm.example.net"
SSL_SUBJECT_BASE_DN: "ou=test department,o=u.s. government,c=us"
POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
REQUIRE_ACCOUNT_APPROVAL: "ssl"