OpenID Connect Configuration Properties
Advanced configuration properties for OpenID Connect Auth
The properties listed here are only applicable if OpenID authentication is being used. Support for OpenID authentication is installed using the kcm-guacamole-auth-openid package or enabled with the Docker installation. If using the keeper/guacamole Docker image, support for OpenID authentication is configured using environment variables.
OpenID Connect Configuration Properties
openid-authorization-endpoint
The authorization endpoint (URI) of the OpenID service.
This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the authorization_endpoint
property of the JSON file hosted at https://identity-provider
/.well-known/openid-configuration
, where https://identity-provider
is the base URL of the identity provider.
openid-jwks-endpoint
The endpoint (URI) of the JWKS service which defines how received ID tokens (JSON Web Tokens or JWTs) shall be validated.
This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the jwks_uri
property of the JSON file hosted at https://identity-provider
/.well-known/openid-configuration
, where https://identity-provider
is the base URL of the identity provider.
openid-issuer
The issuer to expect for all received ID tokens.
This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the issuer
property of the JSON file hosted at https://identity-provider
/.well-known/openid-configuration
, where https://identity-provider
is the base URL of the identity provider.
openid-client-id
The OpenID client ID which should be submitted to the OpenID service when necessary. This value is typically provided to you by the OpenID service when OpenID credentials are generated for your application.
openid-redirect-uri
The URI that should be submitted to the OpenID service such that they can redirect the authenticated user back to Keeper Connection Manager after the authentication process is complete. This must be the full URL that a user would enter into their browser to access Guacamole.
Additional optional properties are available to control how claims within received ID tokens are used to derive the user’s Keeper Connection Manager username, any associated groups, the OpenID scopes requested when user identities are confirmed, and to control the maximum amount of time allowed for various aspects of the conversation with the identity provider:
openid-username-claim-type
The claim type within any valid JWT that contains the authenticated user’s username. By default, the “email
” claim type is used.
openid-groups-claim-type
The claim type within any valid JWT that contains the list of groups of which the authenticated user is a member. By default, the “groups
” claim type is used.
openid-scope
The space-separated list of OpenID scopes to request. OpenID scopes determine the information returned within the OpenID token, and thus affect what values can be used as an authenticated user’s username. To be compliant with OpenID, at least “openid profile
” must be requested. By default, “openid email profile
” is used.
openid-allowed-clock-skew
The amount of clock skew tolerated for timestamp comparisons between the Keeper Connection Manger server and OpenID service clocks, in seconds. By default, clock skew of up to 30 seconds is tolerated.
openid-max-token-validity
The maximum amount of time that an OpenID token should remain valid, in minutes. By default, each OpenID token remains valid for 300 minutes (5 hours).
openid-max-nonce-validity
The maximum amount of time that a nonce generated by the Keeper Connection Manager server should remain valid, in minutes. As each OpenID request has a unique nonce value, this imposes an upper limit on the amount of time any particular OpenID request can result in successful authentication within Keeper Connection Manager. By default, each generated nonce expires after 10 minutes.
Controlling Login Behavior
Keeper Connection Manager loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the login process behaves when an SSO extension is present:
If the SSO extension has priority:
Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Keeper Connection Manager login screen.
If a non-SSO extension has priority:
Users that are not yet authenticated will be presented with a Keeper Connection Manager login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.
The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the extension-priority
property within guacamole.properties
.
Automatically redirecting all unauthenticated users
To ensure users are redirected to the OpenID identity provider immediately (without a Keeper Connection Manager login screen), ensure the OpenID extension has priority over all others:
Presenting unauthenticated users with a login screen
To ensure users are given a normal Keeper Connection Manager login screen and have the option to log in with traditional credentials or with OpenID, ensure the OpenID extension does not have priority:
Last updated