OpenID Connect Configuration Properties

Advanced configuration properties for OpenID Connect Auth

The properties listed here are only applicable if OpenID authentication is being used. Support for OpenID authentication is installed using the kcm-guacamole-auth-openid package or enabled with the Docker installation. If using the keeper/guacamole Docker image, support for OpenID authentication is configured using environment variables.

OpenID Connect Configuration Properties

Property name Description

Property name	Description
`openid-authorization-endpoint`	The authorization endpoint (URI) of the OpenID service. This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the `authorization_endpoint` property of the JSON file hosted at `https://identity-provider/.well-known/openid-configuration`, where `https://identity-provider` is the base URL of the identity provider.
`openid-jwks-endpoint`	The endpoint (URI) of the JWKS service which defines how received ID tokens (JSON Web Tokens or JWTs) shall be validated. This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the `jwks_uri` property of the JSON file hosted at `https://identity-provider/.well-known/openid-configuration`, where `https://identity-provider` is the base URL of the identity provider.
`openid-issuer`	The issuer to expect for all received ID tokens. This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the `issuer` property of the JSON file hosted at `https://identity-provider/.well-known/openid-configuration`, where `https://identity-provider` is the base URL of the identity provider.
`openid-client-id`	The OpenID client ID which should be submitted to the OpenID service when necessary. This value is typically provided to you by the OpenID service when OpenID credentials are generated for your application.
`openid-redirect-uri`	The URI that should be submitted to the OpenID service such that they can redirect the authenticated user back to Keeper Connection Manager after the authentication process is complete. This must be the full URL that a user would enter into their browser to access Guacamole.

openid-authorization-endpoint

The authorization endpoint (URI) of the OpenID service.

This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the authorization_endpoint property of the JSON file hosted at https://identity-provider/.well-known/openid-configuration, where https://identity-provider is the base URL of the identity provider.

openid-jwks-endpoint

The endpoint (URI) of the JWKS service which defines how received ID tokens (JSON Web Tokens or JWTs) shall be validated.

This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the jwks_uri property of the JSON file hosted at https://identity-provider/.well-known/openid-configuration, where https://identity-provider is the base URL of the identity provider.

openid-issuer

The issuer to expect for all received ID tokens.

This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the issuer property of the JSON file hosted at https://identity-provider/.well-known/openid-configuration, where https://identity-provider is the base URL of the identity provider.

openid-client-id

The OpenID client ID which should be submitted to the OpenID service when necessary. This value is typically provided to you by the OpenID service when OpenID credentials are generated for your application.

openid-redirect-uri

The URI that should be submitted to the OpenID service such that they can redirect the authenticated user back to Keeper Connection Manager after the authentication process is complete. This must be the full URL that a user would enter into their browser to access Guacamole.

Additional optional properties are available to control how claims within received ID tokens are used to derive the user’s Keeper Connection Manager username, any associated groups, the OpenID scopes requested when user identities are confirmed, and to control the maximum amount of time allowed for various aspects of the conversation with the identity provider:

Property name Description

Property name	Description
`openid-username-claim-type`	The claim type within any valid JWT that contains the authenticated user’s username. By default, the “`email`” claim type is used.
`openid-groups-claim-type`	The claim type within any valid JWT that contains the list of groups of which the authenticated user is a member. By default, the “`groups`” claim type is used.
`openid-scope`	The space-separated list of OpenID scopes to request. OpenID scopes determine the information returned within the OpenID token, and thus affect what values can be used as an authenticated user’s username. To be compliant with OpenID, at least “`openid profile`” must be requested. By default, “`openid email profile`” is used.
`openid-allowed-clock-skew`	The amount of clock skew tolerated for timestamp comparisons between the Keeper Connection Manger server and OpenID service clocks, in seconds. By default, clock skew of up to 30 seconds is tolerated.
`openid-max-token-validity`	The maximum amount of time that an OpenID token should remain valid, in minutes. By default, each OpenID token remains valid for 300 minutes (5 hours).
`openid-max-nonce-validity`	The maximum amount of time that a nonce generated by the Keeper Connection Manager server should remain valid, in minutes. As each OpenID request has a unique nonce value, this imposes an upper limit on the amount of time any particular OpenID request can result in successful authentication within Keeper Connection Manager. By default, each generated nonce expires after 10 minutes.

openid-username-claim-type

The claim type within any valid JWT that contains the authenticated user’s username. By default, the “email” claim type is used.

openid-groups-claim-type

The claim type within any valid JWT that contains the list of groups of which the authenticated user is a member. By default, the “groups” claim type is used.

openid-scope

The space-separated list of OpenID scopes to request. OpenID scopes determine the information returned within the OpenID token, and thus affect what values can be used as an authenticated user’s username. To be compliant with OpenID, at least “openid profile” must be requested. By default, “openid email profile” is used.

openid-allowed-clock-skew

The amount of clock skew tolerated for timestamp comparisons between the Keeper Connection Manger server and OpenID service clocks, in seconds. By default, clock skew of up to 30 seconds is tolerated.

openid-max-token-validity

The maximum amount of time that an OpenID token should remain valid, in minutes. By default, each OpenID token remains valid for 300 minutes (5 hours).

openid-max-nonce-validity

The maximum amount of time that a nonce generated by the Keeper Connection Manager server should remain valid, in minutes. As each OpenID request has a unique nonce value, this imposes an upper limit on the amount of time any particular OpenID request can result in successful authentication within Keeper Connection Manager. By default, each generated nonce expires after 10 minutes.

Keeper Connection Manager loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the login process behaves when an SSO extension is present:

If the SSO extension has priority:

Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Keeper Connection Manager login screen.

If a non-SSO extension has priority:

Users that are not yet authenticated will be presented with a Keeper Connection Manager login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.

The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the extension-priority property within guacamole.properties.

Automatically redirecting all unauthenticated users

To ensure users are redirected to the OpenID identity provider immediately (without a Keeper Connection Manager login screen), ensure the OpenID extension has priority over all others:

extension-priority: openid

Presenting unauthenticated users with a login screen

To ensure users are given a normal Keeper Connection Manager login screen and have the option to log in with traditional credentials or with OpenID, ensure the OpenID extension does not have priority:

extension-priority: *, openid

PreviousSAML 2.0 Authentication Configuration Properties NextDuo Two-Factor Authentication Configuration Properties

Last updated 1 year ago

OpenID Connect Configuration Properties

Controlling Login Behavior