Dynamic Tokens
Using the integration between Connection Manager and Vault with dynamic field lookups
Dynamic Tokens
When using the vault integration, specific tokens are replaced by the corresponding value from a Keeper record.
There are dynamic and static tokens. Dynamic tokens will search the Keeper vault for a matching hostname to extract the necessary fields. Static tokens can be created that explicitly reference a particular Keeper record and field.
Hostname Matching
Keeper Records can be assigned to connections by the "Hostname" field in the connection and the "Hostname or IP Address" field in the vault record.
If these two values match, Connection Manager will fetch and replace tokens in other connection fields with values from the record, such as Username, Password, Domain, etc...
User Matching
Keeper Records can be assigned to connections by the "Username" field in the connection and the "Login" field in the vault record.
If these two values match, Connection Manager will fetch and replace tokens in other connection fields with values from the record.
As one example, this is useful for mapping a single SSH key to multiple servers. This way, you don't need to store one record per host in the vault. A single Keeper vault record can be used to authenticate any number of connections. Below is a Connection that is set up to match on Username.
The corresponding vault record is seen below. No hostname is specified in the vault record, so the match will occur based on the login field.
For user-based matching, ensure that the Keeper record does not have a Hostname/Port. It should simply contain the username and password (or private key).
Available Tokens
The built-in tokens each correspond to a record field. The table below lists each token and its corresponding record field. These tokens are applicable to all connection types.
Standard Tokens
Domain and Username Splitting
Parameter Token
Description
${KEEPER_SERVER_USERNAME}
Retrieves: “Login” field of single matched record
Matches: Record with hostname / IP address matching the value of the “hostname” connection parameter.
${KEEPER_SERVER_KEY}
Retrieves: “Private Key” field (or single .pem file attachment) of single matched record
Matches: Record with hostname / IP address matching the value of the “hostname” connection parameter.
${KEEPER_SERVER_PASSPHRASE}
Retrieves: “Passphrase” field (or “password” if no passphrase) of single matched record
Matches: Record with hostname / IP address matching the value of the “hostname” connection parameter.
${KEEPER_SERVER_PASSWORD}
Retrieves: “Password” field of single matched record
Matches: Record with hostname / IP address matching the value of the “hostname” connection parameter.
${KEEPER_SERVER_DOMAIN}
Retrieves: “Domain” custom field of single matched record
Matches: Record with hostname / IP address matching the value of the “hostname” connection parameter.
${KEEPER_USER_KEY}
Retrieves: “Private Key” field (or single .pem file attachment) of single matched record
Matches: Record with login matching the “username” connection parameter.
${KEEPER_USER_PASSPHRASE}
Retrieves: “Passphrase” field (or “password” if no passphrase) of single matched record
Matches: Record with login matching the “username” connection parameter
${KEEPER_USER_PASSWORD}
Retrieves: “Password” field of single matched record
Matches: Record with login matching the “username” connection parameter
${KEEPER_USER_DOMAIN}
Retrieves: “Domain” custom field of single matched record
Matches: Record with login matching the “username” connection parameter
Some username fields are of the format: Domain\Username
or Username@Domain
but the connection details need only the domain or username. Use these tokens to automatically split these fields and use the corresponding field:
${KEEPER_*_DOMAIN}
Retrieves: “Domain” part of the "Login" field of single matched record
Matches: Record with hostname / IP address matching the value of the “hostname” connection parameter.
${KEEPER_*_USERNAME}
Retrieves: “Username” part of the "Login" field of single matched record
Matches: Record with hostname / IP address matching the value of the “hostname” connection parameter.
Alternatively you can set KSM_STRIP_WINDOWS_DOMAINS
to true
in guacamole.properties to automatically strip all login fields into separate 'USERNAME' and 'DOMAIN' fields accessible by tokens
Gateway Tokens
The tokens below are applicable only to connection types that have gateway support (RDP).
Parameter Token
Description
${KEEPER_GATEWAY_USERNAME}
Retrieves: “Login” field of single matched record
Matches: Record with hostname / IP address matching the value of the “gateway-hostname” connection parameter.
${KEEPER_GATEWAY_KEY}
Retrieves: “Private Key” field (or single .pem file attachment) of single matched record
Matches: Record with hostname / IP address matching the value of the “gateway-hostname” connection parameter.
${KEEPER_GATEWAY_PASSPHRASE}
Retrieves: “Passphrase” field (or “password” if no passphrase) of single matched record
Matches: Record with hostname / IP address matching the value of the “gateway-hostname” connection parameter.
${KEEPER_GATEWAY_PASSWORD}
Retrieves: “Password” field of single matched record
Matches: Record with hostname / IP address matching the value of the “gateway-hostname” connection parameter.
${KEEPER_GATEWAY_USER_KEY}
Retrieves: “Private Key” field (or single .pem file attachment) of single matched record
Matches: Record with login matching the “gateway-username” connection parameter.
${KEEPER_GATEWAY_USER_PASSPHRASE}
Retrieves: “Passphrase” field (or “password” if no passphrase) of single matched record
Matches: Record with login matching the “gateway-username” connection parameter
${KEEPER_GATEWAY_USER_PASSWORD}
Retrieves: “Password” field of single matched record
Matches: Record with login matching the “gateway-username” connection parameter
Windows Username/Domain Parsing
KCM will identify the Domain, Username and Password fields from the Keeper Vault record, as long as there is a field with the corresponding name. For example:
Automatic Parsing of Domain from Login Field
The Windows "Domain" and "Username" field can be parsed if the Login value in the Keeper Vault is supplied in the format of DOMAIN\Username
or Domain@Username
.
To activate automatic parsing, the environmental variable KSM_STRIP_WINDOWS_DOMAINS
must be added to the Docker Config file.
For example:
In the record, the Login field can then contain
Last updated