Dynamic Tokens

Using the integration between Connection Manager and Vault with dynamic field lookups

When using the vault integration, specific tokens are replaced by the corresponding value from a Keeper record.

There are dynamic and static tokens. Dynamic tokens will search the Keeper vault for a matching hostname to extract the necessary fields. Static tokens can be created that explicitly reference a particular Keeper record and field.

Hostname Matching

Keeper Records can be assigned to connections by the "Hostname" field in the connection and the "Hostname or IP Address" field in the vault record.

If these two values match, Connection Manager fetches the record and replaces tokens in the connection's other fields with values from it, such as Username, Password and Domain.

[Image: Example of Linux Connection Matching]
[Image: SSH Connection with Secrets Manager Integration]
[Image: Example of Windows Login]

User Matching

Keeper Records can be assigned to connections by the "Username" field in the connection and the "Login" field in the vault record.

If these two values match, Connection Manager will fetch and replace tokens in other connection fields with values from the record.

As one example, this is useful for mapping a single SSH key to multiple servers. This way, you don't need to store one record per host in the vault. A single Keeper vault record can be used to authenticate any number of connections. Below is a Connection that is set up to match on Username.

[Image: Example Connection with User Matching]

The corresponding vault record is seen below. No hostname is specified in the vault record, so the match will occur based on the login field.

[Image: Vault Record match on User]

For user-based matching, ensure that the Keeper record does not have a Hostname/Port. It should simply contain the username and password (or private key).

Available Tokens

The built-in tokens each correspond to a record field. The table below lists each token and its corresponding record field. These tokens are applicable to all connection types.

Standard Tokens

Each entry gives the token, the record field it retrieves, and the rule used to match the record.

${KEEPER_SERVER_USERNAME}
    Retrieves: "Login" field of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "hostname" connection parameter.

${KEEPER_SERVER_KEY}
    Retrieves: "Private Key" field (or single .pem file attachment) of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "hostname" connection parameter.

${KEEPER_SERVER_PASSPHRASE}
    Retrieves: "Passphrase" field (or "Password" if there is no passphrase) of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "hostname" connection parameter.

${KEEPER_SERVER_PASSWORD}
    Retrieves: "Password" field of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "hostname" connection parameter.

${KEEPER_SERVER_DOMAIN}
    Retrieves: "Domain" custom field of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "hostname" connection parameter.

${KEEPER_USER_KEY}
    Retrieves: "Private Key" field (or single .pem file attachment) of the single matched record.
    Matches: record whose login matches the "username" connection parameter.

${KEEPER_USER_PASSPHRASE}
    Retrieves: "Passphrase" field (or "Password" if there is no passphrase) of the single matched record.
    Matches: record whose login matches the "username" connection parameter.

${KEEPER_USER_PASSWORD}
    Retrieves: "Password" field of the single matched record.
    Matches: record whose login matches the "username" connection parameter.

${KEEPER_USER_DOMAIN}
    Retrieves: "Domain" custom field of the single matched record.
    Matches: record whose login matches the "username" connection parameter.

Domain and Username Splitting

Some Login fields have the format Domain\Username or Username@Domain, while the connection needs only the domain or only the username. Use these tokens to split such a field automatically and take the corresponding part:

${KEEPER_*_DOMAIN}
    Retrieves: "Domain" part of the "Login" field of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "hostname" connection parameter.

${KEEPER_*_USERNAME}
    Retrieves: "Username" part of the "Login" field of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "hostname" connection parameter.

Alternatively, you can set KSM_STRIP_WINDOWS_DOMAINS to true in guacamole.properties to automatically split every Login field into separate "USERNAME" and "DOMAIN" parts that the tokens can access.

Gateway Tokens

The tokens below are applicable only to connection types that have gateway support (RDP).

${KEEPER_GATEWAY_USERNAME}
    Retrieves: "Login" field of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "gateway-hostname" connection parameter.

${KEEPER_GATEWAY_KEY}
    Retrieves: "Private Key" field (or single .pem file attachment) of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "gateway-hostname" connection parameter.

${KEEPER_GATEWAY_PASSPHRASE}
    Retrieves: "Passphrase" field (or "Password" if there is no passphrase) of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "gateway-hostname" connection parameter.

${KEEPER_GATEWAY_PASSWORD}
    Retrieves: "Password" field of the single matched record.
    Matches: record whose hostname / IP address matches the value of the "gateway-hostname" connection parameter.

${KEEPER_GATEWAY_USER_KEY}
    Retrieves: "Private Key" field (or single .pem file attachment) of the single matched record.
    Matches: record whose login matches the "gateway-username" connection parameter.

${KEEPER_GATEWAY_USER_PASSPHRASE}
    Retrieves: "Passphrase" field (or "Password" if there is no passphrase) of the single matched record.
    Matches: record whose login matches the "gateway-username" connection parameter.

${KEEPER_GATEWAY_USER_PASSWORD}
    Retrieves: "Password" field of the single matched record.
    Matches: record whose login matches the "gateway-username" connection parameter.
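The matching rules in the Hostname Matching and User Matching sections, the token tables above, and the Domain and Username Splitting behaviour are easiest to reason about when written down as a small resolver. The following Python is an added illustration and is not Keeper Connection Manager's own code: the VaultRecord layout, the connection dictionaries, and every sample value are constructed for the example, and treating KSM_STRIP_WINDOWS_DOMAINS as a flag that makes the USERNAME and DOMAIN tokens return the split parts of the Login field is this example's reading of the text. What the page's tables imply but do not spell out is shown directly: a token that matches zero or several records is an error rather than a guess, a record that carries a hostname is never used for user matching, and PASSPHRASE falls back to the password.

```python
"""Model of the ${KEEPER_*} token-replacement rules described on this page.

Added illustration, not Keeper Connection Manager's own code. Record and
connection layouts and all sample values are constructed; the selection rules
(single matched record, hostname vs. login matching, passphrase falling back
to password, DOMAIN\\user splitting) follow the token tables above. Modelling
KSM_STRIP_WINDOWS_DOMAINS as a flag that makes USERNAME/DOMAIN return the split
parts of the Login field is an assumption of this example.
"""
import re
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r"\$\{(KEEPER_[A-Z_]+)\}")


@dataclass
class VaultRecord:
    login: str = ""
    password: str = ""
    private_key: str = ""
    passphrase: str = ""
    hostname: str = ""                          # "Hostname or IP Address"; empty for user-matched records
    custom: dict = field(default_factory=dict)  # custom fields, e.g. {"Domain": "CORP"}


def split_login(login):
    """Split 'DOMAIN\\user' or 'user@domain' into (username, domain); a plain login gets domain ''."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user, domain
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, ""


def _exactly_one(candidates, what):
    """Every token reads a *single* matched record: zero or several is an error, never a guess."""
    if not candidates:
        raise LookupError(f"no vault record matches {what}")
    if len(candidates) > 1:
        raise LookupError(f"{len(candidates)} vault records match {what}; exactly one is required")
    return candidates[0]


def match_by_hostname(records, hostname):
    return _exactly_one([r for r in records if r.hostname and r.hostname == hostname],
                        f"hostname {hostname!r}")


def match_by_login(records, username):
    # Assumption taken from the User Matching advice: a record used for user
    # matching carries no hostname, so records that have one are skipped.
    return _exactly_one([r for r in records if not r.hostname and r.login == username],
                        f"login {username!r}")


# token scope -> (connection parameter that drives the match, matching rule)
SCOPES = {
    "SERVER": ("hostname", match_by_hostname),
    "USER": ("username", match_by_login),
    "GATEWAY": ("gateway-hostname", match_by_hostname),
    "GATEWAY_USER": ("gateway-username", match_by_login),
}
FIELDS = {"USERNAME", "PASSWORD", "KEY", "PASSPHRASE", "DOMAIN"}


def parse_token(name):
    """'KEEPER_GATEWAY_USER_PASSWORD' -> ('GATEWAY_USER', 'PASSWORD'); unknown tokens are rejected."""
    scope, _, fld = name[len("KEEPER_"):].rpartition("_")
    if scope not in SCOPES or fld not in FIELDS:
        raise ValueError(f"unknown token ${{{name}}}")
    return scope, fld


def field_value(rec, fld, strip_windows_domains):
    user, domain = split_login(rec.login)
    if fld == "USERNAME":
        return user if strip_windows_domains else rec.login
    if fld == "PASSWORD":
        return rec.password
    if fld == "KEY":
        return rec.private_key
    if fld == "PASSPHRASE":
        return rec.passphrase or rec.password    # "Password" when the record has no passphrase
    if fld == "DOMAIN":
        if strip_windows_domains and domain:     # domain part of DOMAIN\user or user@domain
            return domain
        return rec.custom.get("Domain", "")      # otherwise the "Domain" custom field
    raise ValueError(fld)


def resolve(connection, records, strip_windows_domains=False):
    """Return a copy of the connection parameters with every ${KEEPER_*} token replaced."""
    def replace(match):
        scope, fld = parse_token(match.group(1))
        param, matcher = SCOPES[scope]
        record = matcher(records, connection.get(param, ""))
        return field_value(record, fld, strip_windows_domains)
    return {key: TOKEN_RE.sub(replace, value) for key, value in connection.items()}


def resolution_error(connection, records, **kw):
    """Return the error message a resolution would raise, or None when it succeeds."""
    try:
        resolve(connection, records, **kw)
        return None
    except (LookupError, ValueError) as exc:
        return str(exc)


# Constructed sample vault covering the matching styles on this page.
RECORDS = [
    VaultRecord(login="CORP\\alice", password="pw-host-1", hostname="10.0.0.5",
                custom={"Domain": "CORP"}),                         # hostname-matched RDP record
    VaultRecord(login="deploy", private_key="-----BEGIN EXAMPLE KEY-----",
                passphrase="key-pass"),                             # user-matched SSH key, no hostname
    VaultRecord(login="gwadmin", password="gw-pw",
                hostname="gw.example.internal"),                    # gateway record without passphrase
    VaultRecord(login="svc-a", password="a", hostname="10.0.0.9"),   # two records on one host:
    VaultRecord(login="svc-b", password="b", hostname="10.0.0.9"),   # SERVER tokens must fail
]

if __name__ == "__main__":
    rdp = {"hostname": "10.0.0.5", "username": "${KEEPER_SERVER_USERNAME}",
           "password": "${KEEPER_SERVER_PASSWORD}", "domain": "${KEEPER_SERVER_DOMAIN}"}
    print(resolve(rdp, RECORDS))
    print(resolve(rdp, RECORDS, strip_windows_domains=True))
```

Running the module prints the same RDP connection resolved twice: once with the raw CORP\alice login, and once with KSM_STRIP_WINDOWS_DOMAINS behaviour, where username and domain come back already separated. The duplicate-hostname records at the end exist to show that a hostname shared by two vault records makes every SERVER token for that host fail loudly instead of silently picking one credential.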

Windows Username/Domain Parsing

KCM will identify the Domain, Username and Password fields from the Keeper Vault record, as long as there is a field with the corresponding name. For example:

[Image: Domain Matching on Custom Field]

Automatic Parsing of Domain from Login Field

The Windows "Domain" and "Username" fields can be parsed automatically when the Login value in the Keeper Vault is supplied in the format DOMAIN\Username or Username@Domain.

To activate automatic parsing, the environment variable KSM_STRIP_WINDOWS_DOMAINS must be added to the Docker configuration file.

For example:

docker-compose.yml
            ....
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            KSM_CONFIG: "XXX"
            ....
            ....
            KSM_STRIP_WINDOWS_DOMAINS: "true"
            ....

In the record, the Login field can then contain the domain-qualified login:

[Image: Automatic Parsing of Domain from Login Field]
