SAML 2.0 Authentication Configuration Properties
Advanced configuration properties for SAML 2.0 SSO
The properties listed here are only applicable if SAML 2.0 authentication is being used. Support for SAML 2.0 authentication is installed using the kcm-guacamole-auth-saml package or enabled with the Docker installation. If using the keeper/guacamole Docker image, support for SAML 2.0 authentication is configured using environment variables.
Keeper Connection Manager loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the login process behaves when an SSO extension is present:
If the SSO extension has priority:
Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Keeper Connection Manager login screen.
If a non-SSO extension has priority:
Users that are not yet authenticated will be presented with a Keeper Connection Manager login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.
The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the
Automatically redirecting all unauthenticated users
To ensure users are redirected to the SAML identity provider immediately (without a Keeper Connection Manager login screen), ensure the SAML extension has priority over all others:
Presenting unauthenticated users with a login screen
To ensure users are given a normal Keeper Connection Manager login screen and have the option to log in with traditional credentials or with SAML, ensure the SAML extension does not have priority:
extension-priority: *, saml