Authenticating Users with OpenID Connect
Instructions for authenticating users with OpenID Connect
This documentation assumes that you already have access to an OpenID Connect identity provider, such as Google, Okta, Azure, etc. If you do not already have Guacamole installed, please see the installation instructions.

Installing OpenID Connect support for Guacamole

Keeper Connection Manager packages Guacamole's OpenID Connect support within the kcm-guacamole-auth-sso-openid package:

$ sudo yum install kcm-guacamole-auth-sso-openid

Connecting Guacamole to OpenID Connect

Guacamole's main configuration file, /etc/guacamole/guacamole.properties, must be modified to point to the OpenID Connect installation:

$ sudo vi /etc/guacamole/guacamole.properties
The guacamole.properties file provided with Keeper Connection Manager is organized into sections documented with blocks of comments and example properties. The first section that must be modified is marked "OPENID-1" and defines the IdP configuration. Uncomment the properties in this section and edit them according to your identity provider setup.

##
## [OPENID-1] Identity provider details
##
## The details of the identity provider (IdP) that Guacamole should use for
## authentication. These properties dictate how Guacamole should communicate
## with the IdP, including how users should be redirected for
## authentication by the IdP. THIS INFORMATION IS REQUIRED if the OpenID
## extension will be used.
##
## If your IdP implements "OpenID Connect Discovery", these values can be
## found within the JSON file hosted at:
##
## https://identity-provider/.well-known/openid-configuration
##
## where "https://identity-provider" is the base URL of the IdP.
##

#openid-authorization-endpoint: https://myprovider.example.net/sso/openid/auth
#openid-jwks-endpoint: https://myprovider.example.net/sso/openid/certs
#openid-issuer: https://myprovider.example.net
The second section contains the Keeper Connection Manager server information that is used by the IdP.

##
## [OPENID-2] Guacamole server details
##
## The details of the Guacamole server that should be provided to the OpenID
## Connect IdP when authenticating the user. This information defines how the
## OpenID Connect IdP should send identity assertions back to the Guacamole
## server if their identity is confirmed. THESE PROPERTIES ARE REQUIRED if
## the OpenID extension will be used.
##

#openid-client-id: abcd1234-xyz.apps.myprovider.example.net
#openid-redirect-uri: https://myserver.example.net
The third section contains the OpenID Connect identity mappings.

##
## [OPENID-3] Identity mapping
##
## How identity assertions received from the OpenID Connect IdP should be
## mapped back to user and group identities. Mapping users and groups is
## flexible within OpenID, with the definition of user/group identity left
## to the application to determine from the various assertions ("claims")
## returned by the OpenID IdP in response to successful authentication.
##
## By default, Guacamole will use the "email" claim as the username and the
## content of the "groups" claim (if present) as the set of associated user
## groups. OpenID IdP implementations may support additional claims that may
## be more appropriate for your use case. If using different claims from the
## defaults, the "openid-scope" property must be adjusted so that Guacamole
## knows to request those claims from the IdP.
##

#openid-scope: openid email profile
#openid-username-claim-type: email
#openid-groups-claim-type: groups
The fourth section contains optional parameters that can be set.

##
## [OPENID-4] Clock skew and timeouts
##
## By default, clock skew between the Guacamole server and the OpenID IdP of up
## to 30 seconds is tolerated, tokens generated by the OpenID IdP are valid for
## no longer than 5 hours, and the "nonce" generated for each OpenID request by
## Guacamole will remain valid for no longer than 10 minutes.
##
## If necessary, these values can be overridden. Clock skew is specified in
## seconds, and token/nonce validity is specified in minutes.
##

#openid-allowed-clock-skew: 30
#openid-max-token-validity: 300
#openid-max-nonce-validity: 10
#saml-compress-response: true
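Before restarting, it is worth confirming that the values entered in the OPENID-1 through OPENID-3 sections agree with what the IdP actually publishes in its discovery document. The following added example (not part of Keeper's documentation or Guacamole's code) parses the uncommented properties and compares them against a discovery document; both inputs below are constructed samples, and you would substitute your own guacamole.properties and the JSON fetched from https://identity-provider/.well-known/openid-configuration.

```python
import json
# Constructed samples: the OPENID-1..3 properties (uncommented) and the IdP's discovery document
GUACAMOLE_PROPERTIES = """
openid-authorization-endpoint: https://myprovider.example.net/sso/openid/auth
openid-jwks-endpoint: https://myprovider.example.net/sso/openid/certs
openid-issuer: https://myprovider.example.net
openid-redirect-uri: https://myserver.example.net
openid-scope: openid email profile groups
openid-username-claim-type: email
openid-groups-claim-type: groups
"""
DISCOVERY_JSON = json.dumps({
    "issuer": "https://myprovider.example.net",
    "authorization_endpoint": "https://myprovider.example.net/sso/openid/auth",
    "jwks_uri": "https://myprovider.example.net/sso/openid/keys",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "name"],
})

def parse_properties(text):
    """Parse 'key: value' lines, skipping blanks and '#' comments (the commented-out defaults)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")  # first colon only, so URL values keep theirs
            props[key.strip()] = value.strip()
    return props

def check_oidc_config(properties_text, discovery_text):
    """Return mismatches between guacamole.properties and the IdP's discovery document."""
    p, d, findings = parse_properties(properties_text), json.loads(discovery_text), []
    # OPENID-1: issuer and endpoints must be exactly what the IdP publishes
    for prop, field in (("openid-issuer", "issuer"), ("openid-jwks-endpoint", "jwks_uri"),
                        ("openid-authorization-endpoint", "authorization_endpoint")):
        if p.get(prop) != d.get(field):
            findings.append(f"{prop}={p.get(prop)!r} differs from discovery {field}={d.get(field)!r}")
    if not p.get("openid-redirect-uri", "").startswith("https://"):  # OPENID-2: assertions land here
        findings.append("openid-redirect-uri is not an https:// URL")
    # OPENID-3: every requested scope and mapped claim must be one the IdP says it returns
    scopes = p.get("openid-scope", "").split()
    if "openid" not in scopes:
        findings.append("openid-scope must include 'openid'")
    for s in scopes:
        if s not in d.get("scopes_supported", scopes):
            findings.append(f"scope {s!r} is not in scopes_supported")
    for prop in ("openid-username-claim-type", "openid-groups-claim-type"):
        claim = p.get(prop)
        if claim and claim not in d.get("claims_supported", [claim]):
            findings.append(f"{prop}={claim!r} is not in claims_supported")
    return findings
```

On the sample inputs the check reports three problems: the JWKS endpoint does not match jwks_uri, and the "groups" scope and claim are not advertised by the IdP, so group mapping would silently yield no groups.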

Completing installation

Guacamole will generally only load new extensions and reread guacamole.properties during the startup process. To apply the configuration changes, Guacamole must be restarted:

$ sudo systemctl restart guacamole