On Fri, Nov 22, 2024 at 9:18 AM viktor_krumm <viktor_kr...@proton.me.invalid> wrote:
> Thanks for the breakdown. I suspected the issue was between the interaction of the LDAP module and the SSO component, so that is not surprising. I am not married to LDAP as a source of AAA, so I can trim that from the flow.
>
> I did get Keycloak/SSO working easily with Guacamole connections in JDBC. It seems like I need to manage the two "components", Authentication and Authorization, in different modules then. Outside of trying to do custom crafted JWKS tokens/Encrypted JSON - I don't have the knowledge to try and do that kind of custom setup.
>
> My understanding of SSO/JDBC together is that you need 2 accounts in 2 databases. 1 account on the SSO side, 1 account on the JDBC side, with the email field used as the link. Is that the case?

You don't necessarily need an account on the JDBC side - you can manage access with group membership, only, if you want, but you can create an account on the JDBC side, as well, if you like, particularly if you want to assign permissions at a user-level. The matching of SSO account to JDBC account is done by the username - if the username returned by SSO matches one in JDBC, those accounts will be considered the same, and the permissions from JDBC will apply to the user who is logging in.

In the current release (1.5.5), the matching of usernames is done in a case-sensitive fashion, so just something to be aware of. The good news is that SSO systems are usually pretty consistent about returning usernames in the same case, so you shouldn't run into much issue with SSO + JDBC in that regard. In version 1.6.0 we're introducing the ability to treat usernames case-insensitively, which will alleviate issues with systems like LDAP where users might enter their username in different cases.

Finally, there's an option you can enable in the guacamole.properties file for the JDBC module that will auto-create JDBC accounts for any user that is logged in successfully from another module. If you enable this, you'll get JDBC accounts to match any of your SSO accounts, which you can then use to assign permissions or group membership. See: https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

> Either way, how do you assign connections in SSO then? Some form of group memberships? I do not see in the documentation where that sort of setup is described, though I could have missed it.

You have several options for this:

* Create matching users in JDBC (either manually or auto-created) and assign them connections and system permissions individually.
* Create matching users in JDBC (either manually or auto-created), create groups in the JDBC module, and then add the users to the groups and assign permissions to the groups.
* Configure your SSO module to return user groups, and then create matching groups in the JDBC module, and assign the permissions to those groups. SSO users who log in and have one of the groups configured in the JDBC module will get the permissions of those groups. In this way, you can avoid having to create JDBC users at all for your SSO users.

-Nick
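A small model of the login-to-permission flow described in the reply above, added here as an illustration; it is not Guacamole's code and not part of the thread. The `JdbcDirectory` class, its field names, the permission representation (plain connection ids rather than Guacamole's READ/UPDATE-style permissions) and the sample users, groups and connection ids are all constructed assumptions. It shows the three points of the reply: SSO-to-JDBC matching by username (case-sensitive in 1.5.5, with a case-insensitive mode as an assumed switch standing in for the 1.6.0 option), the auto-create option, and group-based permissions that grant access without any JDBC user existing.

```python
"""Illustrative model of SSO identity + JDBC authorization in Guacamole.

Not Guacamole's implementation: names, structures and sample data are
constructed for this example only.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class JdbcDirectory:
    """Constructed stand-in for the JDBC module's user/group/permission tables."""
    # username -> connection ids granted directly to that JDBC user
    users: Dict[str, Set[str]] = field(default_factory=dict)
    # JDBC group name -> connection ids granted to the group
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    # username -> JDBC groups the user was added to on the JDBC side
    memberships: Dict[str, Set[str]] = field(default_factory=dict)
    # assumed switch mirroring the auto-create option in guacamole.properties
    auto_create_accounts: bool = False
    # True models the 1.5.5 behaviour; False models the 1.6.0 case-insensitive mode
    case_sensitive_usernames: bool = True

    def match_user(self, sso_username: str) -> Optional[str]:
        """Find the JDBC account whose username matches the SSO-returned one."""
        if self.case_sensitive_usernames:
            return sso_username if sso_username in self.users else None
        for name in self.users:
            if name.lower() == sso_username.lower():
                return name
        return None

    def resolve(self, sso_username: str,
                sso_groups: Iterable[str] = ()) -> Tuple[Optional[str], Set[str]]:
        """Return (matched JDBC account or None, connection ids the login may use).

        Permissions are the union of: the JDBC user's own grants, grants of
        JDBC groups the user is a member of, and grants of JDBC groups whose
        name matches a group returned by SSO (exact-name match, an assumption).
        """
        account = self.match_user(sso_username)
        if account is None and self.auto_create_accounts:
            # Auto-created account: exists for later permission assignment,
            # but carries no grants of its own yet.
            account = sso_username
            self.users[account] = set()
            self.memberships.setdefault(account, set())

        allowed: Set[str] = set()
        if account is not None:
            allowed |= self.users[account]
            for g in self.memberships.get(account, ()):
                allowed |= self.groups.get(g, set())
        for g in sso_groups:
            # third option from the reply: SSO group -> JDBC group of the same name
            allowed |= self.groups.get(g, set())
        return account, allowed


def sample_directory(**overrides) -> JdbcDirectory:
    """Constructed sample data: one JDBC user, one JDBC group, one membership."""
    return JdbcDirectory(
        users={"alice": {"conn-rdp-1"}},
        groups={"ops": {"conn-ssh-jump"}},
        memberships={"alice": {"ops"}},
        **overrides,
    )


if __name__ == "__main__":
    d = sample_directory()
    print(d.resolve("alice"))                       # direct + JDBC group grants
    print(d.resolve("Alice"))                       # case mismatch: no JDBC match
    print(d.resolve("bob", sso_groups=["ops"]))     # group-only access, no JDBC user
    print(sample_directory(case_sensitive_usernames=False).resolve("Alice"))
    print(sample_directory(auto_create_accounts=True).resolve("carol"))
```

The last two calls show why the case-sensitivity note matters: with the 1.5.5-style setting, an SSO system that returns `Alice` for a JDBC account named `alice` yields no JDBC permissions at all, while the group-based option still works for users who have no JDBC account.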