Thanks for the assistance.
Sent with Proton Mail secure email.

On Friday, November 22nd, 2024 at 10:49 AM, Nick Couchman <vn...@apache.org> wrote:

> On Fri, Nov 22, 2024 at 9:18 AM viktor_krumm <viktor_kr...@proton.me.invalid> wrote:
>
> > Thanks for the breakdown. I suspected the issue was between the
> > interaction of the LDAP module and the SSO component, so that is not
> > surprising. I am not married to LDAP as a source of AAA, so I can trim
> > that from the flow.
> >
> > I did get Keycloak/SSO working easily with Guacamole connections in JDBC.
> > It seems like I need to manage the two "components", Authentication and
> > Authorization, in different modules then. Outside of trying to do custom
> > crafted JWKS tokens/Encrypted JSON, I don't have the knowledge to try and
> > do that kind of custom setup.
> >
> > My understanding of SSO/JDBC together is that you need 2 accounts in 2
> > databases: 1 account on the SSO side, 1 account on the JDBC side, with the
> > email field used as the link. Is that the case?
>
> You don't necessarily need an account on the JDBC side - you can manage
> access with group membership only, if you want, but you can create an
> account on the JDBC side as well, if you like, particularly if you want to
> assign permissions at a user level. The matching of SSO account to JDBC
> account is done by the username - if the username returned by SSO matches
> one in JDBC, those accounts will be considered the same, and the
> permissions from JDBC will apply to the user who is logging in.
>
> In the current release (1.5.5), the matching of usernames is done in a
> case-sensitive fashion, so just something to be aware of. The good news is
> that SSO systems are usually pretty consistent about returning usernames in
> the same case, so you shouldn't run into many issues with SSO + JDBC in that
> regard. In version 1.6.0 we're introducing the ability to treat usernames
> case-insensitively, which will alleviate issues with systems like LDAP
> where users might enter their username in different cases.
>
> Finally, there's an option you can enable in the guacamole.properties file
> for the JDBC module that will auto-create JDBC accounts for any user that
> is logged in successfully from another module. If you enable this, you'll
> get JDBC accounts to match any of your SSO accounts, which you can then use
> to assign permissions or group membership. See:
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
>
> > Either way, how do you assign connections in SSO then? Some form of group
> > memberships? I do not see in the documentation where that sort of setup is
> > described, though I could have missed it.
>
> You have several options for this:
> * Create matching users in JDBC (either manually or auto-created) and
>   assign them connections and system permissions individually.
> * Create matching users in JDBC (either manually or auto-created), create
>   groups in the JDBC module, and then add the users to the groups and assign
>   permissions to the groups.
> * Configure your SSO module to return user groups, and then create matching
>   groups in the JDBC module, and assign the permissions to those groups. SSO
>   users who log in and have one of the groups configured in the JDBC module
>   will get the permissions of those groups. In this way, you can avoid having
>   to create JDBC users at all for your SSO users.
>
> -Nick
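The third option Nick lists (SSO returns group names, the JDBC module holds matching groups and the permissions) can be set up entirely in the database, with no per-user rows. The script below is an added illustration written for this page, not code from the thread or from the Guacamole project. It assumes the MySQL variant of the schema shipped with the JDBC extension (guacamole_entity, guacamole_user_group, guacamole_connection, guacamole_connection_parameter, guacamole_connection_permission); the group name `guacamole-rdp-users`, the connection name `jump-host-rdp` and the host `jump.example.internal` are hypothetical. The group name must be exactly the string the SSO module returns, character case included, since 1.5.5 matches names case-sensitively as described above.

```sql
-- Added example, not part of the original thread or the Guacamole project.
-- Target: MySQL variant of the guacamole-auth-jdbc schema. Names are hypothetical.

-- 1. A user group whose name equals the group name returned by the SSO module.
--    Matching is case-sensitive in 1.5.5, so copy the SSO group name exactly.
INSERT INTO guacamole_entity (name, type)
    VALUES ('guacamole-rdp-users', 'USER_GROUP');

INSERT INTO guacamole_user_group (entity_id, disabled)
    SELECT entity_id, FALSE
    FROM guacamole_entity
    WHERE name = 'guacamole-rdp-users' AND type = 'USER_GROUP';

-- 2. A connection to hand out to that group.
INSERT INTO guacamole_connection (connection_name, protocol)
    VALUES ('jump-host-rdp', 'rdp');

INSERT INTO guacamole_connection_parameter (connection_id, parameter_name, parameter_value)
    SELECT connection_id, 'hostname', 'jump.example.internal'
    FROM guacamole_connection
    WHERE connection_name = 'jump-host-rdp';

INSERT INTO guacamole_connection_parameter (connection_id, parameter_name, parameter_value)
    SELECT connection_id, 'port', '3389'
    FROM guacamole_connection
    WHERE connection_name = 'jump-host-rdp';

-- 3. Grant the group READ on that one connection. READ is what lets a user
--    open the connection; UPDATE/DELETE/ADMINISTER are deliberately not granted.
--    No guacamole_user row is created for the SSO users themselves.
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
    SELECT e.entity_id, c.connection_id, 'READ'
    FROM guacamole_entity e
    JOIN guacamole_connection c ON c.connection_name = 'jump-host-rdp'
    WHERE e.name = 'guacamole-rdp-users' AND e.type = 'USER_GROUP';

-- 4. Check: every connection permission currently held via a group.
--    An SSO login carrying the group 'guacamole-rdp-users' should resolve to
--    exactly the rows listed here for that group.
SELECT e.name AS group_name, c.connection_name, p.permission
FROM guacamole_connection_permission p
JOIN guacamole_entity e ON e.entity_id = p.entity_id
JOIN guacamole_connection c ON c.connection_id = p.connection_id
WHERE e.type = 'USER_GROUP'
ORDER BY e.name, c.connection_name, p.permission;
```

If you later want user-level exceptions on top of this, enable the auto-create option Nick links to; the created guacamole_user rows then share the SSO username and can be granted permissions or added to guacamole_user_group_member individually, while the group grant above keeps working unchanged.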