Unscribe

2019-04-16 Thread Abner, Michael (SAMHSA/OMTO)


Michael Abner
IT Specialist - Cloud Admin
Division of Technology Management
Office of Management, Technology and Operations
Substance Abuse & Mental Health Services Administration
5600 Fishers Lane, Room 12E81D
Rockville, MD 20852
(240) 276-1104
michael.ab...@samhsa.hhs.gov
For technical assistance from DTM Support, please send email to 
dtmoperati...@samhsa.hhs.gov

We are listening!
For SAMHSA Employees Only: Please take a moment to let us know how we are doing
by completing OMTO's brief and confidential Customer Satisfaction Survey by
clicking here
Your feedback will help us improve our work. Thank you!






RE: OpenID / KeyCloak

2019-04-16 Thread Ryan Underwood
A few thoughts:
- Are you sure that the asterisk(s) in your URL is what you intended? I know 
that keycloak will let you specify the valid redirect URLs with wildcards so 
wasn't sure if that was a failed configuration. The Guacamole angular app 
rewrites URLs and it's possible this is affecting the hook for that.
- IIRC keycloak uses preferred_username for what you are likely calling the 
username claim. If you're testing with "guacadmin" and using email you'll need 
to add one because it doesn't exist by default in the database.
- Pasting some logs from keycloak, any reverse proxy, and the guacamole client 
would help debugging. 
- Openid/guacamole works fine for logging in to guacamole but it's like the 
Hotel California if you want to sign out.


-Original Message-
From: Justin Gauthier  
Sent: Tuesday, April 16, 2019 8:02 AM
To: user@guacamole.apache.org; user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak

I have Guacamole 1.0 working with an older version of Keycloak, below are my 
settings:

Keycloak settings:




and the guacamole settings:


openid-authorization-endpoint: 
https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/auth
openid-jwks-endpoint: 
https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/certs
openid-issuer: https://auth.[REDACTED]/auth/realms/[REDACTED]
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.[REDACTED]/guacamole/
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

The other tabs in keycloak are standard, just have to add the mapper(s) for the 
email and username, like below.




Hopefully that helps.

Regards,

Justin

 


From: kmartin 
Sent: Tuesday, April 16, 2019 7:55 AM
To: user@guacamole.apache.org
Subject: OpenID / KeyCloak 
 
Hello All, 

I set up Guacamole 1.0 + Keycloak 5.0 . Everything goes right until the login. 

I log in (on Keycloak), I return back to Guacamole and then I have loops 
between 2 URLs 

https://services.xxx.fr:8081/guacamole*/#/*session_state=93ec82e2-2c19-4978-9347-5df101da3189_token=
 

and 

https://services.xxx.fr:8081/guacamole*/#*session_state=93ec82e2-2c19-4978-9347-5df101da3189_token=
 

Has someone already had this problem? 

Here is my config: 

openid-authorization-endpoint: 
https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/auth
openid-jwks-endpoint: 
https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/certs
openid-issuer: https://sso.xxx.fr:8443/auth/realms/xxx
openid-client-id: gua
openid-redirect-uri: http://services.xxx.fr:8081/guacamole
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500 

Thanks for your help ! 





--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ 
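
The checks raised in the reply above (which claim carries the username, and whether the redirect URI matches what the browser shows), as an added example that is not part of the original thread or of the Guacamole or Keycloak code. The settings are the ones posted in the question; the token claims and the cleaned-up browser URL are constructed, and the `iss`/`aud` comparisons are the generic OpenID Connect checks, included as an assumption about what is worth ruling out.

```python
import base64, json
from urllib.parse import urlsplit

# Settings copied from the question in this thread (hosts redacted there).
PROPERTIES = """\
openid-issuer: https://sso.xxx.fr:8443/auth/realms/xxx
openid-client-id: gua
openid-redirect-uri: http://services.xxx.fr:8081/guacamole
openid-username-claim-type: username
"""
# Constructed: URL seen in the browser, without the asterisks from the post.
BROWSER_URL = "https://services.xxx.fr:8081/guacamole/"
# Constructed: claims a Keycloak ID token might carry; values are made up.
SAMPLE_CLAIMS = {"iss": "https://sso.xxx.fr:8443/auth/realms/xxx", "aud": "gua",
                 "sub": "constructed-subject", "preferred_username": "kmartin"}

def make_sample_token(claims):
    """Build an unsigned token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def parse_properties(text):
    """Parse 'key: value' lines as they appear in the posted configuration."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check(props, claims, browser_url):
    """Return a list of mismatches between the configuration and the token/URL."""
    findings = []
    claim = props["openid-username-claim-type"]
    if claim not in claims:
        findings.append(f"claim '{claim}' not in token; available: {sorted(claims)}")
    if claims.get("iss") != props["openid-issuer"]:
        findings.append("iss differs from openid-issuer")
    aud = claims.get("aud")
    if props["openid-client-id"] not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud does not include openid-client-id")
    conf, seen = urlsplit(props["openid-redirect-uri"]), urlsplit(browser_url)
    if (conf.scheme, conf.netloc) != (seen.scheme, seen.netloc):
        findings.append(f"redirect-uri origin {conf.scheme}://{conf.netloc} != browser {seen.scheme}://{seen.netloc}")
    return findings

if __name__ == "__main__":
    claims = jwt_claims(make_sample_token(SAMPLE_CLAIMS))
    print("\n".join(check(parse_properties(PROPERTIES), claims, BROWSER_URL)))
```

To run it against a real deployment, pass the ID token captured from the browser's URL fragment to `jwt_claims` in place of the constructed one; the decoder skips signature verification, so use it for inspection only.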



Re: OpenID / KeyCloak

2019-04-16 Thread kmartin
That's nice of you. 
Thanks Justin.




--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


Re: OpenID / KeyCloak

2019-04-16 Thread Justin Gauthier
I believe mine are both in VMs, but I have a test implementation with both 
containerized that I can try to get working.

Give me a few hours to try that out and I’ll get back to you.



From: kmartin 
Sent: Tuesday, April 16, 2019 8:45 AM
To: user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak

Thanks a lot Justin.

Unfortunately I have a similar Keycloak config.

My Guacamole and Keycloak are containers. You too?







--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


Re: OpenID / KeyCloak

2019-04-16 Thread kmartin
Thanks a lot Justin.

Unfortunately I have a similar Keycloak config. 

My Guacamole and Keycloak are containers. You too?







--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


OpenID / KeyCloak

2019-04-16 Thread kmartin
Hello All,

I set up Guacamole 1.0 + Keycloak 5.0 . Everything goes right until the
login.

I log in (on Keycloak), I return back to Guacamole and then I have loops
between 2 URLs

https://services.xxx.fr:8081/guacamole*/#/*session_state=93ec82e2-2c19-4978-9347-5df101da3189_token=

and

https://services.xxx.fr:8081/guacamole*/#*session_state=93ec82e2-2c19-4978-9347-5df101da3189_token=

Has someone already had this problem?

Here is my config:

openid-authorization-endpoint:
https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/auth
openid-jwks-endpoint:
https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/certs
openid-issuer: https://sso.xxx.fr:8443/auth/realms/xxx
openid-client-id: gua
openid-redirect-uri: http://services.xxx.fr:8081/guacamole
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

Thanks for your help !





--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/