Hi Mike,

Thank you very much for reminding me of the security issue!

An SSO solution can handle the authentication, but the real challenge I had thought about was authorization. Rather than manually mapping users to servers, I was thinking about introducing role-based or attribute-based policies to grant access to users. Compared with placing a policy enforcement engine before an all-to-all setting with Guacamole, it would be much more difficult, if even possible, to get the policy engine to update the user-server mapping in Guacamole in a timely manner. Also, while configuring the policy engine, I will always need to update users and servers and the mapping.

What do you think about it?

Thanks,
Yang

> On Aug 2, 2019, at 10:37, Mike Jumper <mjum...@apache.org> wrote:
>
> On Thu, Aug 1, 2019 at 5:59 PM Yang Yang <yy8...@icloud.com.invalid> wrote:
> > Thank you very much for the information, Adam!
> >
> > This makes me think, is it possible to make all connections available to
> > everyone, even those not authenticated? I mean to skip the user
> > authentication and authorization.
>
> Please do not do this. See: http://guacamole.apache.org/faq/#disable-auth
>
> > Where can I start?
>
> Authentication and authorization are critical for security and should not be
> bypassed. If there is some other system in place which provides
> authentication in your case, you should instead look toward integrating that
> system.
>
> - Mike