Hi Mike,

Thank you very much for reminding me of the security issue!

An SSO solution can handle the authentication, but the real challenge I had 
thought about was authorization. 

Rather than manually mapping users to servers, I was thinking about introducing 
role-based or attribute-based policies to grant access to users. Compared with 
placing a policy enforcement engine before an all-to-all setting with Guacamole, 
it would be much more difficult, if even possible, to get the policy engine to 
update the user-server mapping in Guacamole in a timely manner. 

Also, while configuring the policy engine, I will always need to update users 
and servers and the mapping. 

What do you think about it?

Thanks,
Yang

> On Aug 2, 2019, at 10:37, Mike Jumper <mjum...@apache.org> wrote:
> 
> On Thu, Aug 1, 2019 at 5:59 PM Yang Yang <yy8...@icloud.com.invalid> wrote:
> Thank you very much for the information, Adam!
> 
> This makes me think, is it possible to make all connections available to 
> everyone, even those not authenticated? I mean to skip the user 
> authentication and authorization. 
> 
> Please do not do this. See: http://guacamole.apache.org/faq/#disable-auth
> 
> Where can I start?
> 
> Authentication and authorization are critical for security and should not be 
> bypassed. If there is some other system in place which provides 
> authentication in your case, you should instead look toward integrating that 
> system.
> 
> - Mike
> 
