Hi Stephan,

I use a valid certificate, issued by Let's Encrypt.
When you try to access after configuring Keycloak, do you get a message? Could you share catalina.log during the test?

On Thu, Sep 12, 2019 at 14:17, Stephan Leruth <sha...@gmx.com> wrote:

> Hello,
>
> Could you confirm or not that you are using self-signed certificates or not? I am using self-signed certificates on my Keycloak server and my Guacamole server and I suspect this is causing the problem.
>
> Thank you
>
> On 12/09/2019 at 14:45, Ryan Underwood wrote:
>
> > You can debug the flow easily directly in your browser using dev tools. If you're using Chrome you'll need to check "preserve log" under the network tab or it will disappear before you can see what happened; Firefox has this defaulted.
> >
> > Also make sure your scope preferred_username is actually available. I forget what keycloak calls a username. I think I added an email to get it working originally using default settings.
> >
> > -Ryan
> >
> > -----Original Message-----
> > From: Stephan Leruth <sha...@gmx.com>
> > Sent: Thursday, September 12, 2019 3:58 AM
> > To: user@guacamole.apache.org
> > Subject: Re: Guacamole 1.0.0 - Keycloak OpenID Information
> >
> > Hello,
> >
> > Unfortunately it still does not work.
> > To summarize my installation, I use 2 servers:
> > - Keycloak 4.3.0 on CentOS 7
> > - Guacamole 1.0.0 on CentOS 7
> > By checking the URL, I can confirm that the patch described here (https://github.com/apache/guacamole-client/commit/0344ef30e45954d1252d44b9826c7eedad8b02f3) is correctly applied.
> > Looking at your nginx configuration, I understand that you access Guacamole via the URL https://guacamole.com.br/. Is that correct? For my part, I access it via the URL https://dom.domain.local/guacamole. I do not think that's the source of the problem?
> > I cannot find a log that allows me to trace the error.
> > The script I used for the installation of Guacamole is this one: https://github.com/Zer0CoolX/guacamole-install-rhel
> >
> > Thank you very much for your help.
> >
> > On 11/09/2019 at 23:41, Rafael Ramos wrote:
> >
> > > Hi Stephan,
> > >
> > > My nginx configuration is:
> > > location / {
> > >     proxy_pass http://localhost:8080/guacamole/;
> > >     proxy_buffering off;
> > >     proxy_http_version 1.1;
> > >     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> > >     proxy_set_header Upgrade $http_upgrade;
> > >     proxy_set_header Connection $http_connection;
> > >     proxy_cookie_path /guacamole/ /;
> > > }
> > >
> > > And my guacamole.properties:
> > > openid-authorization-endpoint: https://keycloak/auth/realms/master/protocol/openid-connect/auth
> > > openid-jwks-endpoint: https://keycloak/auth/realms/master/protocol/openid-connect/certs
> > > openid-issuer: https://keycloak/auth/realms/master
> > > openid-client-id: guacamole
> > > openid-redirect-uri: https://guacamole.com.br/
> > > openid-scope: openid email profile
> > > openid-username-claim-type: preferred_username
> > >
> > > On Wed, Sep 11, 2019 at 18:36, Stephan Leruth <sha...@gmx.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > I applied the same settings as you but the problem is not solved.
> > > >
> > > > Could you tell me your NGINX configuration?
> > > >
> > > > Thank you
> > > >
> > > > On 11/09/2019 at 23:26, Rafael Ramos wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > I am using Keycloak on Guacamole and I have no problems.
> > > > >
> > > > > The only difference is that I have the following settings:
> > > > > Standard Flow Enabled: Off
> > > > > Direct Access Grants Enabled: Off
> > > > >
> > > > > And in extensions I have only:
> > > > > guacamole-auth-0-openid-1.0.0.jar
> > > > > guacamole-auth-jdbc-mysql-1.0.0.jar
> > > > >
> > > > > On Wed, Sep 11, 2019 at 13:56, Stephan Leruth <sha...@gmx.com> wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I use Guacamole in version 1.0.0 and it works perfectly.
> > > > > > I configured the connection via LDAP (Active Directory) and this allows me to give access rights to certain users. However, I receive many complaints because the users want to implement a single sign-on (SSO).
> > > > > >
> > > > > > By reading the Apache Guacamole documentation, I read that authentication by OpenID is supported. I decided to set up a Keycloak server.
> > > > > > Once it was correctly configured (SSO functional but no client configured), I tried to configure Guacamole. After several days of testing, I always have the same error: an infinite loop during authentication!
> > > > > >
> > > > > > I have read different topics on the Internet that indicate that this is an identified problem and should be corrected in the following versions (1.2.0). Correct?
> > > > > > I also read this guide (https://blog.exceptionerror.io/2019/06/10/home-lab-2019/) which indicates that the patch can be done manually. After completing these commands, it does not work better.
> > > > > >
> > > > > > I allow myself to add my Keycloak and Guacamole configuration, so that a big mistake on my part can be identified.
> > > > > >
> > > > > > #OpenID Authentication
> > > > > > openid-authorization-endpoint: https://sso01.dom.domain.local/auth/realms/master/protocol/openid-connect/auth
> > > > > > openid-jwks-endpoint: https://sso01.dom.domain.local/auth/realms/master/protocol/openid-connect/certs
> > > > > > openid-issuer: https://sso01.dom.domain.local/auth/realms/master
> > > > > > openid-client-id: guacamole
> > > > > > openid-redirect-uri: https://guacamole.dom.domain.local/guacamole
> > > > > > openid-username-claim-type: username
> > > > > > openid-scope: openid email profile
> > > > > > openid-allowed-clock-skew: 500
> > > > > >
> > > > > > Thank you!
> > > > > >
> > > > > > Shaguu
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> > > > > > For additional commands, e-mail: user-h...@guacamole.apache.org