On Wed, Mar 9, 2022 at 1:34 PM Mauricio Silveira <[email protected]> wrote:
> Hi. > > > I was wondering if there is any way possible to pass a username to > pre-fill the username field at login page. > > > My usage idea is: I'm using nginx with client certificates as > pre-authentication, and I'd like to use the UserPrincipalName from the > client certificate to present the user, guacamole's login page with its > name already filled and move focus to the password field, so that the > user with a certificate will only need to type the password to enter a > session. > > > Optionally, I'd like to make it possible to "lock" the username field > (Mandatory from username passed from nginx ). > > I would think the better way to go would be to have Guacamole accept the certificate-based (x509) authentication, either by implementing an extension that supports it, or by using a SSO-type system that facilitates it. So, a few options come to mind: * If Nginx is currently doing the certificate-based authentication, you could use the Header authentication extension in Guacamole to accept successful authentication, including the Username, from Nginx. You have to be a bit careful with this, because you want to make sure that there's no way for users to bypass the authentication mechanism by spoofing a header or something like that, but it can be done in a relatively secure fashion. * You could also use a SSO system to do the certificate-based authentication, and then one of the Guacamole SSO modules to accept that authentication. For example, I believe CAS supports x509 authentication, so you could have CAS do the authentication, and then it can pass through the relevant information about the user to Guacamole via the CAS authentication extension. -Nick
