On Wed, Feb 15, 2023 at 3:41 PM hantuo <[email protected]> wrote:
>
> Hi All,
>
> I'm trying to import Guacamole into my organization. Currently, I'm
> conducting a feasibility study of the authentication process. After
> reading through the documentation, I'm not sure how to integrate
> Guacamole with the authentication services in the organization.
>
> In my organization, two services are related to auth. One is the
> authentication service. This service adopts Keycloak which uses OpenID
> to realize single sign-on. Therefore, it is compatible with the OpenID
> extension of Guacamole. I have already integrated Guacamole with
> Keycloak, and it works smoothly.
>
> The other auth service is the authorization service. This service is a
> permission management service. It records the roles of the members of
> the organization and which roles have permission to access which
> contents. I'm not sure how to integrate this service with Guacamole.
>
> One of the possible approaches is to adopt both OpenID and database
> authentication. In this approach, we have to develop another service to
> keep the Guacamole database up to date with the authorization service of the
> organization.
>

You could definitely do this, and it shouldn't be too terribly
difficult to write some sort of middleware that would push
authorization updates from the system you use into the database.

> Another possible approach is to adopt OpenID and custom authentication.
> With custom authentication, we can acquire user-mapping data from the
> authorization service. Therefore, the permission can be managed.
> However, it seems that there are conflicts between the settings of
> OpenID and custom authentication. I'm not sure if it works.
>

A couple of things come to mind, here:
* Yes, you could write a custom authentication module that queries
your authorization system and provides access to connections and
connection groups based on the data from that system. This shouldn't
be too terribly difficult, particularly since you're probably not
concerned with using the Guacamole UX to manage the connection data.
You should just be able to pull those details at login.
* You could also look at using the JSON authentication module and see
if it will do what you want it to do. It may be that, between your
OpenID authentication system and your authorization system, you could
write something that would do the OpenID authentication and then
return the JSON connection data to that module from your authorization
system.

The bottom line is that it is almost certainly possible to do what
you're trying to do in integrating the two systems, and there are
multiple tools you can use - you just have to decide what is most
sustainable for the organization.

-Nick
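
The JSON authentication route suggested in the reply above, as an added example that is not part of the original thread or Guacamole's own code: a middleware step that turns role data into the signed, encrypted blob, following the format Guacamole documents for its encrypted JSON extension (HMAC-SHA256 signature prepended, AES-128-CBC with an all-zero IV, base64). The role table, connection names, addresses and function names are constructed for illustration, and the username is assumed to come from an already-verified OpenID login.

```javascript
// Added example (not Guacamole project code): build the "data" value for guacamole-auth-json.
const crypto = require('node:crypto');

// Constructed sample: role -> connections, standing in for the authorization service.
const ROLE_CONNECTIONS = new Map([
  ['linux-admin', { 'build-01 (SSH)': { protocol: 'ssh', parameters: { hostname: '10.0.0.10', port: '22' } } }],
  ['helpdesk', { 'kiosk-07 (RDP)': { protocol: 'rdp', parameters: { hostname: '10.0.0.27', port: '3389' } } }],
]);

// Union of the connections granted by each role; unknown roles grant nothing.
function connectionsForRoles(roles) {
  const out = {};
  for (const role of roles) Object.assign(out, ROLE_CONNECTIONS.get(role) || {});
  return out;
}

function parseKey(keyHex) {
  const key = Buffer.from(keyHex, 'hex');
  if (key.length !== 16) throw new Error('json-secret-key must be 128 bits (32 hex digits)');
  return key;
}

// HMAC-SHA256 over the JSON, signature prepended, AES-128-CBC with an all-zero IV, base64.
function buildAuthData(username, roles, keyHex, ttlMs, now = Date.now()) {
  const key = parseKey(keyHex);
  const payload = { username, expires: now + ttlMs, connections: connectionsForRoles(roles) };
  const json = Buffer.from(JSON.stringify(payload), 'utf8');
  const sig = crypto.createHmac('sha256', key).update(json).digest();
  const cipher = crypto.createCipheriv('aes-128-cbc', key, Buffer.alloc(16));
  const enc = Buffer.concat([cipher.update(Buffer.concat([sig, json])), cipher.final()]);
  return enc.toString('base64');
}

// Local round-trip check mirroring what the receiving side must verify.
function openAuthData(data, keyHex, now = Date.now()) {
  const key = parseKey(keyHex);
  const dec = crypto.createDecipheriv('aes-128-cbc', key, Buffer.alloc(16));
  const plain = Buffer.concat([dec.update(Buffer.from(data, 'base64')), dec.final()]);
  if (plain.length < 32) throw new Error('payload too short');
  const sig = plain.subarray(0, 32);
  const json = plain.subarray(32);
  const expected = crypto.createHmac('sha256', key).update(json).digest();
  if (!crypto.timingSafeEqual(sig, expected)) throw new Error('bad signature');
  const payload = JSON.parse(json.toString('utf8'));
  if (!(payload.expires > now)) throw new Error('expired');
  return payload;
}
```

The string returned by buildAuthData is what gets submitted to Guacamole as the `data` parameter. Keep the TTL short and the key out of the browser, since the blob works as a bearer credential until `expires`.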
