Hi Nick,
I think the JSON authentication module is what we need. Thank you for
your advice.
Sincerely,
Han-tuo
Nick Couchman wrote on 2023-02-16 05:01:
On Wed, Feb 15, 2023 at 3:41 PM hantuo <[email protected]>
wrote:
Hi All,
I'm trying to import Guacamole into my organization. Currently, I'm
conducting a feasibility study of the authentication process. After
reading through the documentation, I'm not sure how to integrate
Guacamole with the authentication services in the organization.
In my organization, two services are related to auth. One is the
authentication service. This service adopts Keycloak which uses OpenID
to realize single sign-on. Therefore, it is compatible with the OpenID
extension of Guacamole. I have already integrated Guacamole with
Keycloak, and it works smoothly.
The other auth service is the authorization service. This service is a
permission management service. It records the roles of the members of
the organization and which roles have permission to access which
contents. I'm not sure how to integrate this service with Guacamole.
One of the possible approaches is to adopt both OpenID and database
authentication. In this approach, we have to develop another service
to keep Guacamole database up to date with the authorization service
of the organization.
You could definitely do this, and it shouldn't be too terribly
difficult to write some sort of middleware that would push
authorization updates from the system you use into the database.
Another possible approach is to adopt OpenID and custom authentication.
With custom authentication, we can acquire user-mapping data from the
authorization service. Therefore, the permission can be managed.
However, it seems that there are conflicts between the settings of
OpenID and custom authentication. I'm not sure if it works.
A couple of things come to mind, here:
* Yes, you could write a custom authentication module that queries
your authorization system and provides access to connections and
connection groups based on the data from that system. This shouldn't
be too terribly difficult particularly since you're probably not
concerned with using the Guacamole UX to manage the connection data.
You should just be able to pull those details at login.
* You could also look at using the JSON authentication module and see
if it will do what you want it to do. It may be that, between your
OpenID authentication system and your authorization system, you could
write something that would do the OpenID authentication and then
return the JSON connection data to that module from your authorization
system.
The bottom line is that it is almost certainly possible to do what
you're trying to do in integrating the two systems, and there are
multiple tools you can use - you just have to decide what is most
sustainable for the organization.
-Nick
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
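
An added example, not from this thread or the Guacamole project, of the second approach Nick describes: after the user's OpenID token has been verified, a service maps the user's roles to connections and produces the payload in the form Guacamole's JSON authentication module documents (HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with an all-zero IV, base64). The role table, the two-minute lifetime, the key and all names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

type Connection struct {
	Protocol   string            `json:"protocol"`
	Parameters map[string]string `json:"parameters"`
}

// Seal signs and encrypts the login JSON for an OpenID-verified user; byRole
// stands in for the authorization service's answer (assumption).
func Seal(user string, roles []string, byRole map[string]map[string]Connection, key []byte, now time.Time) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 16 {
		return "", fmt.Errorf("secret key must be 128 bits (got %d bytes)", len(key))
	}
	conns := map[string]Connection{} // only connections granted to the user's roles
	for _, r := range roles {
		for name, c := range byRole[r] {
			conns[name] = c
		}
	}
	expires := now.Add(2 * time.Minute).UnixMilli() // ms since epoch; short lifetime limits replay
	plain, err := json.Marshal(map[string]any{"username": user, "expires": expires, "connections": conns})
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(plain)
	msg := append(mac.Sum(nil), plain...) // HMAC-SHA256 signature, then the JSON
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	msg = append(msg, bytes.Repeat([]byte{byte(pad)}, pad)...)                       // PKCS#7 padding
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(msg, msg) // all-zero IV
	return base64.StdEncoding.EncodeToString(msg), nil
}

func main() {
	byRole := map[string]map[string]Connection{"ops": {"jump-host": {"ssh", map[string]string{"hostname": "10.0.0.5"}}}} // constructed
	fmt.Println(Seal("alice", []string{"ops"}, byRole, []byte("constructed-key!"), time.Now()))
}
```

The resulting string is what gets submitted to Guacamole's `/api/tokens` endpoint as the `data` parameter. The key must match the one configured for the module and should never leave the server side, since anyone holding it can mint a login for any username and connection set.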