On Mon, Mar 6, 2023 at 9:26 AM hantuo <[email protected]> wrote:

> Hi All,
>
> I’m working on setting up Guacamole single sign-on. In my organization,
> user permission is maintained by a specific team. Therefore, I have to
> implement middleware to acquire permission information from the team.
> After that, I can assign Guacamole connections to corresponding users.
>
> I enabled OpenId, encrypted JSON, and database authentication. I thought
> that permission can be assigned via encrypted JSON, and users can log in
> via OpenId afterward. However, it seems that encrypted JSON is a
> one-time password. The connections assigned by encrypted JSON were not
> stored in the database.
>

When you authenticate a user with the encrypted JSON extension, you are
providing transient data that they will be able to access within their
session. The extension determines the user's identity from that JSON, and
the connections you declare within that JSON are independent of any
connections you declare within the database. They exist only in memory.

Have you considered using group memberships dictated by OpenID to determine
connection access?

- Mike
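
The transient nature described above is visible in the payload itself. This is an added example, not part of the original thread and not the Guacamole project's code. It assumes the format documented for the encrypted JSON extension (HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with an all-zero IV, base64 output); the key, username and host are constructed values, and the function names are hypothetical.

```javascript
// Added example: the whole session (identity, expiry, connections) travels
// inside one signed, encrypted blob, so nothing is written to the database.
const nodeCrypto = require("crypto");

const ZERO_IV = Buffer.alloc(16); // assumed format: all-zero IV
const SAMPLE_KEY = "00112233445566778899aabbccddeeff"; // constructed 128-bit key

// Constructed session: one user, one connection, five-minute lifetime.
function sampleSession(now) {
  return {
    username: "alice",
    expires: now + 5 * 60 * 1000, // milliseconds since the epoch
    connections: {
      "build-host": {
        protocol: "ssh",
        parameters: { hostname: "10.0.0.5", port: "22" },
      },
    },
  };
}

// Middleware side: sign the JSON, prepend the signature, encrypt, base64.
function buildAuthData(secretHex, session) {
  const key = Buffer.from(secretHex, "hex");
  if (key.length !== 16) throw new Error("secret key must be 128 bits");
  const json = Buffer.from(JSON.stringify(session), "utf8");
  const sig = nodeCrypto.createHmac("sha256", key).update(json).digest();
  const cipher = nodeCrypto.createCipheriv("aes-128-cbc", key, ZERO_IV);
  const body = Buffer.concat([sig, json]);
  return Buffer.concat([cipher.update(body), cipher.final()]).toString("base64");
}

// Mirror of the receiving side: decrypt, verify the signature, check expiry.
function openAuthData(secretHex, data, now = Date.now()) {
  const key = Buffer.from(secretHex, "hex");
  const decipher = nodeCrypto.createDecipheriv("aes-128-cbc", key, ZERO_IV);
  const raw = Buffer.from(data, "base64");
  const plain = Buffer.concat([decipher.update(raw), decipher.final()]);
  const sig = plain.subarray(0, 32); // HMAC-SHA256 output is 32 bytes
  const json = plain.subarray(32);
  const expected = nodeCrypto.createHmac("sha256", key).update(json).digest();
  if (!nodeCrypto.timingSafeEqual(sig, expected)) throw new Error("bad signature");
  const session = JSON.parse(json.toString("utf8"));
  if (session.expires <= now) throw new Error("expired");
  return session;
}
```

Once `expires` passes, the blob is rejected and the connections it declared are gone, which is why it behaves like a one-time grant rather than a stored permission.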
