On Wed, Jan 31, 2024 at 4:10 PM Barnhart, Steven <barnhart....@osu.edu> wrote:
> SAML is our main authentication provider, and we wouldn’t mind using it > with Guacamole to simplify things, unfortunately due to the way SAML works > we don’t have access to the credentials to pass through to connections. I > don’t suppose anyone has thought of ways around this? > > > Strictly speaking, no, there is no way around this, at least, not with SAML, and not with things as implemented today in Guacamole. There are some possibilities in the future - for example, SSL SSO (coming out in the Guacamole 1.6.0 version) + Smartcard pass-through (not yet implemented at all) could do the trick. It's also possible that implementing some sort of Kerberos authentication mechanism for Guacamole (not implemented at all), combined with FreeRDP 3.0's support for Kerberos authentication (also not in Guacamole, yet) would, in certain situations, get rid of the double-authentication requirement. It's also worth noting that other remote access/VDI products that I use on a regular basis - for example, Microsoft's Azure Virtual Desktop, and VMware Horizon - behave exactly the same way and have the "double authentication" requirement when accessing systems that require a username and password. -Nick >