On 1/31/24 13:20, Nick Couchman wrote:
On Wed, Jan 31, 2024 at 4:10 PM Barnhart, Steven <[email protected]> wrote:
SAML is our main authentication provider, and we wouldn’t mind using
it with Guacamole to simplify things. Unfortunately, due to the way
SAML works, we don’t have access to the credentials to pass through
to connections. I don’t suppose anyone has thought of ways around
this?
Strictly speaking, no, there is no way around this, at least, not with
SAML, and not with things as implemented today in Guacamole. There are
some possibilities in the future - for example, SSL SSO (coming out in
the Guacamole 1.6.0 version) + Smartcard pass-through (not yet
implemented at all) could do the trick. It's also possible that
implementing some sort of Kerberos authentication mechanism for
Guacamole (not implemented at all), combined with FreeRDP 3.0's support
for Kerberos authentication (also not in Guacamole, yet) would, in
certain situations, get rid of the double-authentication requirement.
It's also worth noting that other remote access/VDI products that I use
on a regular basis - for example, Microsoft's Azure Virtual Desktop, and
VMware Horizon - behave exactly the same way and have the "double
authentication" requirement when accessing systems that require a
username and password.
Retrieving the required credentials dynamically from a vault would also
be a good solution:
https://guacamole.apache.org/doc/gug/vault.html#automatic-injection-of-secrets-based-on-connection-parameters
- Mike