Thank you Mike for clarifying about Guacamole's smart card support
limitations. Based on your response, I understand:
1. Guacamole doesn't currently support direct smart card redirection
2. The properties I tried in guacamole.properties are invalid
3. Smart card SSO will be available in version 1.6.0 (GUACAMOLE-839)
I'll explore using the ${GUAC_USERNAME} token as a workaround for now.
Questions:
1. For version 1.6.0 SSO, will it support specific smart card
types/standards?
2. What's the expected timeline for 1.6.0 release?
Best regards,
Bhupender
On Thu, Jan 23, 2025 at 1:52 PM Michael Jumper <[email protected]> wrote:
> On 1/22/25 11:51 PM, Bhupender wrote:
> > Dear Support Team,
> >
> > I hope this email finds you well. I am encountering issues with smart
> > card integration in our Guacamole deployment and would appreciate your
> > assistance.
> >
> > ...
> >
> > *Current Implementation:*
> >
> > 1. *Guacamole Properties:*
> >
> > rdp.security: nla
> > rdp.enable-smartcard: true
> > rdp.smartcard-readers: ACS ACR39U ICC Reader 00 00
> > rdp.enable-drive: true
> > rdp.create-drive-path: true
> > rdp.ignore-cert: true
> >
> > ...
> >
>
> You're in the right place to seek assistance, but please note that this
> is a community of your fellow users and volunteer developers, not a
> support team.
>
> Guacamole does not have smart card redirection support and none of the
> properties you show for your guacamole.properties are valid properties.
>
> While the FreeRDP library and native "xfreerdp" client do have support
> for smart cards, leveraging that support through JavaScript and the
> browser is a whole different problem. Low-level smart card operations are
> not currently exposed by browsers through any standard API, and such an
> API would be a prerequisite for implementing this.
>
> Authenticating to Guacamole itself using smart cards _is_ possible in
> the sense of single sign-on. That's part of the upcoming 1.6.0 release:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-839
>
> This much is possible because it's purely between the browser and
> webapp, and thus can build on the browser's support for SSL/TLS client
> authentication. You can't pass that on to RDP, though, except to perhaps
> pass the username from the card with the "${GUAC_USERNAME}" token:
>
>
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
>
> - Mike