> Hi Mathieu,
> 
> On 7/7/16 10:38 AM, Mathieu Galliere wrote:
>> Hello,
>> 
>> I want to thank you for the huge work done by you and your team.
>> Guacamole is just amazing!
>> 
>> I write this email to you for a simple question: I'm trying to add
>> Guacamole to the CAS portal
>> (https://apereo.github.io/cas/4.2.x/index.html) and to enable the
>> single sign on provided by CAS on Guacamole.
> 
> A few weeks ago, we discussed doing the same in our working group, but
> we haven't had the manpower resources to start, yet. Having a link to
> CAS would be a very interesting feature as we integrated Guacamole into
> our institution's e-learning platform (Moodle, ownCloud, Guacamole and
> so on) and we would even like to integrate it much more by avoiding the
> necessity of additional logins.
> 
>> I have half of the work done, Guacamole is available only for users
>> who are logged on CAS but I'm trying to bypass the Guacamole auth
>> form helped by CAS's cookies.
> 
> That sounds interesting. Is your code available in a public repository?

I'd also be interested in seeing this code.  We're in the process of 
implementing CAS, and I'm looking to CASify as many items as possible.

> 
>> It can be done by the REST API from Guacamole but I cannot find some
>> documentation which can lead me on "how to do SSO using tokens" and
>> I didn't find anything about this in Jira and mailing list.
> 
> Good question. Unfortunately, I don't have any solution, yet. We are
> still in a very conceptual state. Perhaps one of my students has an idea.
> 
> The problem I had already in our concept was that Guacamole needs to
> know the plain text password for logging in to the actual remote desktop
> (e.g. the Linux or Windows terminal server). This is not available when
> a user logs in to the SSO service CAS. I have just found that working
> with CAS' ClearPass module [1] might help in this situation (while, at
> the same time, being aware that this feature clearly has its drawbacks
> from a security viewpoint). Do you have any idea to tackle this problem?
> 
>> There is of course the way to develop an auth-module but I don't
>> have the skill to do this.
> 
> Yes, I think that would be the best idea which also might have the
> biggest chance to get the approach accepted into the project. That was
> the way we thought about trying it.

Definitely - if we can get the code, maybe we can start working on a module and 
put it up on GitHub somewhere that does this authentication.

-Nick
