Apache Guacamole is a web-based remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
As of version 0.9.14, Guacamole can use OpenID Connect , CAS or HTTP Headers as authentication sources through plug-ins.
This document explains how to implement OpenID Connect
Refer to the official Guacamole documentation to install Guacamole, either manually or through Docker images
You need to be able to enable extensions. If you are using docker, you need to follow these instructions in order to provide your own extensions directory and Guacamole configuration file
Your Guacamole configuration directory will look something like this.
├── extensions
│ └── 00-guacamole-auth-openid-1.0.0.jar
└── guacamole.properties
Danger
Make sure to rename the JAR in a way that ensures that it will be loaded first
And guacamole.properties should contain at least
openid-authorization-endpoint: http://auth.example.com/oauth2/authorize
openid-jwks-endpoint: http://auth.example.com/oauth2/jwks
openid-issuer: http://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: http://guacamole.example.com/guacamole/
openid-username-claim-type: sub
Tip
Remplace the redirect uri with your Guacamole server’s URL
Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server
You also need to allow the Implicit Flow under OpenID Connect Service » Security
Then, add a Relying Party with the following configuration