e390f5b2d1
* add option to exclude x5* Signed-off-by: Jens Langhammer <jens@goauthentik.io> #4082 * cleanup jwks, add flaky test Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add workaround based on https://github.com/jpadilla/pyjwt/issues/709 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * don't rstrip hashes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * keycloak seems to strip equals Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
73 lines
2.8 KiB
Plaintext
73 lines
2.8 KiB
Plaintext
---
|
|
title: Apache Guacamole™
|
|
---
|
|
|
|
<span class="badge badge--primary">Support level: authentik</span>
|
|
|
|
## What is Apache Guacamole™
|
|
|
|
From https://guacamole.apache.org/
|
|
|
|
:::note
|
|
Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
|
|
:::
|
|
|
|
## Preparation
|
|
|
|
The following placeholders will be used:
|
|
|
|
- `guacamole.company` is the FQDN of the Guacamole install.
|
|
- `authentik.company` is the FQDN of the authentik install.
|
|
|
|
Create an OAuth2/OpenID provider with the following parameters:
|
|
|
|
- Client Type: `Confidential`
|
|
- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
|
|
- Scopes: OpenID, Email and Profile
|
|
|
|
Under _Advanced protocol settings_, set the following:
|
|
|
|
- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
|
|
- Signing Key: Set the key as `authentik Self-signed Certificate`
|
|
|
|
Note the Client ID value. Create an application, using the provider you've created above.
|
|
|
|
## Guacamole
|
|
|
|
It is recommended you configure an admin account in Guacamole before setting up SSO to make things easier. Create a user in Guacamole using the email address of your user in authentik and give them admin permissions. Without this you might loose access to the Guacamole admin settings and have to revert the settings below.
|
|
|
|
import Tabs from "@theme/Tabs";
|
|
import TabItem from "@theme/TabItem";
|
|
|
|
<Tabs
|
|
defaultValue="docker"
|
|
values={[
|
|
{label: 'Docker', value: 'docker'},
|
|
{label: 'Standalone', value: 'standalone'},
|
|
]}>
|
|
<TabItem value="docker">
|
|
The docker containers are configured via environment variables. The following variables are required:
|
|
|
|
```yaml
|
|
OPENID_AUTHORIZATION_ENDPOINT: https://authentik.company/application/o/authorize/
|
|
OPENID_CLIENT_ID: # client ID from above
|
|
OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application from above*/
|
|
OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/?exclude_x5
|
|
OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
|
|
```
|
|
|
|
</TabItem>
|
|
<TabItem value="standalone">
|
|
Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
|
|
|
|
```
|
|
openid-authorization-endpoint=https://authentik.company/application/o/authorize/
|
|
openid-client-id=# client ID from above
|
|
openid-issuer=https://authentik.company/application/o/*Slug of the application from above*/
|
|
openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/?exclude_x5
|
|
openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
|
|
```
|
|
|
|
</TabItem>
|
|
</Tabs>
|