Hello,

When accessing the guacamole page does Keycloak login page redirect?

On Thu, 12 Sep 2019 at 19:19, Stephan Leruth <[email protected]> wrote:

> Hello,
>
> I have the following files :
>
> [root@guacamole ~]# tail -f /var/log/tomcat/catalina.
> catalina.2019-09-12.log catalina.2019-09-13.log catalina.out
> [root@guacamole ~]# tail -f /var/log/tomcat/catalina.2019-09-13.log
> sept. 13, 2019 12:13:51 AM org.apache.catalina.startup.HostConfig deployWAR
> INFOS: Deployment of web application archive
> /var/lib/tomcat/webapps/guacamole.war has finished in 10 995 ms
> sept. 13, 2019 12:13:51 AM org.apache.coyote.AbstractProtocol start
> INFOS: Starting ProtocolHandler ["http-bio-8080"]
> sept. 13, 2019 12:13:52 AM org.apache.coyote.AbstractProtocol start
> INFOS: Starting ProtocolHandler ["http-bio-8443"]
> sept. 13, 2019 12:13:52 AM org.apache.coyote.AbstractProtocol start
> INFOS: Starting ProtocolHandler ["ajp-bio-8009"]
> sept. 13, 2019 12:13:52 AM org.apache.catalina.startup.Catalina start
> INFOS: Server startup in 11303 ms
> ^C
> [root@guacamole ~]# tail -f /var/log/tomcat/catalina.
> catalina.2019-09-12.log catalina.2019-09-13.log catalina.out
> [root@guacamole ~]# tail -f /var/log/tomcat/catalina.out
> tomcat-7.0.76 RPM installed
>
>
> But no log. I may have misunderstood the question ?
>
> Thank you
> *Sent:* Thursday, 12 September 2019 at 19:22
> *From:* "Rafael Ramos" <[email protected]>
> *To:* [email protected]
> *Subject:* Re: RE: Guacamole 1.0.0 - Keycloak OpenID Information
> Hi Stephan,
>
> I use valid certificate, issued by Let's Encrypt.
>
> When you try to access after configuring Keycloak, do you get a message?
> Could you share catalina.log during the test?
>
> On Thu, 12 Sep 2019 at 14:17, Stephan Leruth <[email protected]> wrote:
>
>> Hello,
>>
>> Could you confirm or not that you are using self-signed certificates or
>> not? I am using self-signed certificates on my Keycloak server and my
>> Guacamole server and I suspect this is causing the problem.
>>
>> Thank you
>>
>>
>>
>> On 12/09/2019 at 14:45, Ryan Underwood wrote:
>>
>> > You can debug the flow easily directly in your browser using dev tools.
>> > If you're using Chrome you'll need to check "preserve log" under the
>> > network tab or it will disappear before you can see what happened; Firefox
>> > has this defaulted.
>> > Also make sure your scope preferred_username is actually available. I
>> > forget what keycloak calls a username. I think I added an email to get it
>> > working originally using default settings.
>> > -Ryan
>> >
>> > -----Original Message-----
>> > From: Stephan Leruth <[email protected]>
>> > Sent: Thursday, September 12, 2019 3:58 AM
>> > To: [email protected]
>> > Subject: Re: Guacamole 1.0.0 - Keycloak OpenID Information
>> >
>> > Hello,
>> >
>> > Unfortunately it still does not work.
>> > To summarize my installation, I use 2 servers :
>> > - Keycloak 4.3.0 on CentOS 7
>> > - Guacamole 1.0.0 on CentOS 7
>> > By checking the URL, I can confirm that the patch described here
>> > (https://github.com/apache/guacamole-client/commit/0344ef30e45954d1252d44b9826c7eedad8b02f3)
>> > is correctly applied.
>> > Looking at your nginx configuration, I understand that you access
>> > Guacamole via the URL https://guacamole.com.br/. Is it correct ? For
>> > my part, I access it via the URL https://dom.domain.local/guacamole. I do
>> > not think that's the source of the problem ?
>> > I can not find a log that allows me to trace the error. The script I
>> > used for the installation of Guacamole is this one :
>> > https://github.com/Zer0CoolX/guacamole-install-rhel
>> >
>> > Thank you very much for your help.
>> >
>> > On 11/09/2019 at 23:41, Rafael Ramos wrote:
>> >
>> > > Hi Stephan,
>> > >
>> > > My nginx configuration is:
>> > > location / {
>> > >     proxy_pass http://localhost:8080/guacamole/;
>> > >     proxy_buffering off;
>> > >     proxy_http_version 1.1;
>> > >     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> > >     proxy_set_header Upgrade $http_upgrade;
>> > >     proxy_set_header Connection $http_connection;
>> > >     proxy_cookie_path /guacamole/ /;
>> > > }
>> > >
>> > > And my guacamole.properties:
>> > > openid-authorization-endpoint: https://keycloak/auth/realms/master/protocol/openid-connect/auth
>> > > openid-jwks-endpoint: https://keycloak/auth/realms/master/protocol/openid-connect/certs
>> > > openid-issuer: https://keycloak/auth/realms/master
>> > > openid-client-id: guacamole
>> > > openid-redirect-uri: https://guacamole.com.br/
>> > > openid-scope: openid email profile
>> > > openid-username-claim-type: preferred_username
>> > >
>> > >
>> > >
>> > > On Wed, 11 Sep 2019 at 18:36, Stephan Leruth <[email protected]> wrote:
>> > >
>> > > >
>> > > > Hello,
>> > > >
>> > > > I applied the same settings as you but the problem is not solved.
>> > > >
>> > > > Could you tell me your NGINX configuration ?
>> > > >
>> > > > Thank you
>> > > >
>> > > >
>> > > > On 11/09/2019 at 23:26, Rafael Ramos wrote:
>> > > >
>> > > > > Hello,
>> > > > >
>> > > > > I am using Keycloak on Guacamole and I have no problems.
>> > > > >
>> > > > > The only difference is that I have the following settings:
>> > > > > Standard Flow Enabled: Off
>> > > > > Direct Access Grants Enabled: Off
>> > > > >
>> > > > > And in extensions I have only:
>> > > > > guacamole-auth-0-openid-1.0.0.jar
>> > > > > guacamole-auth-jdbc-mysql-1.0.0.jar
>> > > > >
>> > > > > On Wed, 11 Sep 2019 at 13:56, Stephan Leruth <[email protected]> wrote:
>> > > > >
>> > > > > > Hello,
>> > > > > >
>> > > > > > I use Guacamole in version 1.0.0 and it works perfectly.
>> > > > > > I configured the connection via LDAP (Active Directory) and this
>> > > > > > allows me to give access rights to certain users. However, I
>> > > > > > receive many complaints because the users want to implement a
>> > > > > > single sign-on (SSO).
>> > > > > >
>> > > > > > By reading the Apache Guacamole documentation, I read that
>> > > > > > authentication by OpenID is supported. I decided to set up a
>> > > > > > Keycloak server. Once it was correctly configured (SSO functional
>> > > > > > but no client configured), I tried to configure Guacamole. After
>> > > > > > several days of testing, I always have the same error : an
>> > > > > > infinite loop during authentication !
>> > > > > >
>> > > > > > I have read different topics on the Internet that indicate that
>> > > > > > this is an identified problem and should be corrected in the
>> > > > > > following versions (1.2.0). Correct ?
>> > > > > > I also read this guide
>> > > > > > (https://blog.exceptionerror.io/2019/06/10/home-lab-2019/) which
>> > > > > > indicates that the patch can be done manually. After completing
>> > > > > > these commands, it does not work better.
>> > > > > >
>> > > > > > I allow myself to add my Keycloak and Guacamole configuration
>> > > > > > for can be identify a big mistake on my part ?
>> > > > > >
>> > > > > > #OpenID Authentication
>> > > > > > openid-authorization-endpoint: https://sso01.dom.domain.local/auth/realms/master/protocol/openid-connect/auth
>> > > > > > openid-jwks-endpoint: https://sso01.dom.domain.local/auth/realms/master/protocol/openid-connect/certs
>> > > > > > openid-issuer: https://sso01.dom.domain.local/auth/realms/master
>> > > > > > openid-client-id: guacamole
>> > > > > > openid-redirect-uri: https://guacamole.dom.domain.local/guacamole
>> > > > > > openid-username-claim-type: username
>> > > > > > openid-scope: openid email profile
>> > > > > > openid-allowed-clock-skew: 500
>> > > > > >
>> > > > > > Thank you !
>> > > > > >
>> > > > > >
>> > > > > > Shaguu
>> > > > > >
>> > > > > > ---------------------------------------------------------------------
>> > > > > > To unsubscribe, e-mail: [email protected]
>> > > > > > For additional commands, e-mail: [email protected]
