On Tue, Sep 28, 2021 at 9:01 AM International Security Providers < [email protected]> wrote:
> I just saw that my Installation already asks for the password when I only
> define the user variable.

Yes, this is the prompting feature previously mentioned.

> but for a true SSO-Experience there should be something else than storing
> and handling cleartext creds of the users. I thought about using one very
> complicated password for all users there, but still being able to use my
> SAMBA-integration.

Yes, but therein lies the challenge of using SSO with something like this. You basically have three options:

1) Use AD instead of SSO, requiring users to log in to Guacamole, but then making the remote desktop connections transparent using GUAC_USERNAME and GUAC_PASSWORD tokens.

2) Use SSO, and have it prompt the users for credentials when they actually connect to a remote desktop server. It's worth noting that I've worked with VDI products from both AWS and Azure, and this is how these providers have their VDI products implemented - SSO will get you into the system where you get your initial connection selection page, but you then end up having to enter your password, again, when you actually connect. So, it isn't a problem unique to Guacamole. Some SSO implementations - like CAS - allow you to work around this by providing the password back to the service provider. Yes, there are security considerations, here, but at least the ClearPass feature in CAS requires that you have an SSL certificate set up to do encryption of that data between the CAS IdP and the Service Provider (e.g. Guacamole). So, there's extra protection of that data as it goes back over the wire. It's not perfect, but it's better than nothing.

3) Use a credential vault that also integrates with your SSO provider to both store credentials and transparently unlock them and provide them to the requesting application. This is the goal of GUACAMOLE-641, integrating at least Azure KeyVault.

It's also worth noting, here, that this is more or less what CAS ClearPass is - it's just that, instead of accessing a vault with pre-stored credentials, the "vault" is the password you just entered. So...if you consider CAS ClearPass unusable due to security concerns, I'm not sure a KeyVault is any better - eventually the password has to be translated from an encrypted storage format to a cleartext format to be provided to the remote desktop server - there just isn't much way around this.

4) Use certificate/key-based (x509) authentication. Guacamole currently doesn't support this, so there would have to be some work done, here, but allowing x509 to work for both accessing Guacamole and then being able to pass that through to a remote desktop system as a virtual smart card is probably the most secure way to accomplish this. Just going to take some code to make it happen.

(Note that I could be off on my details, here - if someone thinks I'm off my rocker I won't be offended if you step in and correct me :-).

-Nick
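The pass-through in option 1 above, as an added illustration that is not part of Nick's reply or the Guacamole project's own examples: a connection definition in the form the Guacamole LDAP authentication extension reads (objectClass guacConfigGroup with guacConfigParameter entries), where the RDP username and password are not stored at all but replaced at connection time by the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens, i.e. whatever the user just typed into the Guacamole login page. The DNs, hostname and domain name are placeholders; it assumes the LDAP extension is pointed at AD in guacamole.properties and that the guacConfigGroup schema is available in the directory being searched (the same parameter names and tokens apply if connections are instead stored through the JDBC extension).

```ldif
# Constructed example: one RDP connection whose credentials are the
# user's own Guacamole login, substituted at connection time.
dn: cn=Desktop,ou=guacamole,dc=example,dc=com
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Desktop
guacConfigProtocol: rdp
guacConfigParameter: hostname=rdp.example.internal
guacConfigParameter: port=3389
# Tokens, not stored secrets: expanded from the authenticated session.
guacConfigParameter: username=${GUAC_USERNAME}
guacConfigParameter: password=${GUAC_PASSWORD}
guacConfigParameter: domain=EXAMPLE
guacConfigParameter: security=nla
guacConfigParameter: ignore-cert=false
# Only members of this group see the connection.
member: cn=alice,ou=users,dc=example,dc=com
```

Note what this does and does not buy you: nothing is persisted in Guacamole's configuration, but the password the user typed is still held by the web application for the life of the session and is handed to guacd, and from there to the RDP server, in cleartext, which is exactly the "eventually it has to be cleartext" point made above for the vault case. Enabling TLS between the web application and guacd (the guacd-ssl settings in guacamole.properties) covers the hop to guacd; it does not change the fact that the credential exists in the clear on the way.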
