On Sun, Nov 19, 2023 at 4:41 PM Benjamin Marty <[email protected]>
wrote:
> Hello
>
> Currently, I'm using Guacamole with LDAP. This has the great
> advantage, that users which exist in the Active Directory can be
> authenticated over LDAP and afterward can use the same "shared"
> connection. The "shared" connection is of the Protocol RDP and
> Username ${GUAC_USERNAME} and Password ${GUAC_PASSWORD}. Guacamole
> will then automatically fill the Username and Password of the current
> User and use that for the RDP connection. This means I don't need to
> manually add a connection per User.
>
> Now I think about switching to OpenID Connect. The Login to Guacamole
> over OpenID Connect works fine, but filling ${GUAC_PASSWORD} doesn't
> work anymore.
>
Correct - when you use OpenID (or SAML, or CAS without the ClearPass
extension), the password is not shared between the IdP and SP, so it will
not be available to Guacamole.
>
> Is there a generic way to solve this in an Environment where multiple
> Users should be able to use an RDP connection to Windows Server?
>
If you leave the password, or the username and password, blank, you should
get prompted for it during the connection process. Of course, this
essentially means users will have to log in twice - once to the SSO
platform, and then, again, to Windows.
It's worth noting that several other VDI and Remote Desktop solutions work
like this - VMware Horizon when connected to SAML or OpenID SSO,
Microsoft's WVD solution in Azure, etc.
The other options I can think of (Certificate/Smart-Card pass-through)
aren't currently implemented, so I don't think there's anything else at the
moment that would do the trick.
-Nick
>
> Thanks
>
> Benjamin
>
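As an added illustration of the two configurations discussed in this thread (not part of either message, and not taken from the Guacamole project's own documentation), below is one shared RDP connection stored in LDAP as a guacConfigGroup, first in the form that works with the LDAP extension and then in the form Nick describes for OpenID, where the password parameter is simply left out so Guacamole prompts for it at connect time. The DNs, hostname and domain are constructed placeholders; the objectClass and guacConfig* attribute names are from the Guacamole LDAP schema, and the ${GUAC_USERNAME}/${GUAC_PASSWORD} tokens are the ones Benjamin refers to.

```ldif
# Variant 1: LDAP authentication. Guacamole holds the password the user
# typed at login, so ${GUAC_PASSWORD} is filled in and no second prompt
# appears. Only members of the group see the connection.
dn: cn=shared-rdp-ldap,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: guacConfigGroup
cn: shared-rdp-ldap
guacConfigProtocol: rdp
guacConfigParameter: hostname=rdp.example.com
guacConfigParameter: port=3389
guacConfigParameter: security=nla
guacConfigParameter: domain=EXAMPLE
guacConfigParameter: username=${GUAC_USERNAME}
guacConfigParameter: password=${GUAC_PASSWORD}
member: cn=alice,ou=users,dc=example,dc=com

# Variant 2: OpenID Connect authentication. The IdP never hands the
# password to Guacamole, so a password parameter would expand to an
# empty value. Omitting it (and username, see note below) makes the
# RDP connection prompt the user for Windows credentials instead.
dn: cn=shared-rdp-oidc,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: guacConfigGroup
cn: shared-rdp-oidc
guacConfigProtocol: rdp
guacConfigParameter: hostname=rdp.example.com
guacConfigParameter: port=3389
guacConfigParameter: security=nla
guacConfigParameter: domain=EXAMPLE
member: cn=alice,ou=users,dc=example,dc=com
```

Two practical points for the OpenID variant: the username Guacamole sees is whatever claim is configured via openid-username-claim-type (by default the email claim), so ${GUAC_USERNAME} may not equal the Windows logon name and is safer left out unless the claim is known to match; and the second prompt is the expected behaviour, not a misconfiguration, because no credential that could be forwarded to Windows ever reaches Guacamole in that flow.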