On Fri, Feb 28, 2025 at 7:32 PM Cyrus <cyru...@gmail.com> wrote:
> Hello!
>
> I'm trying to set up authorization via the Keycloak Authorization module
> and OIDC integration for Guacamole.
>
> I've set up all the proper rules in Keycloak, currently based on group
> membership. There's an internal testing feature that allowed me to
> validate that authorization for a given application is denied for user1
> and granted for user2, depending on group membership:
>
> https://www.keycloak.org/docs/latest/authorization_services/index.html
>
> I was expecting this to be part of any standard OIDC integration, but
> Guacamole happily allows access to both user1 & user2. Reading around,
> it seems that the policy enforcement should be implemented on the client
> or web resource side (which sounds odd):
>
> https://www.keycloak.org/securing-apps/policy-enforcer
>
> I can't find any reference in the Guacamole documentation; can you
> please confirm whether something like that is supported somehow?

My guess is that this is related to your other post ([1]), but here are my responses:

* I think it should be possible, within the IdP (Keycloak), to limit access to certain applications based on group membership. I'm not a user of or familiar with Keycloak, but the other SSO IdPs that I've worked with (CAS and Entra) definitely allow for this.

* If for some reason this is not possible, you should still be able to limit access within Guacamole by only assigning rights for connections, connection groups, and administrative privileges to the users and/or user groups you deem necessary. Even if a user can get to the Guacamole UI, that does not mean they have any access to use connections/groups within the system.
-Nick

[1] - https://lists.apache.org/thread/9vsrk62phmgb6tr9x9wmjpbblc38dj55