On Fri, Feb 28, 2025 at 5:20 PM Cyrus <cyru...@gmail.com> wrote:

> Hello!
>
> I'm trying to set up Guacamole 1.6.0 to authenticate users via Keycloak
> 26.1.2 (with Samba4 AD as federated authentication source).
>
> I've followed the documentation and even added these optional
> parameters "just in case":
>
> openid-username-claim-type: email
> openid-groups-claim-type: groups
> openid-scope: openid email profile groups
>
> I get my users to authenticate successfully, but group information is
> missing, as well as:
>
>
If group information is missing, then something is not working correctly in
the transfer of information from your IdP to Guacamole. You'll need to make
sure Keycloak is configured to send the group claims, and that you've
matched up the claim type with what Keycloak is actually sending.


> Full name (expected)
> Email address (expected)
> Organization (not really sure)
> Role (not really sure)
>
> Can anybody provide any hints about how to populate:
>
> Full name
> Email address
> Groups
>
>
I think you misunderstand the "openid-scope" option - it is not there to
pull in that information and populate it within the database (e.g. during
auto-creation of user accounts); rather it impacts what information is
available for OpenID usernames, and may also be available for parameter
tokens. See:

https://guacamole.apache.org/doc/gug/openid-auth.html#configuring-guacamole-for-single-sign-on-with-openid-connect
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#extension-specific-tokens

-Nick
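Nick's advice boils down to one check: look at the ID token Keycloak actually issues and compare the claim names in it with the values of `openid-username-claim-type` and `openid-groups-claim-type`. The script below is an added example written for this thread, not code from Guacamole or Keycloak. It decodes a JWT payload without verifying the signature (a diagnostic only; Guacamole does the real validation), reports whether each configured claim is present, and lists the list-valued claims so a mismatched claim name stands out. The two tokens it inspects are constructed inline; the claim name `group_membership` in the second one is made up to simulate a Keycloak mapper emitting groups under a different name than Guacamole expects.

```python
"""Diagnostic: does an OIDC ID token carry the claims Guacamole's openid-*
properties expect?  Added example; the tokens are constructed and unsigned
purely so this runs offline.  Never use decode_jwt_payload() for auth."""
import base64
import json

# The guacamole.properties settings quoted in the thread.
GUAC_PROPERTIES = {
    "openid-username-claim-type": "email",
    "openid-groups-claim-type": "groups",
    "openid-scope": "openid email profile groups",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT checking its signature.
    This only shows what the IdP sends; Guacamole validates signatures
    against the IdP's JWKS, so this must not be used for access decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def list_valued_claims(claims: dict) -> list:
    """Names of claims whose value is a JSON array (candidates for groups)."""
    return sorted(name for name, value in claims.items() if isinstance(value, list))


def check_claims(claims: dict, properties: dict) -> dict:
    """Compare the claim names Guacamole is configured to read with the
    claims present in the token.  Returns a report keyed by property."""
    report = {}
    for prop in ("openid-username-claim-type", "openid-groups-claim-type"):
        claim_name = properties[prop]
        report[prop] = {
            "expected_claim": claim_name,
            "present": claim_name in claims,
            "value": claims.get(claim_name),
        }
    # Group mapping only works if the groups claim is an array, not a string.
    groups_value = claims.get(properties["openid-groups-claim-type"])
    report["groups_is_list"] = isinstance(groups_value, list)
    report["list_valued_claims"] = list_valued_claims(claims)
    return report


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token (alg=none, empty
    signature) for the demo.  Real IdP tokens are signed; this is not."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample 1: Keycloak mapper emits the claim under the name
# Guacamole is configured for.
SAMPLE_OK = {
    "sub": "constructed-subject-1",
    "email": "alice@example.com",
    "name": "Alice Example",
    "groups": ["/staff", "/vpn-users"],
}

# Constructed sample 2: the mapper emits groups as "group_membership" (a
# made-up name), so Guacamole's "groups" lookup finds nothing.
SAMPLE_MISMATCH = {
    "sub": "constructed-subject-2",
    "email": "bob@example.com",
    "name": "Bob Example",
    "group_membership": ["/staff"],
}


def run_demo() -> tuple:
    """Inspect both constructed tokens and return their reports."""
    reports = []
    for sample in (SAMPLE_OK, SAMPLE_MISMATCH):
        claims = decode_jwt_payload(make_unsigned_token(sample))
        report = check_claims(claims, GUAC_PROPERTIES)
        reports.append(report)
        print(json.dumps(report, indent=2))
    return tuple(reports)


if __name__ == "__main__":
    run_demo()
```

If the report shows the groups claim absent but another list-valued claim present, the fix is on the IdP side (the mapper's claim name) or in `openid-groups-claim-type`, not in `openid-scope`, which only controls what the IdP is asked for, as Nick's links explain.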
