On Sat, 1 Mar 2025 at 23:20, Nick Couchman (<vn...@apache.org>) wrote:
>
> On Fri, Feb 28, 2025 at 5:20 PM Cyrus <cyru...@gmail.com> wrote:
>>
>> Hello!,
>>
>> I'm trying to set up Guacamole 1.6.0 to authenticate users via Keycloak
>> 26.1.2 (with Samba4 AD as federated authentication source).
>>
>> I've followed the documentation and even added these optional
>> parameters "just in case":
>>
>> openid-username-claim-type: email
>> openid-groups-claim-type: groups
>> openid-scope: openid email profile groups
>>
>> I get my users to authenticate successfully, but groups information is
>> missing as well as:
>>
>
> If group information is missing, then something is not working correctly in
> the transfer of information from your IdP to Guacamole. You'll need to make
> sure Keycloak is configured to send the group claims, and that you've matched
> up the claim type with what Keycloak is actually sending.
>
>>
>> Full name (expected)
>> Email address (expected)
>> Organization (not really sure)
>> Role (not really sure)
>>
>> Can anybody provide any hints about how to populate:
>>
>> Full name
>> Email address
>> Groups
>>
>
> I think you misunderstand the "openid-scope" option - it is not there to pull
> in that information and populate it within the database (e.g. during
> auto-creation of user accounts); rather it impacts what information is
> available for OpenID usernames, and may also be available for parameter
> tokens. See:
>
> https://guacamole.apache.org/doc/gug/openid-auth.html#configuring-guacamole-for-single-sign-on-with-openid-connect
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#extension-specific-tokens
>
> -Nick

Hello!,

After proper sleep, I found there was a "claim name" which I left
blank as it wasn't mandatory. After populating the name, users were
properly mapped to their group.

For the sake of consistency and cleanness, I'll remove the
"openid-scope" as I understand it is unnecessary and incorrect.

Regards,
Cyrus
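
One way to check the mismatch discussed in this thread, as an added example that is not part of the original messages or Guacamole's own code: it decodes an ID token payload and reports whether the claims named by `openid-username-claim-type` and `openid-groups-claim-type` are actually present. The tokens, the group name `guac-admins`, the e-mail address and all function names are constructed for illustration.

```python
import base64
import json

def decode_jwt_payload(token):
    """Return a JWT's claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_properties(text):
    """Parse 'key: value' lines as they appear in the thread."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props

def check_claims(props, claims):
    """Report, per configured claim type, whether the token carries that claim."""
    findings = {}
    for prop in ("openid-username-claim-type", "openid-groups-claim-type"):
        name = props.get(prop)
        if name is None:
            findings[prop] = "not set in properties"
        elif name not in claims:
            findings[prop] = f"claim '{name}' missing from token"
        elif claims[name] in ("", [], None):
            findings[prop] = f"claim '{name}' present but empty"
        else:
            findings[prop] = "ok"
    return findings

def make_sample_token(claims):
    """Constructed, unsigned token for the demo (not a real Keycloak token)."""
    parts = [json.dumps(p).encode() for p in ({"alg": "none"}, claims)]
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts) + ".sig"

PROPS = parse_properties("openid-username-claim-type: email\nopenid-groups-claim-type: groups\n")
# Constructed payloads: before and after the group mapper's claim name is filled in.
BEFORE = make_sample_token({"sub": "u1", "email": "user@example.com"})
AFTER = make_sample_token({"sub": "u1", "email": "user@example.com", "groups": ["guac-admins"]})

if __name__ == "__main__":
    for label, tok in (("before", BEFORE), ("after", AFTER)):
        print(label, check_claims(PROPS, decode_jwt_payload(tok)))
```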