> Hello!
>
> Thanks for the feedback. It's clear from your explanation that the ask
> about conditional group creation doesn't address the need.
>
> The thing regarding group member validation is that I have set it up,
> but it doesn't work. There are some indications that the client should
> support Authorization in addition to Authentication, will give it
> another try.
>
>
Unfortunately I have no experience with Keycloak, so I'm not going to be
much help with this - assuming Keycloak supports filtering by group
membership based on application, though, this should be entirely up to
Keycloak to handle. I'm not sure exactly what you mean by "the client
should support Authorization in addition to Authentication," but Guacamole
does support Authorization - it's exactly what I was describing in my last
response, that, while a user may be able to get access to the Guacamole
interface, they would have to be assigned permissions to connections and/or
connection groups in order to use them.


> Regarding the authenticated user not being able to access any defined
> connection, usually what I find is that detractors would argue that an
> attacker can source access from a user unrelated to the platform
> (social engineering, etc) and from there exploit application
> vulnerabilities that might not be exposed to unauthenticated parties.
>
>
I agree with this, in general - better not to even allow an unauthorized
user to authenticate to a system - I just believe that Keycloak ought to
(properly) handle this concern prior to ever getting to the Guacamole
application/UI. Guacamole is relying on the IdP to authenticate the
user, and part of that authentication process should be an initial
validation of authorization to use the application.

-Nick
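The two layers discussed in this thread, the IdP deciding whether a user may use the application at all and the application only exposing connections the user has been explicitly granted, are easy to conflate. The following is an added illustration written for this thread, not code from Guacamole or Keycloak: it models the IdP-side gate as a check on an already signature-verified ID token (audience, expiry and an application-specific group claim), and the application-side gate as a deny-by-default ACL on connections. The group name, audience, ACL entries and sample claims are all constructed assumptions.

```python
"""Two-layer access check for an OIDC-fronted application.

Added illustration, not Guacamole or Keycloak code. Layer 1 models what the
IdP should enforce before a user ever reaches the application UI: membership
in an application-specific group, a token issued for this client, and a
token that has not expired. Layer 2 models what the application enforces on
top of that: explicit permissions on connections, with no implicit access.
Signature verification of the token is assumed to have happened already.
"""
import time
from typing import Optional

REQUIRED_GROUP = "guacamole-users"   # assumed: IdP group that gates this app
EXPECTED_AUDIENCE = "guacamole"      # assumed: client id registered at the IdP

# Application-side ACL (constructed): connection name -> users allowed on it.
# Anything not listed is denied, including unknown connection names.
CONNECTION_ACL = {
    "rdp-jump-01": {"alice"},
    "ssh-bastion": {"alice", "bob"},
}


def idp_authorizes(claims: dict, now: Optional[float] = None) -> bool:
    """Layer 1: is this a token the IdP should have issued for this app?

    Returns False when the token is expired, was issued for another client,
    or the user is not in the application group. A token that passes here
    only means the user may reach the login, not that they may use anything.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False
    return REQUIRED_GROUP in claims.get("groups", [])


def app_authorizes(user: str, connection: str) -> bool:
    """Layer 2: deny by default; only explicitly granted users see a connection."""
    return user in CONNECTION_ACL.get(connection, set())


def can_use_connection(claims: dict, connection: str,
                       now: Optional[float] = None) -> bool:
    """Both layers must pass for a user to actually use a connection."""
    if not idp_authorizes(claims, now):
        return False
    return app_authorizes(claims.get("preferred_username", ""), connection)


# Constructed sample claims for demonstration (exp is 2100-01-01 UTC).
ALICE = {"preferred_username": "alice", "aud": "guacamole",
         "exp": 4102444800, "groups": ["guacamole-users"]}
MALLORY = {"preferred_username": "mallory", "aud": "guacamole",
           "exp": 4102444800, "groups": ["hr"]}
BOB_OTHER_CLIENT = {"preferred_username": "bob", "aud": "wiki",
                    "exp": 4102444800, "groups": ["guacamole-users"]}

if __name__ == "__main__":
    t = 1_700_000_000
    for name, claims in [("alice", ALICE), ("mallory", MALLORY),
                         ("bob/wiki", BOB_OTHER_CLIENT)]:
        print(name, "idp:", idp_authorizes(claims, t),
              "ssh-bastion:", can_use_connection(claims, "ssh-bastion", t))
```

The point of separating the two functions is that a failure at layer 1 (a user outside the application group, or a token minted for a different client) is rejected before any application code runs, which is the "IdP ought to handle this" position above, while layer 2 still holds even if layer 1 is misconfigured: an authenticated user with no grants sees no connections.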
