Apache Guacamole is a web-based remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
As of version 0.9.14, Guacamole can use OpenID Connect , CAS or HTTP Headers as authentication sources through plug-ins.
This document explains how to implement OpenID Connect
Refer to the official Guacamole documentation to install Guacamole, either manually or through Docker images
You need to be able to enable extensions. If you are using docker, you need to follow these instructions in order to provide your own extensions directory and Guacamole configuration file
Your Guacamole configuration directory will look something like this.
├── extensions │ └── 00-guacamole-auth-openid-1.0.0.jar └── guacamole.properties
And guacamole.properties
should contain at least
openid-authorization-endpoint: http://auth.example.com/oauth2/authorize openid-jwks-endpoint: http://auth.example.com/oauth2/jwks openid-issuer: http://auth.example.com openid-client-id: guacamole openid-redirect-uri: http://guacamole.example.com/guacamole/ openid-username-claim-type: sub
redirect uri
with your Guacamole server's URL
Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server
You also need to allow the Implicit Flow
under OpenID Connect Service
» Security
Then, add a Relaying Party with the following configuration
openid-client-id
in guacamole.properties
openid-redirect-uri
in guacamole.properties
RS512