Thanks for your reply, Nick. On #2: User workstation —> Guacamole intermediate server —> Target RDP or SSH server
After the initial authentication to Guacamole with SAML/ smartcard/etc, If the intermediate server could get a ephemeral certificate (on behalf of the authenticated user) from a CA and allow auto login over SSH snd RDP to the target server. This post describes the conceot: https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/ Get Outlook for iOS<https://aka.ms/o0ukef> ________________________________ From: Nick Couchman <vn...@apache.org> Sent: Saturday, July 3, 2021 10:16:35 AM To: user@guacamole.apache.org <user@guacamole.apache.org> Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)? On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev <ran...@visa.com.invalid> wrote: Love Guacamole so far! For remote Windows servers that support only smartcard authentication, would like the following capabilities: 1. Smartcard redirection 2. Generation of ephemeral certs on the “gateway” for seamless “SSO” Are these features available or on the roadmap? The first one is definitely not implemented, yet, and I don't think there's a JIRA feature issue for it, either. For the second one, I'm not entirely sure what you mean. Several SSO platforms are supported in Guacamole - CAS, OpenID, and SAML - and within those some of them have support for validating logins using various means, including certificates between Guacamole and the SSO IdP. I know there was a recent e-mail on the list regarding getting SAML to work with certificate validation, so there may be some issues with that, and it's worth testing out further. In the end, doing certificate-based authentication to Guacamole shouldn't require too much work - the guacamole-ext framework provides relatively simple ways for supporting new authentication mechanisms, and SmartCards are really just x509 certificates, so really anything that supports certificate-based authentication should work. I know CAS supports x509 authentication, so it would probably be reasonably easy to get CAS x509 -> Guacamole authentication working without having to modify any code at all. -Nick
