On Mon, Mar 11, 2024 at 7:45 AM Alexandre Cariage <a...@sight-sound.ch> wrote:
> Hi all,
>
> Quickly:
>
> I'm looking to allow users to connect through OpenID Connect, and use the
> same credentials *inside the connection itself*, to open a Windows
> session with RDP.
>
> I.e., the Guacamole authentication is made by OpenID, and, through RDP,
> the Windows session opens with the OpenID credentials too, allowing for a
> seamless login with the creation of an OpenID user only.
>
> Can Guacamole pass credentials this way?
>

No, not quite this simply, anyway - this is a "limitation" of OpenID - but really more of a design feature. One of the key purposes of SSO is that there is no need for the sensitive credentials to be passed around from application to application. Because of this, OpenID, once it authenticates the user, does not provide any way for those credentials - the password, specifically - to be retrieved, which means Guacamole doesn't even know the password to be able to pass them on. The username should be known, and, assuming the OpenID username matches the RDP username, that part should work.

> If not, is there any other way to edit credentials on the fly (in other
> words, pass "Username" and "Password" fields of an RDP Connection in
> Guacamole as the connection is launched)?
>

Yes, if you leave the username and/or password fields blank, Guacamole will prompt you for the missing credentials at the time the connection is launched. The other option is to use a key vault - currently Keeper Secrets Manager is the only one supported - to retrieve secrets on-the-fly, but that requires that you have that up and running in your environment, or that you implement another key vault.

-Nick
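An added illustration of the "leave the field blank and get prompted" option Nick describes; this is not from the thread or from the Guacamole project itself. It is a connection definition in the shape of Guacamole's `user-mapping.xml`: the RDP `username` parameter is filled from the `${GUAC_USERNAME}` parameter token (the name Guacamole authenticated, which is the one piece of the OpenID login that is known), and the `password` parameter is deliberately absent so Guacamole prompts the user for it when the connection launches. The host name, connection name and user name are made up, and the choice of `user-mapping.xml` as the connection store is for illustration only; in an OpenID deployment the connections would more commonly live in a database extension, where the same parameter names and token apply.

```xml
<!-- Illustrative user-mapping.xml fragment (constructed example, not the
     thread's or the project's own configuration). -->
<user-mapping>

    <!-- The user entry is only here because this file format requires one;
         with OpenID the user is authenticated by the openid extension,
         not by this password attribute. -->
    <authorize username="jdoe" password="not-used-with-openid">

        <connection name="Windows desktop (RDP)">
            <protocol>rdp</protocol>

            <!-- Assumed internal host name. -->
            <param name="hostname">win-desktop.example.internal</param>
            <param name="port">3389</param>

            <!-- Reuse the username Guacamole already knows; the OpenID
                 username must match the Windows account name. -->
            <param name="username">${GUAC_USERNAME}</param>

            <!-- No <param name="password"> on purpose: Guacamole has no
                 OpenID password to forward, so leaving it out makes
                 Guacamole prompt for it when the connection is opened. -->

            <param name="ignore-cert">false</param>
        </connection>

    </authorize>

</user-mapping>
```

Leaving `username` out as well would make Guacamole prompt for both fields, which is the other half of the behaviour described in the reply.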