Apache Guacamole™

What is Apache Guacamole™

From https://guacamole.apache.org/

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.

Preparation

The following placeholders will be used:

  • guacamole.company is the FQDN of the Guacamole install.
  • authentik.company is the FQDN of the authentik install.

Create an OAuth2/OpenID provider with the following parameters:

  • Client Type: Confidential
  • JWT Algorithm: RS256
  • Redirect URIs: https://guacamole.company/ (depending on your Tomcat setup, you might have to add /guacamole/ if the application runs in a subfolder)
  • Scopes: OpenID, Email and Profile

Note the Client ID value. Create an application, using the provider you've created above.

Guacamole

The Docker containers are configured via environment variables. The following variables are required:

OPENID_AUTHORIZATION_ENDPOINT: https://authentik.company/application/o/authorize/
OPENID_CLIENT_ID: # client ID from above
OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application from above*/
OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
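
A pre-deployment consistency check for the variables above, as an added example (not part of the original page or of either project): it verifies that the five values are set, use HTTPS, share one application slug, and that the redirect URI is registered on the provider. The function name, the sample slug "guacamole" and the client ID are assumptions; "must match" is read here as exact string equality.

```python
from urllib.parse import urlsplit

REQUIRED = ("OPENID_AUTHORIZATION_ENDPOINT", "OPENID_CLIENT_ID", "OPENID_ISSUER",
            "OPENID_JWKS_ENDPOINT", "OPENID_REDIRECT_URI")

def check_openid_env(env, registered_redirect_uris):
    """Return a list of problems in the OPENID_* variables (empty list if none)."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    if problems:
        return problems
    # Every endpoint must be an absolute https URL; the client ID is opaque.
    for name in REQUIRED:
        if name != "OPENID_CLIENT_ID":
            parts = urlsplit(env[name])
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"{name} is not an absolute https URL")
    issuer = env["OPENID_ISSUER"]
    # Pattern from the page: JWKS endpoint is the issuer URL followed by "jwks/".
    # This also catches a missing trailing slash or a different slug.
    if env["OPENID_JWKS_ENDPOINT"] != issuer + "jwks/":
        problems.append("OPENID_JWKS_ENDPOINT is not <OPENID_ISSUER>jwks/")
    # Pattern from the page: authorize endpoint sits on the same authentik host.
    auth = urlsplit(env["OPENID_AUTHORIZATION_ENDPOINT"])
    if auth.netloc != urlsplit(issuer).netloc or auth.path != "/application/o/authorize/":
        problems.append("OPENID_AUTHORIZATION_ENDPOINT is not "
                        "/application/o/authorize/ on the issuer host")
    # Compared as exact strings (assumption): a missing trailing slash or a
    # missing /guacamole/ subfolder counts as a mismatch.
    if env["OPENID_REDIRECT_URI"] not in registered_redirect_uris:
        problems.append("OPENID_REDIRECT_URI is not one of the provider's redirect URIs")
    return problems

# Constructed sample using the page's placeholder hostnames.
SAMPLE_ENV = {
    "OPENID_AUTHORIZATION_ENDPOINT": "https://authentik.company/application/o/authorize/",
    "OPENID_CLIENT_ID": "example-client-id",  # placeholder, not a real client ID
    "OPENID_ISSUER": "https://authentik.company/application/o/guacamole/",
    "OPENID_JWKS_ENDPOINT": "https://authentik.company/application/o/guacamole/jwks/",
    "OPENID_REDIRECT_URI": "https://guacamole.company/",
}

if __name__ == "__main__":
    # Redirect URIs as entered on the authentik provider (constructed).
    for problem in check_openid_env(SAMPLE_ENV, ["https://guacamole.company/"]):
        print(problem)
```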