This article describes how to configure Apache Guacamole as a web resource in the Smart ID Digital Access component (Hybrid Access Gateway).

Prerequisites


Step-by-step instruction

Install Guacamole

  1. Log in via SSH to the Guacamole server.
  2. Install Guacamole using this command:

    wget -q -O - https://us.nexusgroup.com/dl/hag-docker-guacamole.sh | bash


  3. Start the Docker container as ‘root’ or any other Docker administrator user:

    sudo su -
    cd /opt/docker-guacamole
    docker-compose up -d


Create web resource

  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click Web Resources > Add Web Resource Host.
  3. Enable resource is checked by default.
  4. Enter a Display Name, the Host of the Guacamole server and the HTTP Port (8080). 
  5. Under Portal settings, check Make resource available in the Portal. Upload an icon image and enter link text.
  6. Click Next until the web resource is created and you see the Advanced Settings... option.


Add attribute

Either continue from the previous step, or:

  • Select the web resource under Registered Resources
  • Click Edit Resource Host...
  • Click Advanced Settings...

  1. At the bottom of the page, click Add Attribute... under section Back-end Attributes.
  2. Add a back-end attribute:
    1. Enter guac as Name.
    2. Use Header as Type.
    3. Use Static Value as Source.
    4. Choose None as Encoding.
    5. As Value, add username, password and IP address or DNS name of RDP host:

      <protocol>://username:password@<target-server>/?<parameterkey1>=<parametervalue1>&<parameterkey2>=<parametervalue2>

      This could look like:

      rdp://agadmin:admi123!@192.168.1.2/?color-depth=16


      Note

      protocol is one of: rdp, ssh, telnet, vnc.
      Additional parameters follow as: key=value,key=value...
      More details can be found here: https://guacamole.apache.org/doc/gug/configuring-guacamole.html#connection-configuration


  3. Click Add.
  4. Click Next and Finish Wizard.

Single Sign-on settings

Add Single Sign-On templates

If the username and password should be picked from a specific SSO domain, make the following adaptations. Refer also to Single sign-on script in Digital Access, headings "Upload script files" and "Add filters".

Follow the instructions below for these scripts:

Upload script files

See Single sign-on script in Digital Access.

Add filters
  1. In Digital Access Admin, go to Manage Resource Access > Global Resource Settings.
  2. Go to the Filters tab and click Add Filter...
  3. As Display Name, enter sso_username.
  4. As Script Name, enter sso_username.
  5. Select Request as Type of Filter.
  6. Select the Guacamole web resource as Resource Host.
  7. Enter * in Path.
  8. Select Headers as Apply Filter To.
  9. Click Add.
  10. Also add filters for sso_password, sso_domain and sso_uid.


Set internal cookies for User ID
  1. In Digital Access Admin, go to Manage Resource Access > Global Resource Settings.
  2. Go to the Advanced tab.
  3. Check User ID under Internal Cookies.
  4. Check Use "Cache-Control: no store" under Cache Control.
  5. Click Save.


Create an “SSO Domain” with the credentials you need

See Add single sign-on domain in Digital Access.


Update the Web resource HOST
  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click Web Resources > Edit Web Resources and select the web resource host you created.
    1. To use the scripts for SSO, sso_username and sso_password have to be used within the Guacamole resource, like:

      rdp://sso_username:sso_password@192.168.1.2/

      This is explained in the following steps.

  3. Under heading Single Sign-On:
    1. Check Enable Single Sign-On.
    2. Select Script as Single Sign-On Type.
    3. Select the SSO domain you created before as SSO Domain.
  4. Click Edit Attribute guac.
  5. Click Advanced settings...
  6. Update the header value to use 'sso_username', 'sso_password', etc., so that the dynamic values are used.
  7. Click Save and then publish the updates.
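
An added example (not part of the original article or of Digital Access) that checks a guac attribute value against the format described above: a protocol from the note's list, a host, key=value parameters, and whether the credentials are literal values or the sso_username/sso_password placeholders. The function name and finding codes are assumptions made for this example, and parsing uses Python's urlsplit, which may differ from how the gateway or Guacamole reads the value.

```python
from urllib.parse import urlsplit

# Protocols listed in the page's note; placeholder names from the SSO filters.
PROTOCOLS = {"rdp", "ssh", "telnet", "vnc"}
SSO_USER, SSO_PASS = "sso_username", "sso_password"


def lint_guac_value(value):
    """Return finding codes (hypothetical names) for one guac attribute value."""
    try:
        parts = urlsplit(value)
        host, user, password = parts.hostname, parts.username, parts.password
    except ValueError:
        return ["unparseable"]

    findings = []
    if parts.scheme not in PROTOCOLS:
        findings.append("bad-protocol")
    if not host:
        findings.append("missing-host")
    if parts.path not in ("", "/"):
        # For example, a '/' inside the password ends the host part early.
        findings.append("unexpected-path")
    if not user or not password:
        findings.append("missing-credentials")
    elif (user, password) != (SSO_USER, SSO_PASS):
        # Literal account data is stored in the gateway configuration.
        findings.append("static-credentials")
    for pair in filter(None, parts.query.split("&")):
        key, sep, _ = pair.partition("=")
        if not key or not sep:
            findings.append("bad-parameter:" + pair)
    return findings


# The first two samples are the page's own examples; the rest are constructed.
SAMPLES = [
    "rdp://agadmin:admi123!@192.168.1.2/?color-depth=16",
    "rdp://sso_username:sso_password@192.168.1.2/",
    "http://sso_username:sso_password@192.168.1.2/",
    "ssh://sso_username:sso_password@/?port",
]

if __name__ == "__main__":
    # Print the sample index rather than the value, so passwords are not echoed.
    for index, sample in enumerate(SAMPLES):
        print(index, "->", lint_guac_value(sample) or "ok")
```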

Add multiple Guacamole sessions

  1. Create a new DNS entry for the Guacamole server (add a CNAME).
  2. Follow the same steps as for the first connection.
  3. If you want to use SSO, follow the instructions in Add filters for the new CNAME.


This article is valid for Digital Access 6.0.2 and Smart ID 20.06.1 and later.
