I have 2 Cloudron instances which are synced with on-premise AD servers. I have the Guacamole app installed with the location set to use the bare domain. Prior to Guacamole V2.0 package update, users would browse to the Cloudron domain, login with their AD credentials at the login page shown, and were taken straight to Guacamole. From V2.0 package update onwards, the new OIDC login feature requires users to click a tiny link in the bottom corner of the initial login page, which takes them to another login page (OpenID Login page), to then log in with their AD credentials. (To clarify for those that aren't aware, using AD credentials at the first login page no longer works).
Not sure if I am missing something - but is it possible to set the default login page for Guacamole as the OpenID login page? Or is it possible to set the default login page to use the OpenID credentials? I've had a look through the GUI settings, checked the forums and Google, but come up empty. Any help is appreciated. -
Hello @phsc
Unfortunately I am not aware of a simple way to make OIDC login as the default.
Maybe you could create a custom branding and change the login page HTML to reflect what you would like to have.
To have something like this:
I just edited the HTML in the browser as a mockup.
See => https://docs.cloudron.io/packages/guacamole/#branding -
@james Thanks for your suggestion.
I currently have very basic custom branding applied, but still wasn't able to work out a solution - this is currently outside of my abilities. To confuse matters, I attempted to apply the example branding as linked in the documentation (to prove that changes were applying), but it didn't work. -
@phsc maybe worth asking the upstream guacamole community or raise a feature request there.
@nebulon thanks for your response. I wasn't sure if this was a Cloudron thing or a Guacamole thing, so as a paying customer I thought I would ask here first. Now focusing on the Guacamole documentation, I found the solution - it's actually very easy! Not sure why I didn't stumble upon it sooner.
Redirecting users immediately to the OpenID identity provider (Cloudron in this case), instead of going to the default Guacamole authentication method, requires a 1-line configuration change in the guacamole.properties file.
To do this, go to the File Manager for the Guacamole app and open the guacamole.properties file. Add a new line as shown below:
extension-priority: openid
Save and close the file, then restart the Guacamole app.
Now when browsing to your normal Guacamole URL, you will be redirected to the OpenID login page.
https://guacamole.apache.org/doc/gug/openid-auth.html#automatically-redirecting-all-unauthenticated-users
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-properties
https://docs.cloudron.io/apps/#file-manager -
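The file edit described in the post above can also be scripted. This is an added shell example, not part of the original thread or of the Cloudron package: the function name `set_extension_priority` is hypothetical, and the path to guacamole.properties is supplied by the caller because the thread does not give it. It keeps a backup, replaces any existing `extension-priority` line instead of adding a second one, and does nothing if the setting is already in place.

```shell
#!/bin/sh
# Added example (not from the thread): set extension-priority in a
# guacamole.properties file without creating duplicate entries.
# Usage: set_extension_priority /path/to/guacamole.properties [value]

set_extension_priority() {
    props="$1"              # caller-supplied path; no Cloudron path is assumed
    value="${2:-openid}"    # "openid" is the value given in the post above
    # Properties files accept both "key: value" and "key=value".
    key_re='^[[:space:]]*extension-priority[[:space:]]*[:=]'

    [ -f "$props" ] || { echo "no such file: $props" >&2; return 1; }

    # Already configured exactly once with the wanted value: leave the file alone.
    if [ "$(grep -c -E "$key_re" "$props")" -eq 1 ] &&
       grep -q -x -F "extension-priority: $value" "$props"; then
        return 0
    fi

    # Keep a copy of the original so the change can be reverted.
    cp -p "$props" "$props.bak" || return 1
    tmp="$(mktemp "$props.XXXXXX")" || return 1

    # Copy every line except existing extension-priority entries.
    # grep exits 1 when it selects no lines, which is not an error here.
    grep -v -E "$key_re" "$props" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }

    # Append the single authoritative entry.
    printf 'extension-priority: %s\n' "$value" >> "$tmp"

    # Write through the existing file so its ownership and mode are kept.
    cat "$tmp" > "$props" && rm -f "$tmp"
}
```

The Guacamole app still has to be restarted afterwards for the change to take effect, as in the manual steps.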
Hello @phsc
Awesome find! Do you think we should make this default in the Cloudron app when OIDC is used?
Hi @james, yes, I think so. Correct me if I am wrong, but Guacamole is configured to use Cloudron's OIDC Provider, so it makes sense that it would automatically take you to the OpenID login page. If you wanted to give less technically able users (like me) a choice, I'm assuming an option could be put under the Access Control section of the Guacamole app settings?
-
I think
extension-priority: openid
complicates logging in as root, no? (i.e. with the default admin). I think the real issue is that the Guacamole login page is not well designed.