Apache Guacamole with Azure AD or Okta SAML for Netskope Private Access
This document explains how to configure Single-Sign-On (SSO) using SAML for Apache Guacamole for both Azure AD and Okta.
What is Guacamole?
Apache Guacamole is a clientless remote desktop gateway that supports standard protocols, like VNC, RDP, and SSH. We call it clientless because no plugins or client software are required. Thanks to HTML, once Guacamole is installed on a server, all you need to access your desktops is a web browser. For more information, refer to: Apache.org
Guacamole allows you to access servers, workstations, and infrastructure (essentially anything that connects using SSH or RDP) via a web browser.
It also provides a layer of isolation, because the user is never connected to the resource directly. Instead, Guacamole connects to the resource and the user interacts with an HTML canvas of what is on-screen, which lets you control actions such as copying and pasting between the remote host and the user's machine.
Guacamole is particularly useful when you want to give third parties, like MSPs or contractors, access to internal company resources but don't want them to be able to connect to those resources directly.
Why Bother with an SSO Integration?
SSO authentication for Guacamole is valuable as a means to get visibility of internal resources (like what servers/workstations a user can see and connect to within the Guacamole UI), and this can be managed entirely within your existing Identity Provider (IdP), rather than within Guacamole itself.
By simply assigning users to different Groups within the IdP, you can control what internal resources they have access to, without having to touch Guacamole itself.
This has two benefits:
A reduction of operational overhead in having to manage system access in more than one location.
Ensuring that your IdP is the single source of truth for validation of identity (critical if you are moving your business towards a Zero Trust Architecture).
If you are a homelabber and want to start dabbling with SSO, Azure Active Directory’s free tier will work fine for this integration.
Prerequisites
You need the following to configure Guacamole and configure the SAML integration:
A Linux system capable of supporting the docker.io release of Docker, and Docker Compose.
Ubuntu Server 20.04 LTS is recommended.
This guide describes using Ubuntu Server 20.04 LTS running in AWS (t2.micro instance: 1 vCPU, 1 GB memory).
An Identity Provider (IdP) that supports SAML 2.0, such as Azure AD or Okta.
The Azure AD free tier is sufficient.
This guide describes using Azure AD and Okta, but the steps are applicable to any SAML 2.0 IdP.
The FQDN/domain you wish to use to access Guacamole, like guac.company.local. The domain must resolve internally to the IP address of the system that Guacamole is running on, like guac.company.local > 10.0.10.7.
If you will be accessing Guacamole through a Clientless ZTNA solution like Netskope Private Access, then the domain you choose MUST be an external one and the same one that users will use to access it remotely, like guac.company.com. You CANNOT use a local/internal domain like .local.
If you don't already have Guacamole configured, go to Installing Guacamole with Docker, which explains how to deploy Guacamole as a series of Docker containers, meaning, as long as your system can run Docker, it will be able to run Guacamole.
A configured Netskope Private Access Publisher.
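The two naming rules above (the name must resolve internally to the Guacamole host, and for browser access through Netskope Private Access it must be an external name rather than a .local one) are easy to get wrong before the SAML and publisher configuration is in place, where the failure shows up only as a redirect or certificate error. The pre-flight check below is an added example, not part of this document or of Guacamole; the names, the expected IP 10.0.10.7 and the sample DNS table are constructed from the examples on this page, and the `resolver` parameter exists only so the check can be run offline.

```python
import socket
import ipaddress
from typing import Callable, Dict, List

# Constructed sample DNS table mirroring the page's examples; used only for
# offline runs. In production, leave resolver=socket.gethostbyname so the
# lookup goes through the internal resolver the Guacamole host actually uses.
SAMPLE_DNS: Dict[str, str] = {
    "guac.company.local": "10.0.10.7",
    "guac.company.com": "10.0.10.7",
}


def sample_resolver(name: str) -> str:
    """Offline stand-in for socket.gethostbyname over the constructed table."""
    if name in SAMPLE_DNS:
        return SAMPLE_DNS[name]
    raise OSError(f"constructed NXDOMAIN for {name}")


def is_internal_name(fqdn: str) -> bool:
    """True for names that cannot be published through a clientless ZTNA
    portal: the .local suffix named on this page, or a single-label name
    (no dot), which can never be an externally resolvable FQDN."""
    name = fqdn.strip().rstrip(".").lower()
    return "." not in name or name.endswith(".local")


def preflight_fqdn(
    fqdn: str,
    expected_ip: str,
    via_ztna: bool,
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> List[str]:
    """Return a list of problems with the chosen Guacamole name.

    An empty list means the name passes both checks: it resolves to the
    Guacamole host's IP, and (when via_ztna is set) it is an external name.
    """
    problems: List[str] = []
    name = fqdn.strip().rstrip(".").lower()

    if via_ztna and is_internal_name(name):
        problems.append(
            f"{name}: internal/.local name; ZTNA browser access needs the "
            "external name users will use remotely"
        )

    try:
        ipaddress.ip_address(expected_ip)
    except ValueError:
        problems.append(f"{expected_ip!r} is not a valid IP address")
        return problems

    try:
        resolved = resolver(name)
    except OSError as exc:
        problems.append(f"{name} does not resolve: {exc}")
        return problems

    if resolved != expected_ip:
        problems.append(f"{name} resolves to {resolved}, expected {expected_ip}")
    return problems


if __name__ == "__main__":
    # Offline demonstration using the constructed table; swap in the real
    # resolver (drop the resolver argument) to check a live deployment.
    for candidate, ztna in (("guac.company.local", True), ("guac.company.com", True)):
        findings = preflight_fqdn(candidate, "10.0.10.7", ztna, sample_resolver)
        print(candidate, "OK" if not findings else findings)
```

Run it on the Guacamole host itself (without the `resolver` argument) so the lookup uses the same internal DNS the server will use; the .local name passes when `via_ztna` is False, which matches the page's rule that the internal-only setup may use an internal name.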
Workflow
Configure SAML with Azure AD or Okta.
Create a SAML account in Netskope for your IdP.
Enable browser access for private apps.
Create a Real-time Protection Policy.