
Netskope Help

Apache Guacamole with Azure AD or Okta SAML for Netskope Private Access

This document explains how to configure single sign-on (SSO) using SAML for Apache Guacamole with either Azure AD or Okta as the identity provider.

What is Guacamole?

Apache Guacamole is a clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. It is called clientless because no plugins or client software are required: thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser. For more information, refer to: Apache.org

Guacamole allows you to access servers, workstations, and infrastructure (essentially anything that accepts SSH, RDP, or VNC connections) via a web browser.

It also provides a layer of isolation, because the user is never directly connected to the resource. Instead, Guacamole connects to the resource on the user's behalf and the user interacts with an HTML canvas showing what is on screen. This lets you control actions such as whether copy and paste is allowed between the remote host and the user's machine.

Guacamole is particularly useful when you want to give third parties, like MSPs or contractors, access to internal company resources without letting them connect to those resources directly.

Why Bother with an SSO Integration?

SSO authentication for Guacamole is valuable because it lets you control which internal resources a user can see and connect to in the Guacamole UI (which servers and workstations appear for them) entirely from your existing Identity Provider (IdP), rather than from within Guacamole itself.

By simply assigning users to different Groups within the IdP, you can control what internal resources they have access to, without having to touch Guacamole itself.

This has two benefits:

If you are a homelabber and want to start dabbling with SSO, Azure Active Directory’s free tier will work fine for this integration.

Prerequisites

You need the following to configure Guacamole and configure the SAML integration:

  • A Linux system capable of supporting the docker.io release of Docker, and Docker Compose.

    • Ubuntu Server 20.04 LTS is recommended.

    • This guide describes using Ubuntu Server 20.04 LTS running in AWS (t2.micro instance: 1 vCPU, 1 GB memory).

  • An Identity Provider (IdP) that supports SAML 2.0, such as Azure AD or Okta.

    • The Azure AD free tier is sufficient.

    • This guide describes using Azure AD and Okta, but the steps are applicable to any SAML 2.0 IdP.

  • The FQDN/domain you wish to use to access Guacamole, like guac.company.local.

    • The domain must resolve internally to the IP address of the system that Guacamole is running on, for example guac.company.local resolving to 10.0.10.7.

    • If you will be accessing Guacamole through a Clientless ZTNA solution like Netskope Private Access, then the domain you choose MUST be an external one, and the same one that users will use to access it remotely, like guac.company.com. You CANNOT use a local/internal domain like .local. This matters because the IdP redirects the user's browser back to Guacamole's SAML callback URL after authentication, so that URL must use a name the browser can reach through the ZTNA path.

  • If you don't already have Guacamole configured, go to Installing Guacamole with Docker, which explains how to deploy Guacamole as a set of Docker containers; as long as your system can run Docker, it can run Guacamole.

  • A configured Netskope Private Access Publisher.
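The following pre-flight script checks the host-side prerequisites listed above before you start the SAML configuration: Docker and Docker Compose are installed, the chosen FQDN is acceptable for the access mode (internal only, or through Netskope Private Access browser access), and the FQDN resolves to the Guacamole host's address. It is an added example and is not part of the Netskope article or the Guacamole project. The hostnames and addresses (guac.company.com, 10.0.10.7), the environment variable names, and the list of internal-only suffixes beyond .local are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the Guacamole + SAML + Netskope Private Access prerequisites.
# Added example; hostnames, IPs and variable names are constructed for illustration.

# Returns 0 when the FQDN is acceptable for the given access mode.
#   internal : any name with at least one dot is fine (e.g. guac.company.local)
#   npa      : Netskope browser access additionally needs a public domain, so
#              internal-only suffixes are rejected. The page names .local; the
#              other suffixes in the list are an assumption about common internal zones.
fqdn_ok_for_mode() {
    fqdn=$1
    mode=$2
    case "$fqdn" in
        *.*) ;;
        *) echo "FQDN '$fqdn' has no domain part" >&2; return 1 ;;
    esac
    if [ "$mode" = "npa" ]; then
        case "$fqdn" in
            *.local|*.localhost|*.internal|*.lan|*.home.arpa)
                echo "FQDN '$fqdn' uses an internal-only suffix; access through NPA needs a public domain" >&2
                return 1 ;;
        esac
    fi
    return 0
}

# Returns 0 when the FQDN resolves, via the system resolver, to the expected
# IPv4 address (the "guac.company.local resolves to 10.0.10.7" requirement).
# Returns 2 when the check cannot be performed on this host.
fqdn_resolves_to() {
    fqdn=$1
    expected_ip=$2
    if ! command -v getent >/dev/null 2>&1; then
        echo "getent not available; cannot check resolution of '$fqdn'" >&2
        return 2
    fi
    resolved=$(getent ahostsv4 "$fqdn" 2>/dev/null | awk '{print $1}' | sort -u)
    if [ -z "$resolved" ]; then
        echo "FQDN '$fqdn' does not resolve" >&2
        return 1
    fi
    for ip in $resolved; do
        [ "$ip" = "$expected_ip" ] && return 0
    done
    echo "FQDN '$fqdn' resolves to '$resolved', expected '$expected_ip'" >&2
    return 1
}

# Returns 0 when Docker and Docker Compose (v2 plugin or the v1 docker-compose binary) are present.
docker_ok() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
    if docker compose version >/dev/null 2>&1 || command -v docker-compose >/dev/null 2>&1; then
        return 0
    fi
    echo "Docker Compose not found" >&2
    return 1
}

# Runs all checks and returns non-zero if any failed.
run_checks() {
    rc=0
    fqdn_ok_for_mode "$1" "$3" || rc=1
    fqdn_resolves_to "$1" "$2" || rc=1
    docker_ok || rc=1
    return $rc
}

# Constructed defaults; override with environment variables, e.g.
#   GUAC_FQDN=guac.company.local GUAC_IP=10.0.10.7 ACCESS_MODE=internal sh preflight.sh
GUAC_FQDN=${GUAC_FQDN:-guac.company.com}
GUAC_IP=${GUAC_IP:-10.0.10.7}
ACCESS_MODE=${ACCESS_MODE:-npa}

if run_checks "$GUAC_FQDN" "$GUAC_IP" "$ACCESS_MODE"; then
    echo "All prerequisite checks passed for $GUAC_FQDN ($ACCESS_MODE)"
else
    echo "One or more prerequisite checks failed for $GUAC_FQDN ($ACCESS_MODE); see messages above"
fi
```

Run it on the Guacamole host itself, since the resolution check uses that host's resolver; a name that resolves from your workstation but not from the Docker host will still break the SAML callback.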

Workflow
  1. Configure SAML with Azure AD or Okta.

  2. Create a SAML account in Netskope for your IdP.

  3. Enable browser access for private apps.

  4. Create a Real-time Protection Policy.