OpenID Connect

Auth0 Integration

Auth0 provides single sign-on across applications with two-factor authentication and federation to enterprise identity providers such as Microsoft Active Directory.

Integration with Auth0 is implemented through the auth-openid extension. The same extension also works with other OpenID Connect compatible identity providers.

  1. Before you start with the integration, make sure that users in Auth0 and Guacamole share the same username. Auth0 uses the email address as username by default, and Guacamole's OpenID extension likewise takes the username from the email claim of the ID token unless openid-username-claim-type is set otherwise. The users in Guacamole have to be named accordingly.

  2. Create a new client (https://manage.auth0.com/#/clients/create) and choose Regular Web Application.

  3. In the Settings tab, add the Public Hostname of the EC2 instance to the Allowed Callback URLs (e.g. https://ec2-00-00-00-00.compute-1.amazonaws.com/). Auth0 compares the redirect URI sent by Guacamole with this list character by character, so the value must be identical to the openid-redirect-uri configured below, including the scheme and the trailing slash.

  4. Set the JWT Expiration (seconds) to 3600. Guacamole additionally enforces its own limit on token age (openid-max-token-validity, 300 minutes by default), which 3600 seconds stays well within.

  5. Enable the OpenID Connect extension by linking the extension into the extensions folder. Execute the following command from /home/ec2-user/guaws. The destination file name (guacamole-auth-0-openid-1.5.2.jar) is important because Guacamole loads authentication extensions in alphabetical order; the 0 makes the OpenID extension sort ahead of any other authentication extension so that it is consulted first. Afterwards confirm that the link resolves to a real file: the target of a relative symlink is resolved from the link's own directory, not from the directory the command was run in.

    sudo ln -s ../available-extensions/guacamole-auth-sso-1.5.2/openid/guacamole-auth-sso-openid-1.5.2.jar \
    /home/ec2-user/guaws/guacamole/etc/extensions/guacamole-auth-0-openid-1.5.2.jar
  6. Open /home/ec2-user/guaws/guacamole/etc/guacamole.properties and add these properties

    # Replace mytenant.auth0.com with your tenant domain
    openid-authorization-endpoint=https://mytenant.auth0.com/authorize
    openid-jwks-endpoint=https://mytenant.auth0.com/.well-known/jwks.json

    # The issuer to expect for all received ID tokens. Auth0 issues tokens
    # with a trailing slash in the iss claim, so keep it here.
    openid-issuer=https://mytenant.auth0.com/

    # Include your client ID which can be found in the Settings tab
    openid-client-id=

    # Replace with the Public Hostname of the EC2 instance. This must match
    # one of the Allowed Callback URLs in Auth0 exactly.
    openid-redirect-uri=https://ec2-00-00-00-00.compute-1.amazonaws.com/
  7. Restart Guacamole by executing guawsctl restart guac. If Guacamole does not come back up after the restart, or if signing in fails, review the log files by executing guawsctl logs -f guac.

  8. Visit the public hostname of your EC2 instance. You will be redirected to Auth0 for authentication and, after a successful login, back to Guacamole.
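Most failures at step 7 come from small mismatches between the values entered in steps 3 and 6: an issuer without the trailing slash, a redirect URI that differs from the Allowed Callback URL by one character, or an endpoint copied from the wrong tenant. The following script is an added example, not part of the guaws appliance or of Guacamole, that checks the properties from step 6 against the tenant's OpenID discovery document and against the callback list. In practice you would fetch the discovery document with curl https://mytenant.auth0.com/.well-known/openid-configuration; here a constructed copy of its relevant fields is embedded so the script runs offline, and the client ID abc123 is a placeholder.

```python
"""Consistency check for the Guacamole OpenID properties against an Auth0 tenant.

Added example, not part of the guaws appliance or of Guacamole itself. It compares
the guacamole.properties keys from step 6 with the tenant's OpenID discovery
document and with the Allowed Callback URLs entered in the Auth0 application.
"""
import json
from urllib.parse import urlparse

# Constructed sample of the properties from step 6 (tenant, host and client ID
# are placeholders).
SAMPLE_PROPERTIES = """\
# Replace mytenant.auth0.com with your tenant domain
openid-authorization-endpoint=https://mytenant.auth0.com/authorize
openid-jwks-endpoint=https://mytenant.auth0.com/.well-known/jwks.json
openid-issuer=https://mytenant.auth0.com/
openid-client-id=abc123
openid-redirect-uri=https://ec2-00-00-00-00.compute-1.amazonaws.com/
"""

# Constructed sample of the relevant fields of the tenant's discovery document
# (normally fetched from https://mytenant.auth0.com/.well-known/openid-configuration).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://mytenant.auth0.com/",
    "authorization_endpoint": "https://mytenant.auth0.com/authorize",
    "jwks_uri": "https://mytenant.auth0.com/.well-known/jwks.json",
    "response_types_supported": ["code", "token", "id_token", "code token",
                                 "code id_token", "token id_token"],
})

# Constructed: what was typed into "Allowed Callback URLs" in step 3.
SAMPLE_CALLBACKS = ["https://ec2-00-00-00-00.compute-1.amazonaws.com/"]

REQUIRED = ("openid-authorization-endpoint", "openid-jwks-endpoint",
            "openid-issuer", "openid-client-id", "openid-redirect-uri")


def parse_properties(text):
    """Parse key=value lines of a Java properties file, skipping comments and blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oidc_config(properties_text, discovery_json, allowed_callbacks):
    """Return a list of human-readable problems; an empty list means consistent."""
    props = parse_properties(properties_text)
    disc = json.loads(discovery_json)
    problems = [f"{key} is missing or empty" for key in REQUIRED if not props.get(key)]
    if problems:
        return problems

    # The iss claim of every ID token is compared with openid-issuer as a string,
    # so the trailing slash Auth0 emits must be present in the property.
    if props["openid-issuer"] != disc["issuer"]:
        problems.append(f"openid-issuer {props['openid-issuer']!r} != discovery issuer {disc['issuer']!r}")
    if props["openid-authorization-endpoint"] != disc["authorization_endpoint"]:
        problems.append("openid-authorization-endpoint differs from discovery authorization_endpoint")
    if props["openid-jwks-endpoint"] != disc["jwks_uri"]:
        problems.append("openid-jwks-endpoint differs from discovery jwks_uri")

    # All three URLs must belong to the same tenant host; anything else is a copy/paste error.
    hosts = {urlparse(props[k]).hostname for k in
             ("openid-issuer", "openid-authorization-endpoint", "openid-jwks-endpoint")}
    if len(hosts) != 1:
        problems.append(f"endpoints span several hosts: {sorted(hosts)}")

    # Guacamole's OpenID support asks for response_type=id_token (implicit flow),
    # so the tenant must advertise that response type.
    if "id_token" not in disc.get("response_types_supported", []):
        problems.append("tenant does not advertise the id_token response type")

    # Auth0 matches the redirect URI against the allowed list character by character.
    redirect = props["openid-redirect-uri"]
    if redirect not in allowed_callbacks:
        problems.append(f"openid-redirect-uri {redirect!r} is not in the Allowed Callback URLs {allowed_callbacks}")
    if urlparse(redirect).scheme != "https":
        problems.append("openid-redirect-uri must use https; the ID token is returned to this URL")
    return problems


if __name__ == "__main__":
    for problem in check_oidc_config(SAMPLE_PROPERTIES, SAMPLE_DISCOVERY, SAMPLE_CALLBACKS):
        print("PROBLEM:", problem)
```

Run it against the real files by replacing the three constructed samples with the contents of /home/ec2-user/guaws/guacamole/etc/guacamole.properties, the downloaded discovery document and the callback list from the Auth0 Settings tab; an empty result means the values Guacamole will send and check are the ones Auth0 expects, and any remaining sign-in failure is then worth chasing in guawsctl logs -f guac rather than in the configuration.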