
# OpenID Connect Auth

{% hint style="success" %}
**This documentation assumes that you already have access to an OpenID Connect identity provider**, such as Google, Okta, Azure, etc. If you do not already have Guacamole installed, please see the [installation instructions](/kcm-linux-rpm-method/installation.md).
{% endhint %}

### Installing OpenID Connect support for Guacamole <a href="#id-.authenticatinguserswithldapv2.x-installingldapsupportforguacamole" id="id-.authenticatinguserswithldapv2.x-installingldapsupportforguacamole"></a>

Keeper Connection Manager packages Guacamole’s OpenID Connect support within the `kcm-guacamole-auth-sso-openid` package:

```
$ sudo yum install kcm-guacamole-auth-sso-openid
```

### Connecting Guacamole to OpenID Connect <a href="#id-.authenticatinguserswithldapv2.x-connectingguacamoletoldap" id="id-.authenticatinguserswithldapv2.x-connectingguacamoletoldap"></a>

Guacamole’s main configuration file, `/etc/guacamole/guacamole.properties`, must be modified to point Guacamole at your OpenID Connect identity provider:

```
$ sudo vi /etc/guacamole/guacamole.properties
```

The `guacamole.properties` file provided with Keeper Connection Manager is organized into sections documented with blocks of comments and example properties. The first section that must be modified is marked “OPENID-1” and defines the IdP configuration. Uncomment the properties in this section and edit them according to your identity provider setup.

```
##
## [OPENID-1] Identity provider details
##
## The details of the identity provider (IdP) that Guacamole should use for
## authentication. These properties dictate how Guacamole should communicate
## with the IdP, including how users should be redirected for
## authentication by the IdP. THIS INFORMATION IS REQUIRED if the OpenID
## extension will be used.
##
## If your IdP implements "OpenID Connect Discovery", these values can be
## found within the JSON file hosted at:
##
##   https://identity-provider/.well-known/openid-configuration
##
## where "https://identity-provider" is the base URL of the IdP.
##

#openid-authorization-endpoint: https://myprovider.example.net/sso/openid/auth
#openid-jwks-endpoint: https://myprovider.example.net/sso/openid/certs
#openid-issuer: https://myprovider.example.net
```
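The comment above says the OPENID-1 values can be read from the IdP's discovery document. The following script, an added example that is not part of Keeper's documentation or of the Guacamole extension, shows which discovery keys feed which property and applies the checks worth making before uncommenting them (every value must be an absolute `https://` URL, and the issuer must carry no query or fragment). The discovery document embedded below is constructed to match the example values in the section; a real one is fetched from `https://identity-provider/.well-known/openid-configuration`.

```python
"""Derive the [OPENID-1] guacamole.properties values from an OpenID Connect
discovery document. Added example, not Keeper's or Guacamole's code; the
sample discovery document below is constructed."""
import json
from urllib.parse import urlparse

# Constructed sample of a .well-known/openid-configuration response, reduced
# to the keys this example needs plus one it ignores.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://myprovider.example.net",
    "authorization_endpoint": "https://myprovider.example.net/sso/openid/auth",
    "token_endpoint": "https://myprovider.example.net/sso/openid/token",
    "jwks_uri": "https://myprovider.example.net/sso/openid/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Discovery-document key -> guacamole.properties key, using the property names
# shown in the OPENID-1 section of the shipped guacamole.properties.
DISCOVERY_TO_PROPERTY = {
    "authorization_endpoint": "openid-authorization-endpoint",
    "jwks_uri": "openid-jwks-endpoint",
    "issuer": "openid-issuer",
}


def _require_https_url(name, value):
    """Reject anything that is not an absolute https:// URL. The user's browser
    is redirected to the authorization endpoint and Guacamole fetches signing
    keys from the JWKS endpoint, so both must be trustworthy locations."""
    parsed = urlparse(value)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{name} must be an absolute https URL, got {value!r}")
    return parsed


def properties_from_discovery(discovery_json: str) -> dict:
    """Parse a discovery document and return the three OPENID-1 properties,
    failing loudly on a missing key or an unacceptable value."""
    doc = json.loads(discovery_json)
    props = {}
    for disc_key, prop_key in DISCOVERY_TO_PROPERTY.items():
        if disc_key not in doc:
            raise ValueError(f"discovery document lacks required key {disc_key!r}")
        parsed = _require_https_url(disc_key, doc[disc_key])
        # Per OpenID Connect Discovery, the issuer identifier has no query or
        # fragment; the "iss" claim in ID tokens must match it exactly.
        if disc_key == "issuer" and (parsed.query or parsed.fragment):
            raise ValueError("issuer must not contain a query or fragment")
        props[prop_key] = doc[disc_key]
    return props


def render_properties(props: dict) -> str:
    """Render the properties as uncommented guacamole.properties lines."""
    return "\n".join(f"{key}: {value}" for key, value in props.items()) + "\n"


if __name__ == "__main__":
    print(render_properties(properties_from_discovery(SAMPLE_DISCOVERY_JSON)), end="")
```

Run against a real discovery document, the output is the three lines to paste into the OPENID-1 section in place of the commented examples.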

The second section contains the Keeper Connection Manager server information that is used by the IdP.

```
##
## [OPENID-2] Guacamole server details
##
## The details of the Guacamole server that should be provided to the OpenID
## Connect IdP when authenticating the user. This information defines how the
## OpenID Connect IdP should send identity assertions back to the Guacamole
## server if their identity is confirmed. THESE PROPERTIES ARE REQUIRED if
## the OpenID extension will be used.
##

#openid-client-id: abcd1234-xyz.apps.myprovider.example.net
#openid-redirect-uri: https://myserver.example.net
```

The third section defines how the claims in the IdP’s identity assertions are mapped to Guacamole usernames and groups.

```
##
## [OPENID-3] Identity mapping
##
## How identity assertions received from the OpenID Connect IdP should be
## mapped back to user and group identities. Mapping users and groups is
## flexible within OpenID, with the definition of user/group identity left
## to the application to determine from the various assertions ("claims")
## returned by the OpenID IdP in response to successful authentication.
##
## By default, Guacamole will use the "email" claim as the username and the
## content of the "groups" claim (if present) as the set of associated user
## groups. OpenID IdP implementations may support additional claims that may
## be more appropriate for your use case. If using different claims from the
## defaults, the "openid-scope" property must be adjusted so that Guacamole
## knows to request those claims from the IdP.
##

#openid-scope: openid email profile
#openid-username-claim-type: email
#openid-groups-claim-type: groups
```

The fourth section contains optional clock skew and timeout parameters; the defaults described in the comments apply unless you override them.

```
##
## [OPENID-4] Clock skew and timeouts
##
## By default, clock skew between the Guacamole server and the OpenID IdP of up
## to 30 seconds is tolerated, tokens generated by the OpenID IdP are valid for
## no longer than 5 hours, and the "nonce" generated for each OpenID request by
## Guacamole will remain valid for no longer than 10 minutes.
##
## If necessary, these values can be overridden. Clock skew is specified in
## seconds, and token/nonce validity is specified in minutes.
##

#openid-allowed-clock-skew: 30
#openid-max-token-validity: 300
#openid-max-nonce-validity: 10
#saml-compress-response: true
```
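The OPENID-2, OPENID-3 and OPENID-4 sections together decide whether an ID token is accepted and who it maps to. The script below, an added example that is not Keeper's or Guacamole's code, walks through those checks on a constructed, already-decoded claim set: issuer and audience must match `openid-issuer` and `openid-client-id`, the `iat`/`exp` window is judged with `openid-allowed-clock-skew` and capped by `openid-max-token-validity`, the nonce must be the one Guacamole issued within `openid-max-nonce-validity`, and finally the configured username and groups claim types are read. How the extension applies these limits internally is an assumption of this example, and JWT signature verification against the JWKS endpoint is deliberately out of scope.

```python
"""Apply the OPENID-2/3/4 settings to an ID token's claims and map them to a
Guacamole identity. Added example, not Keeper's or Guacamole's code; the
config values, sample claims and nonce are constructed, and the way the
extension enforces these limits internally is assumed."""
from datetime import datetime, timedelta, timezone

# Values as they would appear in guacamole.properties after uncommenting.
CONFIG = {
    "openid-issuer": "https://myprovider.example.net",
    "openid-client-id": "abcd1234-xyz.apps.myprovider.example.net",
    "openid-username-claim-type": "email",
    "openid-groups-claim-type": "groups",
    "openid-allowed-clock-skew": 30,    # seconds
    "openid-max-token-validity": 300,   # minutes (5 hours)
    "openid-max-nonce-validity": 10,    # minutes
}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_NONCE = "n-0S6_WzA2Mj"                 # constructed nonce value
NONCE_ISSUED_AT = NOW - timedelta(minutes=2)   # when Guacamole generated it

# Constructed decoded ID-token payload; a real one arrives as a signed JWT.
SAMPLE_CLAIMS = {
    "iss": "https://myprovider.example.net",
    "aud": "abcd1234-xyz.apps.myprovider.example.net",
    "iat": int((NOW - timedelta(minutes=1)).timestamp()),
    "exp": int((NOW + timedelta(hours=1)).timestamp()),
    "nonce": SAMPLE_NONCE,
    "email": "alice@example.net",
    "groups": ["admins", "vpn-users"],
}


class ClaimsRejected(Exception):
    """Raised with the reason a token would not be accepted."""


def validate_claims(claims, config, now, expected_nonce, nonce_issued_at):
    """Run the checks the configured properties imply and return
    (username, groups). now and nonce_issued_at are timezone-aware."""
    skew = timedelta(seconds=config["openid-allowed-clock-skew"])
    max_token = timedelta(minutes=config["openid-max-token-validity"])
    max_nonce = timedelta(minutes=config["openid-max-nonce-validity"])

    # [OPENID-1]/[OPENID-2]: the token must come from the configured IdP and
    # be addressed to this client; "aud" may be a string or a list.
    if claims.get("iss") != config["openid-issuer"]:
        raise ClaimsRejected("issuer does not match openid-issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if config["openid-client-id"] not in aud:
        raise ClaimsRejected("audience does not include openid-client-id")

    # [OPENID-4]: time checks with the clock skew tolerated in both
    # directions, plus a cap on the token's total validity window.
    iat = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    if iat > now + skew:
        raise ClaimsRejected("token issued in the future")
    if exp < now - skew:
        raise ClaimsRejected("token expired")
    if exp - iat > max_token:
        raise ClaimsRejected("validity window exceeds openid-max-token-validity")

    # [OPENID-4]: the nonce must be the one Guacamole generated and still fresh,
    # which is what ties this response to the login attempt that started it.
    if claims.get("nonce") != expected_nonce:
        raise ClaimsRejected("nonce does not match the one issued")
    if now - nonce_issued_at > max_nonce:
        raise ClaimsRejected("nonce older than openid-max-nonce-validity")

    # [OPENID-3]: identity mapping from the configured claim types. A missing
    # username claim usually means openid-scope does not request it.
    username = claims.get(config["openid-username-claim-type"])
    if not username:
        raise ClaimsRejected("username claim missing; check openid-scope")
    groups = claims.get(config["openid-groups-claim-type"]) or []
    return username, set(groups)


def check_sample():
    """Validate the constructed claims against the constructed config."""
    return validate_claims(SAMPLE_CLAIMS, CONFIG, NOW, SAMPLE_NONCE, NONCE_ISSUED_AT)


if __name__ == "__main__":
    print(check_sample())
```

Changing `openid-username-claim-type` to a claim the IdP only returns for an additional scope (for example `preferred_username` under the `profile` scope) is the common way the mapping silently breaks, which is why the example treats a missing username claim as a rejection rather than falling back.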

### Completing installation <a href="#id-.authenticatinguserswithldapv2.x-completinginstallation" id="id-.authenticatinguserswithldapv2.x-completinginstallation"></a>

Guacamole will generally only load new extensions and reread `guacamole.properties` during the startup process. To apply the configuration changes, Guacamole must be restarted:

```
$ sudo systemctl restart guacamole
```

