website/docs: improve-rac-documents (#14414)

* Updated sidebar

* Started updating how to rac doc

* Added rac public key doc

* Changed to how to doc

* Change wording

* Removed mentions of SSH because public key auth can be used for RDP too

* Removed more mentions of SSH

* Changed some language and formatting

* Added document explaining the use of other guacamole connection settings.

* Updated SSH doc to include other methods of how to apply connection settings and updated the rac-settings doc to refer to the SSH doc.

* Significant changes - Removed rac-settings page and merged it into the overview/index page. Applied suggestions from Tana and Dominic in how-to-rac and rac-public-key.

* Lint fix

* Addressing build issues

* Update website/docs/add-secure-apps/providers/rac/how-to-rac.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/docs/add-secure-apps/providers/rac/how-to-rac.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/docs/add-secure-apps/providers/rac/how-to-rac.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/docs/add-secure-apps/providers/rac/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/docs/add-secure-apps/providers/rac/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/docs/add-secure-apps/providers/rac/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/docs/add-secure-apps/providers/rac/index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Shorter headers and removed text block as Tana suggested.

* Update website/docs/add-secure-apps/providers/rac/how-to-rac.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/add-secure-apps/providers/rac/how-to-rac.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* test tweak

* few tweaks

* more polish

* tweak

* fix typo whah

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tana@goauthentik.io>
This commit is contained in:
Dewi Roberts
2025-05-23 13:02:43 +03:00
committed by GitHub
parent e57a98aeb5
commit 4e932e47c9
4 changed files with 158 additions and 41 deletions

View File

@ -2,9 +2,9 @@
title: Create a Remote Access Control (RAC) provider
---
The RAC provider is a highly flexible feature for accessing remote machines. This document provides instructions for the basic creation and configuration of a RAC provider within a defined scenario.
The Remote Access Control (RAC) provider is a highly flexible feature for accessing remote machines.
Fow more information about using a RAC provider, see the [Overview](./index.md) documentation. You can also view our video on YouTube for setting up RAC.
For overview information, see the [RAC provider](./index.md) documentation. You can also view our video on YouTube for setting up RAC.
<iframe width="560" height="315" src="https://www.youtube.com/embed/9wahIBRV6Ts;start=22" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
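Review bot: the embed URL in the retained `<iframe>` line, `https://www.youtube.com/embed/9wahIBRV6Ts;start=22`, uses `;` where a query string needs `?`, so the `start=22` offset is silently ignored by the player; change it to `.../embed/9wahIBRV6Ts?start=22` while this intro is being touched. The rewrite also drops the sentence that stated this page's scope ("instructions for the basic creation and configuration of a RAC provider within a defined scenario"); without it the new intro reads as a generic feature description rather than a how-to, so consider keeping a one-line statement of what the page covers.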
@ -12,31 +12,30 @@ Fow more information about using a RAC provider, see the [Overview](./index.md)
The RAC provider requires the deployment of the [RAC Outpost](../../outposts/index.mdx).
## Overview workflow to create a RAC provider
## Overview workflow to create an RAC provider
The typical workflow to create and configure a RAC provider is to 1. create app/provider, 2. create property mappings (that define the access credentials to each remote machine), 3. create an endpoint for each remote machine you want to connect to.
The typical workflow to create and configure a RAC provider is:
Depending on whether you are connecting using RDP, SSH, or VNC, the exact configuration choices might differ, but the overall workflow applies to all RAC connections.
1. Create an application and provider.
2. Create property mappings (that define the access credentials to each remote machine).
3. Create an endpoint for each remote machine you want to connect to.
### Step 1. Create an application and RAC provider
Depending on whether you are connecting using RDP, SSH, or VNC, the exact configuration choices will differ, but the overall workflow applies to all RAC connections.
The first step is to create the RAC app and provider.
### Create an application and RAC provider
1. Log in as an admin to authentik, and go to the Admin interface.
The first step is to create the RAC application and provider pair.
2. In the Admin interface, navigate to **Applications -> Applications**.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with provider**.
3. Follow these [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider.
3. Click **Create with provider**. Follow the [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider.
### Create RAC property mappings
### Step 2. Create RAC property mapping
Next, you need to add property mappings for each remote machine you want to access. Property mappings allow you to pass information to external applications, and with RAC they are used to pass the host name, IP address, and access credentials of the remote machine.
Next, you need to add a property mapping for each of the remote machines you want to access. Property mappings allow you to pass information to external applications, and with RAC they are used to pass the host name, IP address, and access credentials for the remote machines.
1. In the Admin interface, navigate to **Customization -> Property Mappings**.
2. On the **Property Mappings** page, click **Create**.
3. On the **New property mapping** box, set the following:
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization > Property Mappings** and click **Create**.
- **Select Type**: RAC Property Mappings
- **Create RAC Property Mapping**:
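Review bot: the article before "RAC" is inconsistent within this hunk: the new heading says "create an RAC provider" while the sentence right below it says "configure a RAC provider" and the page title uses "a Remote Access Control (RAC) provider"; pick one form (the rest of the docs use "a RAC") and apply it to the heading. The navigation separator formatting also differs between steps: `**Applications** > **Applications**` bolds each segment, while `**Customization > Property Mappings**` bolds the whole path; use one convention throughout.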
@ -45,38 +44,35 @@ Next, you need to add a property mapping for each of the remote machines you wan
- **Username**: the username for the remote machine
- **Password**: the password for the remote machine
- **RDP settings**:
- **Ignore server certificate: select **Enabled\*\* (Depending on the setup of your RDP Server, it might be required to enable this setting.)
- **Ignore server certificate**: select **Enabled** (Depending on the setup of your RDP Server, it might be required to enable this setting.)
- **Enable wallpaper**: optional
- **Enable font smoothing**: optional
- **Enable full window dragging**: optional
- Advanced settings:
- **Expressions**: optional, using Python you can define custom [expressions](../property-mappings/expression.mdx).
4. Click **Finish** to save your settings and close the box.
3. Click **Finish**.
### Step 3. Create Endpoints for the Provider
### Create endpoints for the provider
Finally, you need to create an endpoint for each remote machine. Endpoints are defined within providers; connections between the remote machine and authentik are enabled through communication between the provider's endpoint and the remote machine.
1. In the Admin interface navigate to **Applications -> Providers**.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications > Providers**.
3. Click the **Edit** button on the RAC provider that you previously created.
4. On the Provider page, under **Endpoints**, click **Create**, and provide the following settings:
2. Select the RAC provider you created in Step 1 above.
3. On the Provider page, under **Endpoints**, click **Create**.
4. On the **Create Endpoint** box, provide the following settings:
- **Name**: define a name for the endpoint, perhaps include the type of connection (RDP, SSH, VNC)
- **Protocol**: select the appropriate protocol
- **Host**: the host name or IP address of the system you are connecting to.
- **Name**: define a name for the endpoint, perhaps include the type of connection (RDP, SSH, VNC).
- **Protocol**: select the appropriate protocol.
- **Host**: enter the host name or IP address of the remote machine.
- **Maximum concurrent connections**: select a value or use `-1` to disable the limitation.
- **Property mapping**: select either the property mapping that you created in Step 2, or use one of the default settings.
- **Advance settings**: optional
- **Property mapping**: select either the property mapping that you previously created, or use one of the default settings.
- **Advance settings**: (_optional_)
5. Click **Create** to save your settings and close the box.
5. Click **Create**.
### Access the remote machine
## Access the remote machine
To verify your configuration and access the remote machine, go to the **User interface** of your authentik instance. On the **My applications** page click the **Remote Access** application. authentik connects you to a secure shell on the remote machine, in your web browser.
To verify your configuration and then access the remote machine, go to the **User interface** of your authentik instance. On the **My applications** page click the **Remote Access** application and authentik then connects you to a secure session on the remote machine, in your web browser.
If you defined multiple endpoints, they are each displayed; click the endpoint for the remote machine that you want to access.
If you defined multiple endpoints, click the endpoint for the remote machine that you want to access.
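Review bot: the `**Ignore server certificate**: select **Enabled**` step (whose broken `\*\*` markup is correctly fixed here) still recommends the setting without saying what it does: it disables verification of the RDP server's TLS certificate, which means the client cannot detect a server impersonating the target; the parenthetical should say it is needed only for servers using self-signed or untrusted certificates and that the preferred fix is to install a trusted certificate on the RDP host. Two smaller points in the same hunk: `**Advance settings**: (_optional_)` keeps the "Advance" typo from the old line (should be "Advanced settings"), and `**Applications > Providers**` uses the whole-path bold style while the earlier step uses `**Applications** > **Applications**`.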

View File

@ -16,6 +16,8 @@ Note that with RAC, you create a single application and associated provider that
For instructions on creating a RAC provider, refer to the [Managing RAC providers](./how-to-rac.md) documentation. You can also view our [video on YouTube](https://www.youtube.com/watch?v=9wahIBRV6Ts) for setting up a RAC.
For an example of how to configure RAC connections settings, refer to the [RAC SSH Public Key Authentication](./rac-public-key.md) documentation.
There are several components used with a RAC provider; let's take a closer look at the high-level configuration layout of these components and how they are managed using endpoints and connections.
![](./rac-v3.png)
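Review bot: "how to configure RAC connections settings" in the added sentence should read "connection settings", and the link text "RAC SSH Public Key Authentication" is capitalised differently from the same link later on this page ("RAC SSH public key authentication"); align the two so the cross-references read as the same document.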
@ -36,17 +38,30 @@ Configuration details such as credentials can be specified through _settings_, w
1. Provider settings
2. Endpoint settings
3. Connection settings (see [Connections](#connections))
3. Connection settings
4. Provider property mapping settings
5. Endpoint property mapping settings
### Connections
### Connection settings
Each connection is authorized through authentik Policy objects that are bound to the application and the endpoint. Additional verification can be done with the authorization flow.
A new connection is created every time an endpoint is selected in the [User Interface](../../../customize/interfaces/user/customization.mdx). Once the user's authentik session expires, the connection is terminated. Additionally, the connection timeout can be specified in the provider, which applies even if the user is still authenticated. The connection can also be terminated manually.
Additionally it is possible to modify the connection settings through the authorization flow. Configuration set in `connection_settings` in the flow plan context will be merged with other settings as shown above.
A new connection is created every time an endpoint is selected in the [User Interface](../../../customize/interfaces/user/customization.mdx). Once the user's authentik session expires, the connection is terminated. Additionally, the connection timeout can be specified in the provider, which applies even if the user is still authenticated. The connection can also be terminated manually.
The RAC provider utilises [Apache Guacamole](https://guacamole.apache.org/) for establishing SSH, RDP and VNC connections. RAC supports the use of Apache Guacamole connection configurations.
For a full list of possible connection configurations, see the [Apache Guacamole connection configuration documentation](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-connections).
RAC connection settings can be set via several methods:
1. The settings of the RAC provider
2. RAC endpoint settings
3. RAC property mappings
4. Retrieved from user or group attributes via RAC property mappings
For an example of how to set a connection setting see the [RAC SSH public key authentication](./rac-public-key.md) page.
## Capabilities
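Review bot: the removed paragraph ("Configuration set in `connection_settings` in the flow plan context will be merged with other settings") documented a mechanism that the new list of methods does not mention: the list ends at "Retrieved from user or group attributes via RAC property mappings", so setting connection settings from the authorization flow is now undocumented. If that feature still exists, add it as a fifth item (for example "5. `connection_settings` in the flow plan context, set during the authorization flow"); if it was removed, say so in the commit message. Also, replacing "3. Connection settings (see [Connections](#connections))" with a bare "3. Connection settings" drops the in-page link even though the target section still exists under its new heading; keep the link and update the anchor to `#connection-settings`. Minor: "utilises" is the only British spelling on a page that otherwise uses "authorized".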

View File

@ -0,0 +1,103 @@
---
title: RAC SSH Public Key Authentication
---
## About RAC SSH public key authentication
The RAC provider supports SSH public key authentication. This allows for secure connections to SSH endpoints without the use of passwords.
SSH private keys can be configured via several methods:
## Apply a private key to an RAC provider
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers**.
3. Click the **Edit** icon on the RAC provider that requires public key authentication.
4. In the **Settings** codebox enter the private key of the endpoint, for example:
```python
private-key:
-----BEGIN SSH PRIVATE KEY-----
SAMPLEgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END SSH PRIVATE KEY-----
```
5. Click **Update**.
## Apply a private key to an RAC endpoint
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers**.
3. Click the name of the RAC provider that the endpoint belongs to.
4. Under **Endpoints**- click on the **Edit** icon next to the endpoint that requires public key authentication.
5. Under **Advanced settings**, in the **Settings** codebox enter the private key of the endpoint:
```python
private-key:
-----BEGIN SSH PRIVATE KEY-----
SAMPLEgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END SSH PRIVATE KEY-----
```
6. Click **Update**.
## Apply a private key to an RAC property mapping
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**, then create a **RAC Provider Property Mapping** with the following settings:
- **Name**: Choose a descriptive name
- Under **Advanced Settings**:
- **Expression**:
```python
return {
"private-key": "-----BEGIN SSH PRIVATE KEY-----
SAMPLEgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END SSH PRIVATE KEY-----",
}
```
3. Click **Finish**.
4. Navigate to **Applications** > **Providers**.
5. Click the **Edit** icon on the RAC provider that requires public key authentication.
6. Under **Protocol Settings** add the newly created property mapping to **Selected Property Mappings**.
7. Click **Update**.
## Retrieve a private key from a user's attributes and apply it to an RAC property mapping
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **RAC Provider Property Mapping** with the following settings:
- **Name**: Choose a descriptive name
- Under **Advanced Settings**:
- **Expression**:
```python
return {
"private-key": request.user.attributes.get("<private-key-attribute-name>", "default"),
}
```
3. Click **Finish**.
4. Navigate to **Applications** > **Providers**.
5. Click the **Edit** icon on the RAC provider that requires public key authentication.
6. Under **Protocol Settings**, add the newly created property mapping to **Selected Property Mappings**.
7. Click **Update**.
:::note
For group attributes, the following expression can be used `request.user.group_attributes(request.http_request)`
:::
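Review bot: the expression in the "Apply a private key to an RAC property mapping" section is not valid Python: a double-quoted string literal cannot span lines, so `"private-key": "-----BEGIN SSH PRIVATE KEY-----` followed by the key body raises a SyntaxError when the mapping is evaluated; use a triple-quoted string (`"private-key": """-----BEGIN ... -----END SSH PRIVATE KEY-----""",`). The two `private-key:` blocks for the provider and endpoint **Settings** codebox are fenced as `python` but are YAML, and as written (`private-key:` with the key lines unindented below it) they do not parse; tag them `yaml` and use a block scalar, `private-key: |` with the PEM lines indented beneath it. In the user-attribute variant, `request.user.attributes.get("<private-key-attribute-name>", "default")` sends the literal string `default` as the private key when the attribute is missing, which produces a confusing authentication failure at the SSH server; fall back to `None` (or omit the key entirely) so a missing attribute fails clearly. Worth a sentence in the intro as well: a key placed in provider settings, endpoint settings or a mapping expression is readable by every admin who can view those objects and is shared by all users of that endpoint, whereas the user-attribute method scopes each key to one user; the page should say which approach it recommends. Small fixes: "SSH private keys can be configured via several methods:" is followed by headings rather than a list, so either list the four methods or drop the colon; "Under **Endpoints**- click on" has a stray hyphen; and the closing note should show the lookup in full, e.g. `request.user.group_attributes(request.http_request).get("<attribute-name>")`, and end with a period.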

View File

@ -237,7 +237,10 @@ const items = [
type: "doc",
id: "add-secure-apps/providers/rac/index",
},
items: ["add-secure-apps/providers/rac/how-to-rac"],
items: [
"add-secure-apps/providers/rac/how-to-rac",
"add-secure-apps/providers/rac/rac-public-key",
],
},
"add-secure-apps/providers/radius/index",
"add-secure-apps/providers/saml/index",