Skip to main content
Skip table of contents

Guacamole - OIDC integration

This page guides you to integrate TrustBuilder MFA with Guacamole through OpenID Connect. Guacamole’s OpenID Connect support implements the implicit flow.

See Generic integration - OpenID Connect (OIDC) for basic information about OpenID Connect in TrustBuilder.



To configure TrustBuilder MFA with Guacamole through OpenID Connect, you should set up an “OpenID Connect” connector in TrustBuilder and provide the TrustBuilder information to Guacamole in order to communicate with TrustBuilder. You should set the same parameters in TrustBuilder connector properties as in the guacamole properties (in the Guacamole configuration file).

Read the following instructions to see how to proceed.

Creating OIDC connector in TrustBuilder

  1. Log in to the TrustBuilder MFA administration console.

  2. Go to the Secure Sites tab.

  3. Choose to add a connector of type “Open ID connect”.

  4. Configure the connector settings:



Connector name

A chosen name / information to define this connector's goal.

Client ID

Unique client identifier that will be used during authentications.

Login Type

Indicates whether the login used during the connection should be retrieved in the login field, the email field or the login 2 field.

Client Secret

Not used

Validity period of the token (optional)

The maximum amount of time that the token should remain valid, in seconds.
In Guacamole, the default validity period of the token is 300 seconds. To be compliant with Guacamole properties, set this parameter to 300 in TrustBuilder connector.

If you set a different value, you should also edit the guacamole configuration file: set openid-max-token-validity with the same value in second.

Default Authentication URL

Select the default authentication method to use on the authentication page served by TrustBuilder:

To protect users from attacks such as Push Bombing, we recommend selecting the QR code authentication. The QR code authentication method does not use push notifications, therefore it does not enable a push bombing scenario.

More information about protecting users from Push Bombing attacks


Determines the claims (or information) returned within the OpenID token. Note that the openid scope is included to request OpenID Connect protocol. It cannot be configured.

In Guacamole properties file, the default scope used is “openid email profile". To be compliant with Guacamole properties, check the “email” and “profile” in the connector.

If you set another configuration, you should also edit the guacamole configuration file. For example: if you check only “profile” case in connector properties, you should set the scope to “openid profile" in the guacamole configuration file.

  1. Click on Add to create the OpenID Connect connector.

  2. The connector creation automatically generates a connector alias, a Discovery URL and a secure site alias. These elements are displayed on the top of the connector properties.

  3. The associated secure site is automatically generated (in Secure sites tabs).

Click here for more information about the Discovery URL

OpenID Connect defines a discovery mechanism, called OpenID Connect Discovery, where an OpenID server publishes its metadata at a well-known URL, typically “”.

The URL returns a .JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details. The clients can use this information to construct a request to the OpenID server. The field names and values are defined in the OpenID Connect Discovery Specification.

The Discovery URL provided by TrustBuilder is unique to a connector. It can be retrieve in connector properties.

Paste the following Discovery URL in a browser to preview an example of the JSON file content:

"response_types_supported":["id_token token","id_token","code"],

Configuring Guacamole properties file

You should provide TrustBuilder metadata to allow TrustBuilder and Guacamole to communicate.

TrustBuilder metadata can be retrieved at the Discovery URL. They should be added in the file which is Guacamole's main configuration file.
These properties dictate how Guacamole should connect to the OIDC provider, how it should verify the OIDC provider's response, and how OIDC provider should redirect users back to Guacamole once authenticated.

The following properties are required:

  • openid-authorization-endpoint → The TrustBuilder OIDC authorization endpoint which is used to initiate the OIDC authentication and authorization process.

  • openid-jwks-endpoint → The URL of TrustBuilder JWKS which allows to retrieve the public keys. These keys are used to verify the signature of the JSON Web Tokens (JWTs) issued by TrustBuilder.

  • openid-issuer → The base URL of to reach the issuer of OIDC tokens (TrustBuilder)

  • openid-client-id → the unique client identifier

  • openid-redirect-uri → The URI that should be submitted redirect users back to Guacamole once authenticated.


You can get your connector alias and the discovery URL by editing a created OpenID Connect connector.

Other properties are also available. They must be configured according to the configuration of the connector set up in TrustBuilder:

  • openid-scope → The space-separated list of OpenID scopes to request. It should match the connector’s “Scopes” setting:

    • openid-scope=openid email

    • openid-scope=openid email profile

  • openid-max-token-validity → the maximum amount of time that the token should remain valid. It should match the connector’s “Validity period of token” setting.

  • See more optional properties

Test the OIDC connection to TrustBuilder

To test the OIDC connector the most important entry is the authorization_endpoint. You can retrieve the authorization_endpoint value in the JSON file returned by the Discovery URL.

In the example below, the OIDC flow is implicit with reponse_type=id_token. Only an ID_token will be issued

  1. Set up a simple HTML form posting to the authorization_endpoint URL to initiate the authentication dialog with TrustBuilder.
    Example of form:

<form method="post" name="logon" id="form"
    <input name="login_hint" value="login">
    <input name="iw_activation_code" placeholder="activation code">
    <input type="hidden" name="redirect_uri" value="result.html">
    <input type="hidden" name="client_id" value="MyOIDC">
    <input type="hidden" name="response_type" value="id_token">
    <input type="hidden" name="response_mode" value="query">
    <input type="hidden" name="scope" value="openid">
    <input type="hidden" name="nonce" value="asdorj5">
    <input type="submit" value="Connect" />


  1. After posting the form you should be redirected to the TrustBuilder MFA authentication page of the connector. Click on Activate this browser to allow your browser become a trusted device.

    Example of TrustBuilder MFA authentication page before activation

  2. After browser token activation, you should be able to authenticate.

    Example of TrustBuilder MFA connection page after activation of the browser token (Virtual Authenticator)

  3. After successful authentication, you are redirected to a page specified in the redirect_uri of the sample form above.
    Here is a sample page to retrieve the result of an OIDC authentication

    function getUrlVars() {
    	var vars = {};
    	var parts = window.location.href.replace(/[#?&]+([^=&]+)=([^&]*)/gi, function(m,key,value) {
    	return vars;
    document.addEventListener('DOMContentLoaded', (event) => {
    	console.log("Dom loaded !");
    Authentication successful

    Open the JavaScript console and see the result of the authentication under the form of a id_token encoded and encrypted.
    The ID_token returns information about the authenticated user, the Client ID, the issuer URL (TrustBuilder), a creation date, an expiration date and a nonce.

Here is a sample ID_token:

You can decode this id token on JWT.IO.

Let's see the payload returned once the id_token is decoded:

"sub": "bob",
"aud": "MyOIDC",
"iss": "",
"exp": 1713190058,
"iat": 1618582058,
"nonce": "asdorj5"

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.