Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

This article describes how to configure Apache Guacamole as a web resource in Smart ID Digital Access component

Expand/Collapse All


Step-by-step instruction

Install Guacamole

  1. Login via SSH to the Guacamole server.
  2. Download the Guacamole 1.5 > nexus-guacamole-1.5.1.tar.gz file from the Nexus support portal and unzip it in your working directory.
  3. Install Guacamole using this command:

    Install Guacamole

Create web resource

  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click Web Resources > Add Web Resource Host.
  3. Enable resource is checked by default.
  4. Enter a Display Name, the Host of the Guacamole server and the HTTP Port (8080). 
  5. Under Portal settings check Make resource available in the Portal. Upload an icon image and link text.
  6. Click Next until the web-resource is created and you see the Advanced Settings... option.

Either you continue from the previous step, or you

  • Select the web resource under Registered Resources
  • Click Edit Resource Host...
  • Click Advanced Settings...
  1. At the bottom of the page, click Add Attribute... under section Back-end Attributes.
  2. Add a back-end attribute:
    1. Enter guac as Name.
    2. Use Header as Type.
    3. Use Static Value as Source.
    4. Choose None as Encoding
    5. As Value, add username, password and IP address or DNS name of RDP host:


      this could look like:


      protocol -  is one of: rdp, ssh, telnet, vnc
      additional parameters following: key=value,key=value...
      More details can be found here:

  3. Click Add.
  4. Click Next and Finish Wizard.
  1. In Digital Access Admin, go to Manage Resource Access.
  2. Select the web resource under Registered Resources
  3. Click Add Resource Path...
  4. Enter guacamole as Path.
  5. Enter the link text and select an icon to make the resource available in the portal. This is the link on the access portal required to access the resource.

Single Sign-on settings

If the username and password should be picked from a specific SSO domain, do the following adaptions. Refer also to Single sign-on script in Digital Access, headings "Upload script files" and "Add filters".

Do the instructions below for these scripts:

Upload script files

  1. In Digital Access Admin, click Browse.
  2. Upload the provided files (without changing the file names) to access-point/custom-files/scripts.

  1. In Digital Access Admin, go to Manage Resource Access > Global Resource Settings.
  2. Go to the Filters tab and click Add Filter...
  3. As Display Name enter sso_username.
  4. As Script Name enter sso_username.
  5. Select Request as Type of Filter.
  6. Select the Guacamole web resource as Resource Host.
  7. Enter * in Path.
  8. Select Headers as Apply Filter To.
  9. Click Add.
  10. Add filters for sso_password, sso_domain, and sso_uid.
  1. In Digital Access Admin, go to Manage Resource Access > Global Resource Settings.
  2. Go to the Advanced tab.
  3. Check User ID under Internal Cookies.
  4. Check Use "Cache-Control: no store" under Cache Control.
  5. Click Save.
  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click Web Resources > Edit Web Resources and select the web resource host you created.
    1. To use the scripts for SSO, sso_username and sso_password have to be used within the Guacamole resource, like:


      This is explained in the following steps.

  3. Under heading Single Sign-On:
    1. Check Enable Single Sign-On.
    2. Select Script as Single Sign-On Type.
    3. Select the SSO domain you created before as SSO Domain.
  4. Click Advanced settings...
  5. Click Edit Attribute guac.
  6. Update the Header to use 'sso_username' and 'sso_password' etc. to use the dynamic values.
  7. Click Save and then publish the updates.

Add multiple web resources to a Guacamole server instance

  1. Create a new DNS entry for the guacamole server (add a CNAME).
  2. Follow the same steps as for the first connection.
  3. If you want to use SSO, you must add filter for the new CNAME. Follow the instructions in Add filters under heading Single Sign-On settings.

This article includes updates for Digital Access 6.3.2.

Related information